Re: Next 2 calls canceled (Oct 09 and Oct 16)

Aleecia,

The purpose is attached to the specific 3rd party (User / Publisher / 3rd
Party / Purpose).  Two 3rd parties would not receive the same purpose
signal.

Publisher:
   - Ad Tech Vendor A
      - Purpose 1
      - Purpose 2
   - Analytics Vendor B
      - Purpose 1
      - Purpose 2

If a Data Controller is leveraging their consent purpose with a Data
Processor they will need to be crystal clear on the bounds of that consent
as part of their relationship.

- Shane

On Fri, Oct 13, 2017 at 3:28 PM, Aleecia M. McDonald <aleecia@aleecia.com>
wrote:

> My concern is name space collisions.
>
> Ad ecosystem members use an array where 1=x, 2=y, and the relevant parties
> all agree.
> Breakfast tracking ecosystem members use an array where 0=a, 1=b, 2=3, and
> all parties agree.
>
> Everything goes along fine until a publisher is part of both ecosystems.
> Publisher then expresses “good news, I have consent for purpose 1.”
> Presumably this goes to all parties. Yet they likely have consent for
> *either* 1=x or 1=b.
>
> We need some way to disambiguate *which* [1] in the array, yes?
>
> Aleecia
>
> On Oct 13, 2017, at 2:46 PM, Shane M Wiley <wileys@oath.com> wrote:
>
> The array only needs to make sense to three parties:  user, publisher, and
> ad tech vendor (3rd party).
>
>    - Publisher and Ad Tech Vendor decide on the array they will use (1=x,
>    2=y) for their relationship
>    - Ad Tech Vendor publishes these values and their meaning in their WKL
>    - The Ad Tech Vendor will publish one set of purposes to reflect their
>       entire business but only a few may be displayed to the user based on the
>       business relationship with that specific Publisher
>    - Publisher displays the purposes choices for that Ad Tech Vendor to
>    the User for consent (with links to learn more)
>    - Ad Tech Vendor receives their purpose array with their DNT:0 when
>    that User interacts with that Publisher -- this tells the Ad Tech Vendor
>    which practices are allowed or disallowed based on the array they receive
>    for that transaction
>
>
> - Shane
>
> On Fri, Oct 13, 2017 at 2:12 PM, Aleecia M. McDonald <aleecia@aleecia.com>
> wrote:
>
>> Ah! I think I am finally starting to understand. Thanks for your
>> patience, Shane.
>>
>> Not to make this harder, but presumably you need more than 1 to n, since
>> there could be multiple ecosystems that want to do similar mappings. It
>> would be deeply unfortunate to have Publisher A get consent to purpose 1 in
>> context Breakfast Tracking, while an advertiser *thinks* they have consent
>> to purpose 1 in the Ad Ecosystem, but no, it was purpose 1 in the Breakfast
>> Tracking ecosystem.
>>
>> Arrays seem fundamentally problematic. I do not have better ideas yet.
>>
>> I hesitate to put this forward, but perhaps an array that is documented
>> as [0] through [19] are reserved for use by IAB/NAI/AAAA/whomever will own
>> the coordination task. This is suboptimal. Perhaps we need prefixes or
>> multiple well-named arrays, though there are obvious brittle problems
>> there. We could use a registry of some type but I doubt W3C is interested
>> in unending work to support such things.
>>
>> (Ignoring fingerprinting risk for now; ignoring that we may fail to ship
>> any spec by making major changes this late; can weigh those when we have a
>> solid idea of how to move forward)
>>
>> Aleecia
>>
>> On Oct 13, 2017, at 1:20 PM, Shane M Wiley <wileys@oath.com> wrote:
>>
>> David,
>>
>> The way this is likely going to work in the real-world, with or without
>> DNT, is that the publisher will be capturing the consent (by purpose) for
>> each ad tech vendor they work with.  Imagine a consent dialogue that lists
>> 5 ad tech partners with 2 to 3 purposes below each partner that the user
>> must consent (thus far the mocks I've seen are not very pretty).
>>
>> Note - I'll avoid the pre-checked box debate here as there could be a
>> secondary unchecked box that confirms the user's choice prior to allowing
>> them to hit the "I Consent" button.
>> Note 2 - I'll avoid the all-or-nothing discussion here (having that with
>> Rob on the same thread).
>> Note 3 - I'll also avoid the pay-wall or tracking-wall debates (as those
>> are on-going in the ePR legislative process).
>>
>> The publisher will capture this consent and then need to convey it to
>> those 3rd parties in some manner.  DNT is a nice solution as the browser
>> does this for the ad tech vendor (publisher -> browser -> ad tech vendor).
>> Similarly, the publisher could daisy chain through their 3rd party ad tech
>> vendor's domains (iFramed) so they each set a cookie with the appropriately
>> passed parameters for what level of consent has been provided.  If the
>> consent is "web-wide" the publisher would need to follow a similar approach
>> anyway (site-wide does not require the iFrame daisy chain).  The publisher
>> will of course record this themselves as any changes (new partners, new
>> purposes) will require they interact with the user again to gain consent
>> for the new elements.  Net-net: EU users will be seeing A LOT of consent
>> dialogues going forward.
>>
>> In the publisher to ad tech vendor setup they will need to agree to the
>> purposes for which the ad tech vendor is seeking to gain consent to prior
>> to launching the consent experience with users on the publisher's site.  Ad
>> Tech Vendors may agree to a single set of possible purposes such that
>> numbering is common across industry (1 = interest based ads, 2 =
>> cross-device mapping, 3 = probabilistic mapping, N...).  In either case the
>> publisher and the ad tech vendor have to agree to this up front so they are
>> accurately conveying the appropriate consent for each purpose for that
>> vendor.
>>
>> - Shane
>>
>> On Fri, Oct 13, 2017 at 9:39 AM, David Singer <singer@apple.com> wrote:
>>
>>>
>>>
>>> > On Oct 13, 2017, at 17:48 , Shane M Wiley <wileys@oath.com> wrote:
>>> >
>>> > David,
>>> >
>>> > The missing element in your assessment is that the user MUST be able
>>> to consent (or not) to the options individually.  We're not able to make it
>>> an "all-or-nothing" proposition legally.  If that was possible we wouldn't
>>> need to have this conversation as then a single signal would cover our
>>> needs.
>>>
>>> OK. Kinda weird. The site may not do the quid-pro-quo (e.g. free access)
>>> unless you consent to it all.  So ‘granular consent’ as I wrote below, and
>>> possibly ‘changing purposes over time’ are both issues.
>>>
>>> It’s easy for the site to talk back to itself; cookies, or even as I
>>> suggested using the DNT-extension. That covers the web-wide exception, and
>>> the site itself for site-specific.
>>>
>>> How do you think a site should convey to the ads and its 3rd-parties,
>>> for site-specific exceptions, which purposes they have consent for?
>>>
>>> “This user agreed to a non-vegetarian meal” “This user agreed to wearing
>>> synthetic fibers during the night-time” and so on?
>>>
>>>
>>>
>>> >
>>> > - Shane
>>> >
>>> > On Thu, Oct 12, 2017 at 11:33 PM, David Singer <singer@mac.com> wrote:
>>> >
>>> >
>>> > > On Oct 13, 2017, at 0:20 , Shane M Wiley <wileys@oath.com> wrote:
>>> > >
>>> > > I believe this is an over simplification of the issue.  If we want
>>> DNT to meet the most basic needs of even small publishers that means they
>>> will need to support at least one ad tech partner (assuming the goal of the
>>> group is still to meet the original target of the standard).  Even the most
>>> basic ad tech partner will participate in at least two distinct purposes
>>> which lawyers are expressing need to be consented to separately:
>>> interest-based advertising and cross-device mapping (all ad ecosystem
>>> participants support these two common approaches in the EU marketplace
>>> today).  If the DNT standard is unable to support even the most basic
>>> consent scenario then there will likely be zero adoption - at least for the
>>> most common use case and original target of the standard.  There may still
>>> be hyper edge cases where a singular purpose consent will cover all needed
>>> business cases.
>>> >
>>> > Shane
>>> >
>>> > I think I am confused.
>>> >
>>> > When consent is requested, the site manages the UI. It can certainly
>>> ask:
>>> >
>>> > I need to be able to track you so that
>>> > * I serve you the breakfast that corresponds to your weird food fads
>>> > * I and my third parties can gather data about you that I will sell to
>>> a foreign intelligence service, to cover my medical bills
>>> >
>>> > So, the dual purposes can be clearly expressed in the request.
>>> >
>>> > Likewise they can be expressed in the tracking status resource; we
>>> could certainly have a list of purposes added here:
>>> >
>>> > object {
>>> >     string tracking;                 // TSV
>>> >     array { string; } compliance?;   // hrefs
>>> >     string qualifiers?;              // compliance flags
>>> >     array { string; } controller?;   // hrefs
>>> >     array { string; } same-party?;   // domains
>>> >     array { string; } audit?;        // hrefs
>>> >     string policy?;                  // href
>>> >     string config?;                  // href
>>> > }*;
>>> >
>>> > So, as I see it, for an unchanging picture we seem to be covered, no?
>>> >
>>> > The tricky parts come in at least two ways:
>>> > * if the site offers granular consent, for each purpose separately, it
>>> needs to know who consented to which purpose.
>>> > * if the site’s needs and hence purposes for tracking change over
>>> time, it needs to remember “this user gave consent before I added
>>> purpose-Q, whereas that user gave consent also to purpose-Q”
>>> >
>>> > Are these what we are struggling with?
>>> >
>>> >
>>> > >
>>> > > - Shane
>>> > >
>>> > > On Thu, Oct 12, 2017 at 2:47 PM, Aleecia M. McDonald <
>>> aleecia@aleecia.com> wrote:
>>> > >
>>> > > > On Oct 12, 2017, at 11:16 AM, Shane M Wiley <wileys@oath.com>
>>> wrote:
>>> > > >
>>> > > […]
>>> > > > In either case, we'll need a purpose array for the ad industry to
>>> be able to leverage DNT as a lawful consent compliance approach in the EU
>>> (at least that's what EU lawyers are telling me).
>>> > > […]
>>> > >
>>> > > This sounds like an array of common purposes that also contains a
>>> purpose of other.
>>> > >
>>> > > I imagine a common set of purposes congruent with EU regs, and then
>>> “other” managed entirely by the publisher, which defines what it means,
>>> conveys it meaningfully to users, and records not only consent but what was
>>> consented to. I would expect any given publisher using “other” to change
>>> what it means over time (e.g. after an acquisition or new product launch,
>>> etc.) which is why a timestamp is going to matter.
>>> > >
>>> > > In an ideal world, Art 29 WP could issue guidance that turns the
>>> common set of purposes into something fairly self-serve. Perhaps there will
>>> be sample text akin to Safe Harbor guidance.
>>> > >
>>> > > For the complexities of Other, well, see your local DPA to have a
>>> discussion about that.
>>> > >
>>> > > Small sites should be able to do just fine with the common set.
>>> Large companies can get all the complexity they need from Other, which
>>> might need to be further defined as OtherA, OtherB, OtherC, on the backend,
>>> but that too is up to the publisher to manage.
>>> > >
>>> > > Early on we had the idea that straight-forward publishers should be
>>> able to implement DNT easily and those with complex practices would have a
>>> more complex implementation. I think we can still fulfill that goal.
>>> > >
>>> > > (I echo Rob’s concern about further delay and the ironies inherent
>>> in this discussion.)
>>> > >
>>> > >         Aleecia
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > - Shane
>>> > >
>>> > > Shane Wiley
>>> > > VP, Privacy
>>> > > Oath: A Verizon Company
>>> >
>>> > Dave Singer
>>> >
>>> > singer@mac.com
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > - Shane
>>> >
>>> > Shane Wiley
>>> > VP, Privacy
>>> > Oath: A Verizon Company
>>>
>>> David Singer
>>> Manager, Software Standards, Apple Inc.
>>>
>>>
>>
>>
>> --
>> - Shane
>>
>> Shane Wiley
>> VP, Privacy
>> Oath: A Verizon Company
>>
>>
>>
>
>
> --
> - Shane
>
> Shane Wiley
> VP, Privacy
> Oath: A Verizon Company
>
>
>


-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Friday, 13 October 2017 22:39:29 UTC