Re: TPE Handling Out-of-Band Consent (including ISSUE-152) from Matthias Schunter (Intel Corporation) on 2013-03-19 (public-tracking@w3.org from March 2013)

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Tue, 19 Mar 2013 12:38:59 +0100
To: public-tracking@w3.org
Message-ID: <51484E53.5060007@schunter.org>

Hi!


for consent, we now have 4 cases:
1. The site has in-band consent (=DNT;0 either as a preference or an 
exception)
2. The site is reasonably certain that it has out of band consent
3. The site uses out of band consent and a user can see (and maybe 
manage) this out of band consent via "control" link
     and the site promises to respect it

I believe this translates into two qualifiers:
  C = I obtained consent (either in-band or out-of-band)
  c  = I will handle your data according to the out of band consent that 
you can retrieve via "control"
        (in this case, the control link is mandatory).

If browsers care, they can differentiate the cases (1) and (2) by means 
of the fact whether they have sent a DNT;0 or not.


Does this sound like an appropriate resolution?


Regards,
  matthias





On 19/03/2013 10:59, Ronan Heffernan wrote:
> David,
>
>    That is pretty much what I was proposing, though we could certainly 
> add some protective language to make it clear that the data cannot be 
> used (except under other fraud and technical-operation permitted uses) 
> until the determination of OOBC is made.  Regarding "delete all the 
> data we don't have consent for", some servers might delete the data, 
> others might be just de-identify it to the same extent that one would 
> have to perform for other non-consented data.
>
> --ronan
>
>
> On Mon, Mar 18, 2013 at 8:47 PM, David Singer <singer@apple.com 
> <mailto:singer@apple.com>> wrote:
>
>     I share Justin's concerns, but I also understand where Ronan is
>     coming from.  I am not sure I see what to do here, but let's try.
>      Let me see if I can summarize...
>
>     What Matthias wrote: the site that thinks it has consent has to
>     tell the user, and offer a URI where the user can review and
>     possibly update that consent ('control').
>
>     What Ronan wrote: we collect all the data ('short term raw data
>     permitted use') and then delete all the data we don't have consent
>     for.
>
>     What Justin asks:  How does the user know where they stand (a
>     pretty basic need)?
>
>
>     I hate to suggest even more status/qualifiers, but do we need one
>     for 'possible consent'?  That would flag to the user that they
>     could check by visiting the 'control' link...
>
>

Received on Tuesday, 19 March 2013 11:39:23 UTC