Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

From: Ronan Heffernan <ronansan@gmail.com>
Date: Tue, 26 Mar 2013 16:32:07 -0400
Message-ID: <CAHyiW9KmEGvyCYVz1B8+5QQDtR+F==MOuv+CxHw43dbDJt4dJA@mail.gmail.com>
To: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

Matthias,
   Perhaps I did not understand, but Justin's suggestion that I was
replying to contained this, "I still do not understand why you cannot
operate in-band or otherwise configure the user agent to send DNT:0 signals
using your client-side software."  The suggestion to "configure the user
agent to send DNT:0 signals by using your client-side software" is the
part that I think sounds dangerous and should be disallowed by the DNT
spec.  I don't think that 3rd-party software should be allowed to turn off
a user's DNT:1 signal; that is very non-transparent and opts the user into
full data disclosure with no explanation or recourse.  That also does not
sound like following the normal in-band exception process that you
described.  If I misunderstood the suggestion, my apologies.

   Also to clarify, no one ever suggested 53 weeks to make an OOBC
determination.  The longest time period that I suggested was 48 hours,
though there might be other entities who would need more time, and I am not
trying to use a W3C spec to shut out smaller companies or organizations
with fewer resources.  Any attempt to require massive engineering
investment will disadvantage startups and other small players, giving power
to entrenched interests.

   BTW, I am also suggesting that OOBC cannot always be withdrawn in-band.
If a user signs a contract and gets paid to be a panelist, they need to
follow the legal steps to break their contract, including (possibly)
returning the money that they were paid.  I don't think that we should
expect an in-band exception-withdrawing mechanism to be able to withdraw a
consent that was granted out-of-band.

--ronan



On Tue, Mar 26, 2013 at 3:19 PM, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:

> Hi Ronan,
>
> just to explain: This approach is our default for obtaining consent
> (called "exceptions" in TPE language).
>
> 1. A user visits a site with DNT:1 set
> 2. The site asks the user for a permission to personalise/track/...
> 3. If the user is OK with providing consent to this site, the site stores
> an "exception" in the browser
> 4. The browser starts sending DNT:0 to this site; this indicates that the
> site has consent
>
> The advantage is that the user has transparency (users may look into the
> exceptions in their browser)
> and can withdraw their consent (I hope you are not calling this 'abuse')
> by removing an exception.
> Furthermore, the DNT:0 signals will reliably reflect the user's preference.
>
> Does this clarify your question?
>
> Regards,
> matthias
>
>
Received on Tuesday, 26 March 2013 20:32:57 UTC