Re: ACTION-255: Work on financial reporting text as alternative to legal requirements

On Sep 26, 2012, at 9:02 AM, Alan Chapell <achapell@chapellassociates.com> wrote:
> On 9/26/12 11:52 AM, "Rigo Wenning" <rigo@w3.org> wrote:
>> Now if you want to continue to do re-targeting and provide proof
>> that you have successfully re-targeted this individual, I would
>> guess that the required data collection and use goes a fair amount
>> beyond what the user expects when sending you DNT:1 . Maybe you can
>> also understand this DNT:1 as an opt out of the user of the
>> targeting. Should permitted uses be stronger than such an opt out?
> 
> I'm not sure what you're arguing here. The rationale behind permitted uses
> is that they continue even in the presence of a DNT signal.

I think the concern that Rigo is expressing here is that if the permitted use allows retargeting of a certain kind but the group thinks that retargeting is not compliant with a DNT preference, then having a permitted use that allows retargeting as required by a contract or an auditor would reduce the meaning of compliance with the preference.

I'm still a little uncertain on this PCMCP example, per my questions earlier on this thread. Is someone suggesting that a DNT header would require removing data previously collected about a user or device? (I don't think the group has held that, so that shouldn't be an issue.) Are you suggesting that the ad network would be using data collected under DNT:1 in order to re-target an ad on another site? (I believe this would be incompatible with third-party compliance with a DNT preference.) Does the ad network need to prove to PCMCP that it re-targeted an ad to someone who had previously seen the ad on a particular other website? Or is the example that the ad network needs to retain logs about a particular ad impression to prove that the impression wasn't for a user IP address known to be from a particular country?

I think what Alan is getting at is that there may be some data retention not required by financial reporting laws that we would consider consistent with an expressed DNT preference. For example, retaining the IP address of users who see an ad would be done in order to prove to a third-party auditing/trade organization that ads of a certain type are not shown to users in a particular country.

If that's right, I think that leaves two questions for the group:
1) is the group comfortable with the compliance specification allowing potentially long-term retention (and sharing) of data from DNT:1 users for examples like this one?
2) if so, can we phrase the requirement to allow retention/sharing for this purpose without providing a general permitted use for complying with any contractual term?

Hope this helps,
Nick

Received on Wednesday, 26 September 2012 22:49:22 UTC