RE: Batch closing of TPE related issues

Hi Rigo,

I agree many of the "implied consent" banners we see in the UK are
irritating and annoying,  because they do not offer the ability to give or
revoke consent for [tracking identifier] storage as required by the ePrivacy
directive. They usually just allow you to click a button to make them go
away, so offering a diminished web experience without any choice over
privacy. 

I also agree that using cookies as an opt-out signal is suboptimal. A user
deleting their cookies as a privacy protection tactic will paradoxically
revoke all their carefully arranged opt-outs. Also if they have set their
Firefox browser to block third-party cookies but accept those from visited
sites (which was going to be the default in Firefox 22) then just accepting
an opt-out cookie will allow third-party cookies from the same site, the
opposite to the user's intention.

But using OOBC alongside DNT does not necessarily mean either of these, and is
in any case unavoidable. 

The DNT UGE mechanism we have now will have to be augmented using other
mechanisms, for example to support sunset revocation, cross-domain consent
and consent signalled through login authentication.

You are right that the user must be always able to revoke any consent they
have given within their browser, but this can still be supported by a
properly implemented DNT augmentation mechanism.

We could help with transparency by adding some non-normative text describing
how it could be done, with recommendations on names and value encoding (if
it is based on HTTP cookies, which it does not have to be).

Mike


-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: 18 June 2013 09:19
To: public-tracking@w3.org
Cc: Matthias Schunter (Intel Corporation); Rob van Eijk
Subject: Re: Batch closing of TPE related issues

On Monday 10 June 2013 14:39:48 Matthias Schunter wrote:
> Do I understand you correctly that
> - you are concerned if UGEs are translated into out of band 
> exceptions?

Matthias, have you ever tried to revoke your consent or to opt out of one of
those ridiculous UK ICO cookie banners? 

I think that a UGE MUST NOT be translated into OOBC, a user MUST be able to
revoke UGE by deleting the exception in the store. 

The whole point of DNT is a centralized opt-out in the browser. This means
Shane's local duplication is meaningless. It may only serve as a memory for
some historical state, but MUST NOT overwrite the status of the UGE store in
the browser. Otherwise the exercise is futile because Johnny can't opt out
anymore. 

 --Rigo

Received on Tuesday, 18 June 2013 12:09:15 UTC