Re: Proposed Text for Local Law and Public Purpose

On 2012-10-26 00:58, Grimmelmann, James wrote:

> On the basis of the available sources, it appears that the MRC is a
> private body that promulgates voluntary standards and accredits
> compliance with them.  Some members of Congress indicated in the 1960s
> that they would prefer industry self-regulation to legal regulation.
> The industries involved created the MRC, which regularly sends
> information about its activities to Congress and the executive branch
> (such as in the testimony quoted above).  The MRC has no official
> legal status; Congress has never passed legislation establishing it,
> requiring its accreditation, or giving it any advisory capacity.

Thank you very much for providing this insight into the formal status of 
the MRC as an industry body.

> In the language of the proposed text, the MRC's accreditation rules
> appear to be "relevant self-regulatory verification requirements."
> Whether the DNT self-regulation effort or the MRC self-regulation
> effort should give way where they might conflict is a policy choice
> for the group to make.

My position would be that if we are to treat the tracking status value 
as an indication of a self-regulatory restraint on the collection, use 
and sharing of personal data in jurisdictions which do not have a great 
deal of such restraints outside contract law, we cannot accept 
exceptions introduced through requirements from other forms of 
self-regulation. This is because doing otherwise would create a 
potential for different meanings of the tracking status value for 
different content providers.

Also to come back to the earlier discussions about different legal 
perspectives. I think DNT can become a workable global standard provided 
that we are able to agree on the following basic principles:

- on the UA side DNT:0 or DNT:1 may have different purposes for 
different jurisdictions:
  - DNT:0 means an informed, freely given, thus providing clarity and 
legal certainty for EU content providers
  - DNT:1 means an informed, freely given indication of a preference for 
having no personal (linkable) data collected about that user across 
different contexts (this group has chosen to use the 1st and 3rd party 
distinction as the main vehicle for determining context)


- on the server side the tracking status value, the optional tracking 
status qualifiers and the tracking status resources must provide a 
globally unified indication of what a reasonable user may expect in 
terms of the restraints on data collection. Doing otherwise will result 
in a standard that is either as convoluted as p3p or one that is 
meaningless because it will result in unexpected surprises for users.

To give an example: an Argentinian user will not necessarily be aware of 
the exact legal requirements a US based advertisement broker has to 
operate under, but will not be surprised to find out there are 
requirements for data collection imposed by law. It does not take a 
great deal of domain expertise to be aware of this possibility and will 
generally be accepted, because there generally speaking is trust in the 
balances struck by democratically chosen lawmakers, especially in those 
of one of the oldest democracies in the world. So even though it may 
result in more collection of data than would be the case if the content 
provider was based in the EU, it is a difference that will not be 
unexpected by users.

Regards,

  Walter

Received on Friday, 26 October 2012 08:21:28 UTC