Hi Chris,


I agree DNT:0 should signal consent for tracking, but we have restricted “tracking” to be only “across multiple contexts”, which does not compute in Europe because here there needs to be a legal basis for processing (for any party not just third-parties). Anyway when we have got this issue out of the way I will emit more text.





Sent: 07 June 2014 21:18
To: Mike O'Neill
Cc: Roy T. Fielding; W3C DNT Working Group Mailing List
Subject: Re: issue-170


Who's going to certify how DNT:0 was set? I agree with Roy, let industry self-regulation oversight programs (i.e. Council of Better Business Bureaus in the US) or regulators deal with bad actors, per enforcement of local codes, regulation, and laws. The bad actors aren't going to follow this spec anyway. In my experience around self-regulatory enforcement, the good actors have a vested interest in reporting the bad actors when they find them (simple market dynamics).


Industry needs an easy to determine signal to process at scale. If you see DNT:0, you have consent- simple as that.



Chris Mejia


On Jun 6, 2014, at 3:47 PM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:

Hash: SHA1

Hi Chris,

What is not implementable at scale & in real-time, the UGE? I can assure you it can and in fact already has.


-----Original Message-----

From: Chris Mejia [mailto:elementslifestylegroup@hotmail.com]

Sent: 06 June 2014 19:50

To: Roy T. Fielding; Mike O'Neill

Cc: W3C DNT Working Group Mailing List

Subject: Re: issue-170


Agree with Roy on this. Logistically/technically speaking, the proposal is

not implementable at scale, in real-time.



Chris Mejia







On 6/6/14, 10:56 AM, "Roy T. Fielding" <fielding@gbiv.com> wrote:


On Jun 4, 2014, at 5:38 AM, Mike O'Neill wrote:

If a 1st Party receives a request with DNT:0 set then data regarding

the user MAY be used or shared but, if the header signal resulted from

an explicitly-granted exception, only for the purposes that were clearly

and comprehensively explained when the exception was granted.


There is no need for this text.  If a server receives DNT:0,

it will behave according to its own set of practices for DNT:0.

It is not going to change its practices on a per-user basis.


If those practices exceed whatever the server might have stated in some

request for a UGE, the server owner is inviting regulatory action or

lawsuits.  We do not need to say anything about servers that mislead.


If the server does not request UGEs (and thus only receives DNT:0 when

set web-wide), then it has no control over what was explained to the user

and is instead relying on the browser configuration.  What the browser

configuration means is largely outside the scope of compliance, though

we all hope that they will eventually become consistent.



Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/
Charset: utf-8