Re: Next 2 calls canceled (Oct 09 and Oct 16)

If a data controller would like to engage in a net new purpose with a data
subject that requires consent then they would need to re-engage with the
user to obtain consent for that new practice/purpose.  For example, if the
ad tech vendor we discussed below had originally obtained consent from a
user for purposes #1 (IBA) and #2 (CDM) but brings a new feature forward
for database matching services, they would need to request consent
for the new purpose #3 (DMS).  If the user consents then that ad tech
vendor would have 3 purposes consented to with the user.

- Shane

On Thu, Oct 12, 2017 at 3:44 PM, Aleecia M. McDonald <aleecia@aleecia.com>
wrote:

> Wouldn’t hard-coding specific advertising techniques leave the spec
> brittle and out-dated in short order?
>
> Surely you will likewise need consent when advertising uses a new process
> with, say, facial recognition via 3D-printed drone in VR, or whatever
> buzzword compliant example you like. What then?
>
> Aleecia
>
> On Oct 12, 2017, at 3:20 PM, Shane M Wiley <wileys@oath.com> wrote:
>
> I believe this is an oversimplification of the issue.  If we want DNT to
> meet the most basic needs of even small publishers that means they will
> need to support at least one ad tech partner (assuming the goal of the
> group is still to meet the original target of the standard).  Even the most
> basic ad tech partner will participate in at least two distinct purposes
> which lawyers are expressing need to be consented to separately:
> interest-based advertising and cross-device mapping (all ad ecosystem
> participants support these two common approaches in the EU marketplace
> today).  If the DNT standard is unable to support even the most basic
> consent scenario then there will likely be zero adoption - at least for the
> most common use case and original target of the standard.  There may still
> be hyper edge cases where a singular purpose consent will cover all needed
> business cases.
>
> - Shane
>
> On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <aleecia@aleecia.com>
> wrote:
>
>>
>> > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com> wrote:
>> >
>> […]
>> > In either case, we'll need a purpose array for the ad industry to be
>> able to leverage DNT as a lawful consent compliance approach in the EU (at
>> least that's what EU lawyers are telling me).
>> […]
>>
>> This sounds like an array of common purposes that also contains a purpose
>> of other.
>>
>> I imagine a common set of purposes congruent with EU regs, and then
>> “other” managed entirely by the publisher, which defines what it means,
>> conveys it meaningfully to users, and records not only consent but what was
>> consented to. I would expect any given publisher using “other” to change
>> what it means over time (e.g. after an acquisition or new product launch,
>> etc.) which is why a timestamp is going to matter.
>>
>> In an ideal world, Art 29 WP could issue guidance that turns the common
>> set of purposes into something fairly self-serve. Perhaps there will be
>> sample text akin to Safe Harbor guidance.
>>
>> For the complexities of Other, well, see your local DPA to have a
>> discussion about that.
>>
>> Small sites should be able to do just fine with the common set. Large
>> companies can get all the complexity they need from Other, which might need
>> to be further defined as OtherA, OtherB, OtherC, on the backend, but that
>> too is up to the publisher to manage.
>>
>> Early on we had the idea that straightforward publishers should be able
>> to implement DNT easily and those with complex practices would have a more
>> complex implementation. I think we can still fulfill that goal.
>>
>> (I echo Rob’s concern about further delay and the ironies inherent in
>> this discussion.)
>>
>>         Aleecia
>>
>>
>>
>>
>
>
> --
> - Shane
>
> Shane Wiley
> VP, Privacy
> Oath: A Verizon Company
>
>
>


-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Thursday, 12 October 2017 23:04:24 UTC