Re: ePrivacy & DNT

> On Dec 16, 2016, at 4:45 AM, Jeff Jaffe <jeff@w3.org> wrote:

Hi Jeff,
> Mike,
> 
> Thanks for the pointer.
> 
> I didn’t see where this pointed to any W3C Standard for Do Not Track, or any compliance regime. 
> 

Sure, just like there didn’t happen to be any mechanism that fulfilled some FTC descriptions other than P3P. We all knew what the text meant and there was no press critique of FTC hard-coding to a specific technology or picking favorites. Nothing new under the sun, eh?

Beyond agreeing with Mike’s read on the face of things, back channel discussions support that yes, DNT was intended.
> Is it correct that any utilization of any (non-standard) browser setting and any compliance definition would satisfy these regs?
> 
Parse failure. Let me take some guesses at what you’re asking; please try again if I do not get there. 

What I think you’re asking — explicitly, Art29WP has written that just because there are browser settings to limit cookies that a user did not avail herself of, this is *not* consent to cookies being set. In US terms, this is basically calling for opt-in for data collection and use (with exceptions where it doesn’t). Consent requires affirmative action, not mere inaction.

The browsers cannot know what all the parties are up to (is that cookie for a shopping cart, or to track interests?) This is not an issue to solve just at the browser level, though browsers and other user agents absolutely have a role to play, and can make things harder or easier on the entire ecosystem. Browsers are important, but not the show.

Where Do Not Track comes in is that it could be a standard approach that would enable a clean path for first and third parties to comply with EU law, in particular with consent requirements. Article 29 WP has issued preliminary written guidance on where DNT must change in order to support EU laws. We should take their texts very seriously, IMHO. Ideally we finish our work and have the Art29WP say to companies, “Implement W3C DNT correctly, and you will not have legal issues here.” The value to companies would be huge as they would not need individual meetings with lawyers and DPAs, the whole circus. European users would have something they could count on for a change, a privacy baseline. This would be a manageable, incremental improvement over the cesspool that is the modern web.

From a tech perspective, what DNT offers that other approaches do not is timing. It is possible to establish consent before setting or getting cookies. This is key. HTTP headers for the win. We’ve discussed this before.

There are almost certainly other options that could work, given enough effort. They’d be starting from scratch.
Enforcement of EU laws begins in a year and a half.
W3C DNT started in Fall 2011. It’s not so far off from meeting EU compliance. It seems worth a final push. I say that as someone who would rather have dental work than more DNT discussions.

 Aleecia

Received on Friday, 16 December 2016 21:08:07 UTC
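The timing argument in the message above (the DNT request header arrives before the server emits any Set-Cookie, so consent can be decided first), shown as an added example that is not part of the thread. Assumptions: an explicit DNT:0 is read as affirmative consent, DNT:1 or a missing header as no consent (the opt-in reading above), the reply carries the Tk response header from the W3C Tracking Preference Expression draft ("C" consent, "N" not tracking), and the cookie name and value are constructed.

```python
# Added example, not from the thread: a minimal WSGI app that decides about
# tracking from the DNT request header before any cookie is set or read.
from http.cookies import SimpleCookie


def consent_from_headers(environ):
    """True only for an explicit DNT:0; DNT:1 or no header means no consent."""
    return environ.get("HTTP_DNT", "").strip() == "0"


def application(environ, start_response):
    consent = consent_from_headers(environ)
    headers = [("Content-Type", "text/plain; charset=utf-8")]

    # The decision is made here, before any Set-Cookie is emitted and before
    # any incoming cookie is consulted.
    if consent:
        headers.append(("Tk", "C"))  # tracking with consent
        cookie = SimpleCookie()
        cookie["interest_id"] = "constructed-sample-value"  # constructed, not real
        cookie["interest_id"]["path"] = "/"
        cookie["interest_id"]["httponly"] = True
        cookie["interest_id"]["secure"] = True
        headers.append(("Set-Cookie", cookie.output(header="").strip()))
        body = b"tracking cookie set with consent\n"
    else:
        headers.append(("Tk", "N"))  # not tracking
        body = b"no tracking cookie set or read\n"

    start_response("200 OK", headers)
    return [body]


def run(environ):
    """Call the app offline and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, application).serve_forever()
```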