Re: Next 2 calls canceled (Oct 09 and Oct 16)

David,

The missing element in your assessment is that the user MUST be able to
consent (or not) to the options individually.  We're not able to make it an
"all-or-nothing" proposition legally.  If that was possible we wouldn't
need to have this conversation as then a single signal would cover our
needs.

- Shane

On Thu, Oct 12, 2017 at 11:33 PM, David Singer <singer@mac.com> wrote:

>
>
> > On Oct 13, 2017, at 0:20 , Shane M Wiley <wileys@oath.com> wrote:
> >
> > I believe this is an oversimplification of the issue.  If we want DNT
> > to meet the most basic needs of even small publishers that means they will
> > need to support at least one ad tech partner (assuming the goal of the
> > group is still to meet the original target of the standard).  Even the most
> > basic ad tech partner will participate in at least two distinct purposes
> > which lawyers are expressing need to be consented to separately:
> > interest-based advertising and cross-device mapping (all ad ecosystem
> > participants support these two common approaches in the EU marketplace
> > today).  If the DNT standard is unable to support even the most basic
> > consent scenario then there will likely be zero adoption - at least for the
> > most common use case and original target of the standard.  There may still
> > be hyper edge cases where a singular purpose consent will cover all needed
> > business cases.
>
> Shane
>
> I think I am confused.
>
> When consent is requested, the site manages the UI. It can certainly ask:
>
> I need to be able to track you so that
> * I serve you the breakfast that corresponds to your weird food fads
> * I and my third parties can gather data about you that I will sell to a
> foreign intelligence service, to cover my medical bills
>
> So, the dual purposes can be clearly expressed in the request.
>
> Likewise they can be expressed in the tracking status resource; we could
> certainly have a list of purposes added here:
>
> object {
>     string tracking;                 // TSV
>     array { string; } compliance?;   // hrefs
>     string qualifiers?;              // compliance flags
>     array { string; } controller?;   // hrefs
>     array { string; } same-party?;   // domains
>     array { string; } audit?;        // hrefs
>     string policy?;                  // href
>     string config?;                  // href
> }*;
>
> So, as I see it, for an unchanging picture we seem to be covered, no?
>
> The tricky parts come in at least two ways:
> * if the site offers granular consent, for each purpose separately, it
> needs to know who consented to which purpose.
> * if the site’s needs and hence purposes for tracking change over time, it
> needs to remember “this user gave consent before I added purpose-Q, whereas
> that user gave consent also to purpose-Q”
>
> Are these what we are struggling with?
>
>
> >
> > - Shane
> >
> > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
> >
> > > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com> wrote:
> > >
> > […]
> > > In either case, we'll need a purpose array for the ad industry to be
> > > able to leverage DNT as a lawful consent compliance approach in the EU (at
> > > least that's what EU lawyers are telling me).
> > […]
> >
> > This sounds like an array of common purposes that also contains a
> > purpose of other.
> >
> > I imagine a common set of purposes congruent with EU regs, and then
> > “other” managed entirely by the publisher, which defines what it means,
> > conveys it meaningfully to users, and records not only consent but what was
> > consented to. I would expect any given publisher using “other” to change
> > what it means over time (e.g. after an acquisition or new product launch,
> > etc.) which is why a timestamp is going to matter.
> >
> > In an ideal world, Art 29 WP could issue guidance that turns the common
> > set of purposes into something fairly self-serve. Perhaps there will be
> > sample text akin to Safe Harbor guidance.
> >
> > For the complexities of Other, well, see your local DPA to have a
> > discussion about that.
> >
> > Small sites should be able to do just fine with the common set. Large
> > companies can get all the complexity they need from Other, which might need
> > to be further defined as OtherA, OtherB, OtherC, on the backend, but that
> > too is up to the publisher to manage.
> >
> > Early on we had the idea that straightforward publishers should be able
> > to implement DNT easily and those with complex practices would have a more
> > complex implementation. I think we can still fulfill that goal.
> >
> > (I echo Rob’s concern about further delay and the ironies inherent in
> > this discussion.)
> >
> >         Aleecia
> >
> >
> >
> >
> >
> >
> > --
> > - Shane
> >
> > Shane Wiley
> > VP, Privacy
> > Oath: A Verizon Company
>
> Dave Singer
>
> singer@mac.com
>
>


-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Friday, 13 October 2017 15:49:08 UTC
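
Added example (not part of the thread or of any W3C text): a sketch of the bookkeeping the two "tricky parts" in the quoted message call for, with a per-purpose decision stored with its date and compared against the date each purpose was last (re)defined. The purpose names, dates and ledger layout are constructed assumptions; the thread fixes no vocabulary or storage format.

```python
from datetime import date

# Constructed catalogue: purpose id -> date its current definition took effect.
# "other" is publisher-defined and was redefined on 2017-09-15 (hypothetical).
PURPOSES = {
    "interest-based-advertising": date(2017, 5, 1),
    "cross-device-mapping": date(2017, 5, 1),
    "other": date(2017, 9, 15),
}

# Constructed ledger: user -> purpose -> (granted?, date of the decision).
LEDGER = {
    "user-a": {
        "interest-based-advertising": (True, date(2017, 6, 1)),
        "cross-device-mapping": (False, date(2017, 6, 1)),
        "other": (True, date(2017, 6, 1)),   # predates the redefinition
    },
    "user-b": {
        "interest-based-advertising": (True, date(2017, 10, 1)),
        "cross-device-mapping": (True, date(2017, 10, 1)),
        "other": (True, date(2017, 10, 1)),
    },
}

def evaluate(user, ledger=LEDGER, purposes=PURPOSES):
    """Sort every current purpose into allowed / refused / ask for one user."""
    decisions = ledger.get(user, {})
    result = {"allowed": [], "refused": [], "ask": []}
    for purpose, defined_on in purposes.items():
        decision = decisions.get(purpose)
        if decision is None or decision[1] < defined_on:
            # Never asked, or the answer refers to an older definition:
            # the stored decision says nothing about the current purpose.
            result["ask"].append(purpose)
        elif decision[0]:
            result["allowed"].append(purpose)
        else:
            result["refused"].append(purpose)
    return result

def may_process(user, purpose, ledger=LEDGER, purposes=PURPOSES):
    """Default deny: only a current, affirmative decision permits processing."""
    return purpose in evaluate(user, ledger, purposes)["allowed"]
```

Adding a new purpose to the catalogue, or moving a definition date forward, automatically moves affected users into `ask` without touching their stored decisions.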