Re: ePrivacy & DNT

> On Dec 19, 2016, at 16:20 , Aleecia M. McDonald <aleecia@aleecia.com> wrote:
> 
> David++
> 
> Worst case, the law itself will serve as the compliance spec. However, it would help companies to have something translated from wonk to geek, something more easily implementable. Reference implementations and source code would help. It does not appear the TPWG will do that work, but others have said they will.
> 
> By opting not to publish a spec we have said multiple compliance approaches can work with DNT TPE. There will be *at least* one EU compliance document, and I know of a few different groups working on such a document.   
> 
> The great thing about standards is there are so many to choose from,

I could wish that there were a “minimal” DNT which you must support if you use the protocol spec.

At the moment, I am puzzled to know what to tell the users they might get, before we see the URLs of the specs that the servers claim to support.


>  Aleecia
> 
>> On Dec 19, 2016, at 4:11 PM, David Singer <singer@mac.com> wrote:
>> 
>>> 
>>> On Dec 18, 2016, at 3:48 , Walter van Holst <walter@vanholst.com> wrote:
>>> 
>>> On 2016-12-18 03:44, Jeff Jaffe wrote:
>>> 
>>>>> Where Do Not Track comes in is that it could be a standard approach
>>>>> that would enable a clean path for first and third parties to comply
>>>>> with EU law, in particular with consent requirements. Article 29 WP
>>>>> has issued preliminary written guidance on where DNT must change in
>>>>> order to support EU laws. We should take their texts very seriously,
>>>>> IMHO. Ideally we finish our work and have the Art29WP say to
>>>>> companies, “Implement W3C DNT correctly, and you will not have
>>>>> legal issues here.”
>>>> Even though we have no compliance spec?
>>> 
>>> As far as DNT:1 is concerned, an EU compliance spec isn't really necessary. From an EU perspective DNT:1 is only necessary for 1st party and would mean an objection to first-party collections. In the EU context DNT:0 is the interesting part because it can be an expression of consent to 3rd parties, with DNT:1 potentially meaning withdrawal of such consent. Both under the GDPR and the current e-privacy directive and the future e-privacy regulation there's nothing to opt-out for regarding 3rd parties since 3rd party data collection requires user consent, so an opt-in.
>>> 
>>> For neither scenario is a compliance specification strictly necessary, although it may be very helpful for practical purposes and to provide clarification, both for implementing parties and users.
>>> 
>>> From where I am standing, getting a W3C compliance spec is a nice-to-have, but nowhere near necessary to make DNT a success. Getting the TPE to have a more formal status, preferably with some tweaks, however is.
>>> 
>> 
>> Walter
>> 
>> it does seem that what you wrote is, in some sense, a compliance spec (albeit in draft state). Perhaps the EU could write a spec and assign it a URL, so that sites can say “I respect DNT when interpreted as the EU does”?
>> 
>> 
>> 
>> Dave Singer
>> 
>> singer@mac.com
> 

David Singer
Manager, Software Standards, Apple Inc.

Received on Tuesday, 20 December 2016 00:48:10 UTC