Re: ePrivacy & DNT

On 12/16/2016 4:07 PM, Aleecia M. McDonald wrote:
>
>> On Dec 16, 2016, at 4:45 AM, Jeff Jaffe <jeff@w3.org> wrote:
>
> Hi Jeff,
>>
>> Mike,
>>
>> Thanks for the pointer.
>>
>> I didn’t see where this pointed to any W3C Standard for Do Not Track, 
>> or any compliance regime.
>>
>
> Sure, just like there didn’t happen to be any mechanism that fulfilled 
> some FTC descriptions other than P3P. We all knew what the text meant 
> and there was no press critique of FTC hard-coding to a specific 
> technology or picking favorites. Nothing new under the sun, eh?
>
> Beyond agreeing with Mike’s read on the face of things, back channel 
> discussions support that yes, DNT was intended.
>>
>> Is it correct that any utilization of any (non-standard) browser 
>> setting and any compliance definition would satisfy these regs?
>>
> Parse failure. Let me take some guesses at what you’re asking; please 
> try again if I do not get there.
>
> What I think you’re asking — explicitly, Art29WP has written that just 
> because there are browser settings to limit cookies that a user did 
> not avail herself of, this is *not* consent to cookies being set. In 
> US terms, this is basically calling for opt-in for data collection and 
> use (with exceptions where it doesn’t). Consent requires affirmative 
> action, not mere inaction.
>
> The browsers cannot know what all the parties are up to (is that 
> cookie for a shopping cart, or to track interests?)  This is not an 
> issue to solve just at the browser level, though browsers and other 
> user agents absolutely have a role to play, and can make things harder 
> or easier on the entire ecosystem. Browsers are important, but not the 
> show.
>
> Where Do Not Track comes in is that it could be a standard approach 
> that would enable a clean path for first and third parties to comply 
> with EU law, in particular with consent requirements. Article 29 WP 
> has issued preliminary written guidance on where DNT must change in 
> order to support EU laws. We should take their texts very seriously, 
> IMHO. Ideally we finish our work and have the Art29WP say to 
> companies, “Implement W3C DNT correctly, and you will not have legal 
> issues here.”

Even though we have no compliance spec?

> The value to companies would be huge as they would not need individual 
> meetings with lawyers and DPAs, the whole circus. European users would 
> have something they could count on for a change, a privacy baseline. 
> This would be a manageable, incremental improvement over the cesspool 
> that is the modern web.
>
> From a tech perspective, what DNT offers that other approaches do not 
> is timing. It is possible to establish consent before setting or 
> getting cookies. This is key. HTTP headers for the win. We’ve 
> discussed this before.
>
> There are almost certainly other options that could work, given enough 
> effort. They’d be starting from scratch.
> Enforcement of EU laws begins in a year and a half.
> W3C DNT started in Fall 2011. It’s not so far off from meeting EU 
> compliance. It seems worth a final push. I say that as someone who 
> would prefer dental work to more DNT discussions.
>
> Aleecia

Received on Sunday, 18 December 2016 02:44:14 UTC