- From: David Singer <singer@apple.com>
- Date: Fri, 13 Oct 2017 18:39:15 +0200
- To: Shane M Wiley <wileys@oath.com>
- Cc: "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
> On Oct 13, 2017, at 17:48 , Shane M Wiley <wileys@oath.com> wrote:
>
> David,
>
> The missing element in your assessment is that the user MUST be able to consent (or not) to the options individually. We're not able to make it an "all-or-nothing" proposition legally. If that was possible we wouldn't need to have this conversation as then a single signal would cover our needs.
OK. Kinda weird. The site may not do the quid-pro-quo (e.g. free access) unless you consent to it all. So ‘granular consent’ as I wrote below, and possibly ‘changing purposes over time’ are both issues.
It’s easy for the site to talk back to itself; cookies, or even as I suggested using the DNT-extension. That covers the web-wide exception, and the site itself for site-specific.
How do you think a site should convey to the ads and its 3rd-parties, for site-specific exceptions, which purposes they have consent for?
“This user agreed to a non-vegetarian meal” “This user agreed to wearing synthetic fibers during the night-time” and so on?
>
> - Shane
>
> On Thu, Oct 12, 2017 at 11:33 PM, David Singer <singer@mac.com> wrote:
>
>
> > On Oct 13, 2017, at 0:20 , Shane M Wiley <wileys@oath.com> wrote:
> >
> > I believe this is an over simplification of the issue. If we want DNT to meet the most basic needs of even small publishers that means they will need to support at least one ad tech partner (assuming the goal of the group is still to meet the original target of the standard). Even the most basic ad tech partner will participate in at least two distinct purposes which lawyers are expressing need to be consented to separately: interest-based advertising and cross-device mapping (all ad ecosystem participants support these two common approaches in the EU marketplace today). If the DNT standard is unable to support even the most basic consent scenario then there will likely be zero adoption - at least for the most common use case and original target of the standard. There may still be hyper edge cases where a singular purpose consent will cover all needed business cases.
>
> Shane
>
> I think I am confused.
>
> When consent is requested, the site manages the UI. It can certainly ask:
>
> I need to be able to track you so that
> * I serve you the breakfast that corresponds to your weird food fads
> * I and my third parties can gather data about you that I will sell to a foreign intelligence service, to cover my medical bills
>
> So, the dual purposes can be clearly expressed in the request.
>
> Likewise they can be expressed in the tracking status resource; we could certainly have a list of purposes added here:
>
> object {
> string tracking; // TSV
> array { string; } compliance?; // hrefs
> string qualifiers?; // compliance flags
> array { string; } controller?; // hrefs
> array { string; } same-party?; // domains
> array { string; } audit?; // hrefs
> string policy?; // href
> string config?; // href
> }*;
>
> So, as I see it, for an unchanging picture we seem to be covered, no?
>
> The tricky parts come in at least two ways:
> * if the site offers granular consent, for each purpose separately, it needs to know who consented to which purpose.
> * if the site’s needs and hence purposes for tracking change over time, it needs to remember “this user gave consent before I added purpose-Q, whereas that user gave consent also to purpose-Q”
>
> Are these what we are struggling with?
>
>
> >
> > - Shane
> >
> > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
> >
> > > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com> wrote:
> > >
> > […]
> > > In either case, we'll need a purpose array for the ad industry to be able to leverage DNT as a lawful consent compliance approach in the EU (at least that's what EU lawyers are telling me).
> > […]
> >
> > This sounds like an array of common purposes that also contains a purpose of other.
> >
> > I imagine a common set of purposes congruent with EU regs, and then “other” managed entirely by the publisher, which defines what it means, conveys it meaningfully to users, and records not only consent but what was consented to. I would expect any given publisher using “other” to change what it means over time (e.g. after an acquisition or new product launch, etc.) which is why a timestamp is going to matter.
> >
> > In an ideal world, Art 29 WP could issue guidance that turns the common set of purposes into something fairly self-serve. Perhaps there will be sample text akin to Safe Harbor guidance.
> >
> > For the complexities of Other, well, see your local DPA to have a discussion about that.
> >
> > Small sites should be able to do just fine with the common set. Large companies can get all the complexity they need from Other, which might need to be further defined as OtherA, OtherB, OtherC, on the backend, but that too is up to the publisher to manage.
> >
> > Early on we had the idea that straight-forward publishers should be able to implement DNT easily and those with complex practices would have a more complex implementation. I think we can still fulfill that goal.
> >
> > (I echo Rob’s concern about further delay and the ironies inherent in this discussion.)
> >
> > Aleecia
> >
> >
> >
> >
> >
> >
> > --
> > - Shane
> >
> > Shane Wiley
> > VP, Privacy
> > Oath: A Verizon Company
>
> Dave Singer
>
> singer@mac.com
>
>
>
>
> --
> - Shane
>
> Shane Wiley
> VP, Privacy
> Oath: A Verizon Company
David Singer
Manager, Software Standards, Apple Inc.
Received on Friday, 13 October 2017 16:39:41 UTC