W3C home > Mailing lists > Public > public-tracking@w3.org > April 2017

Re: Issues for Monday Call

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Sat, 1 Apr 2017 17:09:47 +0200
To: public-tracking@w3.org
Message-ID: <fd38a1b0-ba87-890a-820f-bcb21e818c05@schunter.org>
Hi Mike,

thanks a lot for this detailed inputs.

It helps to clarify what fields are actually suggested and what their
content should be.

I tend to agree that this data is useful (or even required) for GPDR

However, in the spirit of "minimal changes" I tend to suggest to keep
all data under the URL in a human-readable form.

What we need to clarify further is:
- Why is the data required to be machine readable?
- What actions will the browser take once it has read and parsed this data?
- What bad things would happen if the data continues to be available in
human-readable form only?
- Why couldnt the fields be defined in a "EU compliance" note (since
they seem to be specific to the EU)?

If the browser will only store this data, then a consent-metadata blob
(JSON or so) would be sufficient. Further notes and best practices can
then structure this object further.

Just my 2cents. Let us discuss this further on monday.


On 31.03.2017 19:36, Mike O'Neill wrote:
> European Data Protection law has definite requirements for the information made available to users. In my opinion the TSR is the best place for these elements because a) they are not only required when consent is given, or when it is the legal basis for processing, and b) the TSR is more accessible to privacy researchers, regulators and browser extensions (if it was only available to the API we would need to add another API to report them).
> They need not be mandatory in the TPE (though the simple string name property for controllers should be in my opinion), so why not put them in as a non-normative Addendum describing them as examples of TSR extensibility.
> I have assembled my suggestions in a document (in the repo drafts folder):
> https://w3c.github.io/dnt/drafts/Transparency.html
>> -----Original Message-----
>> From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org]
>> Sent: 30 March 2017 08:11
>> To: public-tracking@w3.org (public-tracking@w3.org) <public-
>> tracking@w3.org>
>> Subject: Issues for Monday Call
>> Hi Folks,
>> based on the discussion last week. Below I codified an alternative
>> approach to resolving the TSR issues (based on the emails on the list
>> and input from last week).
>> Our list of issues is at:
>>   https://github.com/w3c/dnt/issues/23
>> Note that issues that are not resolved by end of April will be
>> auto-pushed out to potential future releases.
>> Regards,
>> matthias
>> -----
>> 1. Issue triage: Are there issues that are high priority and must be
>> resolved in April? If not, we can process without change.
>> 2. What additional fields are desired for simplifying compliance in the EU?
>> Note: So far I have not seen any submitted proposals for an additional
>> concrete field on the list. If I receive none, IMHO we can close this
>> discussion on monday.
>> 2. Best way to communicate "consent context".
>> Our current approach was that the TSR serves two roles:
>> 	A. Discovery (before visiting site) of essential tracking
>> 		information
>> 	B. Sufficient context to give clear meaning to
>> 		user-granted exception. This role triggered that we
>> 		plan to require TSR if the exception API is used.
>> 		It also fuels our discussion "what extra fields are
>> 		needed"
>> Roy suggested that TSR may be the best place for (B). Let us see whether
>> we find a better place for the consent-context information.
>> One suggestion was that it should be part of the API call.
>> 3. Asyncronous API / Update Events (Continued)
>> https://github.com/w3c/dnt/issues/13
>> 4. Anything else we want to discuss
Received on Saturday, 1 April 2017 15:10:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:40:34 UTC