- From: Rob van Eijk <rob@blaeu.com>
- Date: Fri, 13 Oct 2017 17:17:32 +0000
- To: Shane M Wiley <wileys@oath.com>
- Cc: Aleecia M. McDonald <aleecia@aleecia.com>, public-tracking@w3.org <public-tracking@w3.org>
- Message-ID: <0102015f16bdb6bf-b719cbcf-ac2a-4a12-972c-18ea1d95fb1e-000000@eu-west-1.amazonse>
Shane,

Are we discussing the concept of free when it comes to consent or the concept of specific? Obviously the extent to which consent is given matters, specifically when the purpose is identified and explained to an end-user. Since we are not working on the Tracking Compliance and Scope document, I refer to the GDPR article 7 and, e.g., recitals 32, 33, 42, and 43, and guidance provided by the Working Party.

I am afraid there is a technical disconnect for me. The aim of what you propose is not clear to me yet. Could you please walk me through the technical steps of the consent solution you need it for?

Rob

-----Original message-----
From: Shane M Wiley
Sent: Friday, October 13 2017, 6:06 pm
To: Rob van Eijk
Cc: Aleecia M. McDonald; public-tracking@w3.org
Subject: Re: Next 2 calls canceled (Oct 09 and Oct 16)

Rob,

There is a legal disconnect for me based on your statement (at least based on what industry lawyers are saying). Are you suggesting, from the A29WP perspective, then that industry is permitted to request "all-or-nothing" consents? This would mean it would legally be permissible to state two independent purposes but force the user to consent to both or to neither? If that is your official position from a regulatory position that would remove the individual purpose consent need we are discussing now.

If you could please respond in an official capacity on just this one topic so industry could have legal certainty that would be very much appreciated.

- Shane

On Fri, Oct 13, 2017 at 12:11 AM, Rob van Eijk <rob@blaeu.com> wrote:

Shane,

Adding purpose as metadata to DNT is just one element.
In Issue 22 we discussed the other legal aspects: (a) the modalities of the collection, (b) its purpose, (c) the person responsible for it and the (d) other information required under the GDPR where personal data are collected, as well as (e) any measure the end-user of the terminal equipment can take to stop or minimize the collection. Some of the aspects are static (aspects dealing with transparency), others are dynamic (aspects dealing with user control). To me, purpose falls into the first category. It is static and belongs in the TSR.

If the aim is to convey a personalized contract through DNT, I think you overload the protocol. It was not designed to do that.

Rob

-----Original message-----
From: Aleecia M. McDonald
Sent: Friday, October 13 2017, 12:45 am
To: Shane M Wiley
Cc: public-tracking@w3.org
Subject: Re: Next 2 calls canceled (Oct 09 and Oct 16)

Wouldn’t hard-coding specific advertising techniques leave the spec brittle and outdated in short order? Surely you will likewise need consent when advertising uses a new process with, say, facial recognition via 3D-printed drone in VR, or whatever buzzword-compliant example you like. What then?

Aleecia

On Oct 12, 2017, at 3:20 PM, Shane M Wiley <wileys@oath.com> wrote:

I believe this is an oversimplification of the issue. If we want DNT to meet the most basic needs of even small publishers that means they will need to support at least one ad tech partner (assuming the goal of the group is still to meet the original target of the standard). Even the most basic ad tech partner will participate in at least two distinct purposes which lawyers are expressing need to be consented to separately: interest-based advertising and cross-device mapping (all ad ecosystem participants support these two common approaches in the EU marketplace today).
If the DNT standard is unable to support even the most basic consent scenario then there will likely be zero adoption - at least for the most common use case and original target of the standard. There may still be hyper edge cases where a singular purpose consent will cover all needed business cases.

- Shane

On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:

> On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com> wrote:
> […]
> In either case, we'll need a purpose array for the ad industry to be able to leverage DNT as a lawful consent compliance approach in the EU (at least that's what EU lawyers are telling me). […]

This sounds like an array of common purposes that also contains a purpose of other. I imagine a common set of purposes congruent with EU regs, and then “other” managed entirely by the publisher, which defines what it means, conveys it meaningfully to users, and records not only consent but what was consented to. I would expect any given publisher using “other” to change what it means over time (e.g. after an acquisition or new product launch, etc.) which is why a timestamp is going to matter.

In an ideal world, Art 29 WP could issue guidance that turns the common set of purposes into something fairly self-serve. Perhaps there will be sample text akin to Safe Harbor guidance. For the complexities of Other, well, see your local DPA to have a discussion about that. Small sites should be able to do just fine with the common set. Large companies can get all the complexity they need from Other, which might need to be further defined as OtherA, OtherB, OtherC, on the backend, but that too is up to the publisher to manage.

Early on we had the idea that straightforward publishers should be able to implement DNT easily and those with complex practices would have a more complex implementation. I think we can still fulfill that goal.
(I echo Rob’s concern about further delay and the ironies inherent in this discussion.)

Aleecia

--
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company
Received on Friday, 13 October 2017 17:18:00 UTC