- From: Shane M Wiley <wileys@oath.com>
- Date: Thu, 12 Oct 2017 16:03:58 -0700
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <CAEwb2ykDjepk6gQcjBUQSwmwwN6qtJCKkMWvAHA4SkUi0mT9hA@mail.gmail.com>
If a data controller would like to engage in a net new purpose with a data subject that requires consent then they would need to re-engage with the user to obtain consent for that new practice/purpose. For example, if the ad tech vendor we discussed below had originally obtained consent from a user for purposes #1 (IBA) and #2 (CDM) but brings a new feature forward for database matching services, they would need to need to request consent for the new purpose #3 (DMS). If the user consents then that ad tech vendor would have 3 purposes consented to with the user. - Shane On Thu, Oct 12, 2017 at 3:44 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote: > Wouldn’t hard-coding specific advertising techniques leave the spec > brittle and out-dated in short order? > > Surely you will likewise need consent when advertising uses a new process > with, say, facial recognition via 3D-printed drone in VR, or whatever > buzzword compliant example you like. What then? > > Aleecia > > On Oct 12, 2017, at 3:20 PM, Shane M Wiley <wileys@oath.com> wrote: > > I believe this is an over simplification of the issue. If we want DNT to > meet the most basic needs of even small publishers that means they will > need to support at least one ad tech partner (assuming the goal of the > group is still to meet the original target of the standard). Even the most > basic ad tech partner will participate in at least two distinct purposes > which lawyers are expressing need to be consented to separately: > interest-based advertising and cross-device mapping (all ad ecosystem > participants support these two common approaches in the EU marketplace > today). If the DNT standard is unable to support even the most basic > consent scenario then there will likely be zero adoption - at least for the > most common use case and original target of the standard. There may still > be hyper edge cases where a singular purpose consent will cover all needed > business cases. > > - Shane > > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <aleecia@aleecia.com> > wrote: > >> >> > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com> wrote: >> > >> […] >> > In either case, we'll need a purpose array for the ad industry to be >> able to leverage DNT as a lawful consent compliance approach in the EU (at >> least that's what EU lawyers are telling me). >> […] >> >> This sounds like an array of common purposes that also contains a purpose >> of other. >> >> I imagine a common set of purposes congruent with EU regs, and then >> “other” managed entirely by the publisher, which defines what it means, >> conveys it meaningfully to users, and records not only consent but what was >> consented to. I would expect any given publisher using “other” to change >> what it means over time (e.g. after an acquisition or new product launch, >> etc.) which is why a timestamp is going to matter. >> >> In an ideal world, Art 29 WP could issue guidance that turns the common >> set of purposes into something fairly self-serve. Perhaps there will be >> sample text akin to Safe Harbor guidance. >> >> For the complexities of Other, well, see your local DPA to have a >> discussion about that. >> >> Small sites should be able to do just fine with the common set. Large >> companies can get all the complexity they need from Other, which might need >> to be further defined as OtherA, OtherB, OtherC, on the backend, but that >> too is up to the publisher to manage. >> >> Early on we had the idea that straight-forward publishers should be able >> to implement DNT easily and those with complex practices would have a more >> complex implementation. I think we can still fulfill that goal. >> >> (I echo Rob’s concern about further delay and the ironies inherent in >> this discussion.) >> >> Aleecia >> >> >> >> > > > -- > - Shane > > Shane Wiley > VP, Privacy > Oath: A Verizon Company > > > -- - Shane Shane Wiley VP, Privacy Oath: A Verizon Company
Received on Thursday, 12 October 2017 23:04:24 UTC