- From: Shane M Wiley <wileys@yahoo-inc.com>
- Date: Tue, 21 Feb 2017 23:10:42 +0000 (UTC)
- To: "Matthias Schunter \(Intel Corporation\)" <mts-std@schunter.org>, "public-tracking@w3.org \(public-tracking@w3.org\)" <public-tracking@w3.org>
- Message-ID: <1863705492.2072526.1487718642844@mail.yahoo.com>
Matthias and Working Group,
I believe the Exception API is critical for industry support of DNT. >From a web site owners perspective (in light of a possible requirement to obtain explicit consent from a user) you will have several options:
1. Implement your own consent solution and store the result in a browser cookie and/or with the user's account (if you have account registration)2. Implement DNT as your consent solution and store the exception with the browser (which can be shared across authenticated devices of the browser)3. BOTH (as this could allow crossing browser types - although this approach has to handle race conditions)
If the Exceptions API is removed there is little value in implementing DNT as the site owner is forced to use cookies to store a user's preference. The clear win for a site owner is that Exceptions should survive cookie cleaning (could be deleted through another mechanism - that needs to be decided by browser vendors). If Exceptions offer no value over standard cookies then the path of least resistance is to implement your own consent mechanism as you have complete control over the user experience and you don't have to brace for possible unexpected developments from each browser vendor (which will always remain a concern with a browser centric model).
Timing: It was in the ePR context that more direct calls for DNT support came from several EU regulators. The ePR is still in draft form and its legislative timing and final wording are unclear. As that may take some time we may be trying to force the completion of the TPE a bit too quick for the regulatory environment to clear up on core concepts like legitimate interests of 3rd parties and forms of acceptable consent where legitimate interests are not found. Once the language of the ePR is finalized we'll better understand the boundaries of legal certainty and related options for implementation which will in turn help drive the direction for the Working Group (IMHO).
- Shane Shane Wiley
VP, Privacy Policy
Yahoo
From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Sent: Monday, February 20, 2017 5:14 AM
Subject: Propagating site-wide consent without Javascript
Hi Folks,
during our last call, David suggested that we should put the Javascript
API at risk. By doing so, we can continue towards recommendations even
if the API is not implemented by the participants.
I would like to now kick-off a "what if" discussion.
The javascript API serves IMHO three purposes:
1 - To store site/web-wide exceptions
2 - To propagate consent from the site to its sub-elements (e.g. the
site
obtained site-wide consent and all its sub-elements (such as
analytics) will then receive a DNT;0 to signal that they are
permitted to track.
3 - To provide transparency to the user (who can check what
consent/exceptions are stored in his browser)
If the Javascript API were removed, then consent can be stored using
cookies or other means (point 1), transparency would need to be provided
(at a limited level) by the sites (point 2).
I would now kick off a discussion how consent could be forwarded from a
site to its subsidiaries. Options I see
Option 1: Javascript API + DNT;0 header (current solution; at risk)
Option 2: Some other way to trigger sending DNT;0 (e.g. we could define
a "site-wide exceptioN" response header that triggers sending DNT;0 to
other elements
Option 3: Encoding in URLs? Some Javascript tricks? Other?
What do you think? Opinions?
Regards,
matthias
Received on Tuesday, 21 February 2017 23:11:16 UTC