- From: Shane M Wiley <wileys@oath.com>
- Date: Fri, 13 Oct 2017 09:04:58 -0700
- To: Rob van Eijk <rob@blaeu.com>
- Cc: "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <CAEwb2ykvSETue4LpAVRj1ODXvyQy8w8K61g+cjQ1xfTTcuj33w@mail.gmail.com>
Rob, There is a legal disconnect for me based on your statement (at least based on what industry lawyers are saying). Are you suggesting, from the A29WP perspective, then that industry is permitted to request "all-or-nothing" consents? This would mean it would legally be permissible to state two independent purposes but force the user to consent to both or to neither? If that is your official position from a regulatory position that would remove the individual purpose consent need we are discussing now. If you could please respond in an official capacity on just this one topic so industry could have legally certainty that would be very much appreciated. - Shane On Fri, Oct 13, 2017 at 12:11 AM, Rob van Eijk <rob@blaeu.com> wrote: > Shane, > > Adding purpose as metadata to DNT is just one element. In Issue 22 we > discussed the other legal aspects: (a) the modalities of the collection, > (b) its purpose, (c) the person responsible for it and the (d) other > information required under the GDPR where personal data are collected, as > well as (e) any measure the end-user of the terminal equipment can take to > stop or minimize the collection. > > Some of the aspects are static (aspects dealing with transparency), others > are dynamic (aspects dealing with user control). > > To me, purpose falls into the first category. It is static and belongs in > the TSR. If the aim is to convey a personalized contract through DNT, I > think you overload the protocol. It was not designed to do that. > > Rob > > > -----Original message----- > *From:* Aleecia M. McDonald > *Sent:* Friday, October 13 2017, 12:45 am > *To:* Shane M Wiley > *Cc:* public-tracking@w3.org (public-tracking@w3.org) ( > public-tracking@w3.org) > *Subject:* Re: Next 2 calls canceled (Oct 09 and Oct 16) > > Wouldn’t hard-coding specific advertising techniques leave the spec > brittle and out-dated in short order? > > Surely you will likewise need consent when advertising uses a new process > with, say, facial recognition via 3D-printed drone in VR, or whatever > buzzword compliant example you like. What then? > > Aleecia > > On Oct 12, 2017, at 3:20 PM, Shane M Wiley <wileys@oath.com> wrote: > > I believe this is an over simplification of the issue. If we want DNT to > meet the most basic needs of even small publishers that means they will > need to support at least one ad tech partner (assuming the goal of the > group is still to meet the original target of the standard). Even the most > basic ad tech partner will participate in at least two distinct purposes > which lawyers are expressing need to be consented to separately: > interest-based advertising and cross-device mapping (all ad ecosystem > participants support these two common approaches in the EU marketplace > today). If the DNT standard is unable to support even the most basic > consent scenario then there will likely be zero adoption - at least for the > most common use case and original target of the standard. There may still > be hyper edge cases where a singular purpose consent will cover all needed > business cases. > > - Shane > > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <aleecia@aleecia.com> > wrote: > >> >> > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com> wrote: >> > >> […] >> > In either case, we'll need a purpose array for the ad industry to be >> able to leverage DNT as a lawful consent compliance approach in the EU (at >> least that's what EU lawyers are telling me). >> […] >> >> This sounds like an array of common purposes that also contains a purpose >> of other. >> >> I imagine a common set of purposes congruent with EU regs, and then >> “other” managed entirely by the publisher, which defines what it means, >> conveys it meaningfully to users, and records not only consent but what was >> consented to. I would expect any given publisher using “other” to change >> what it means over time (e.g. after an acquisition or new product launch, >> etc.) which is why a timestamp is going to matter. >> >> In an ideal world, Art 29 WP could issue guidance that turns the common >> set of purposes into something fairly self-serve. Perhaps there will be >> sample text akin to Safe Harbor guidance. >> >> For the complexities of Other, well, see your local DPA to have a >> discussion about that. >> >> Small sites should be able to do just fine with the common set. Large >> companies can get all the complexity they need from Other, which might need >> to be further defined as OtherA, OtherB, OtherC, on the backend, but that >> too is up to the publisher to manage. >> >> Early on we had the idea that straight-forward publishers should be able >> to implement DNT easily and those with complex practices would have a more >> complex implementation. I think we can still fulfill that goal. >> >> (I echo Rob’s concern about further delay and the ironies inherent in >> this discussion.) >> >> Aleecia >> >> >> >> > > > -- > - Shane > > Shane Wiley > VP, Privacy > Oath: A Verizon Company > > > -- - Shane Shane Wiley VP, Privacy Oath: A Verizon Company
Received on Friday, 13 October 2017 16:05:24 UTC