RE: [web-adv] February 1 agenda

My points are;



a)            to highlight the increasing value of directly identifiable personal data and the methods being used to capture and use it;

b)            that just one impact of Privacy Sandbox and GPC among others is to centralize the availability of increasingly valuable personal data;

c)            that W3C is not enforcing its own guidelines; and

d)            that you should all seek your own advice and not rely on Robin, Wendy, me, or anyone else.



Robin's statement regarding the operation of GPC and mine are compatible with one another.



If the GPC signal (Do Not Sell Or Share Preference<https://globalprivacycontrol.github.io/gpc-spec/#definitions>) is present in a request to a website and the website operator is using a privacy policy that incorporates GPC or is operating in a jurisdiction that requires the website under law to operate such a privacy policy, and that signal is set to true, then that website operator must not pass any personal data to any other data controllers or processors (in Robin's words "to reuse data independently of a business or person") including other data controllers and processors that operate their services on other domains. If the proposers of GPC envisage data sharing between domains being permitted when the GPC signal is true it would be helpful to modify the proposal to make this clear.



-----Original Message-----
From: Robin Berjon <robin@berjon.com>
Sent: 04 February 2022 17:41
To: James Rosewell <james@51degrees.com>; Nick Doty <ndoty@cdt.org>; public-web-adv@w3.org
Cc: Katherine Wei <kwei@zetaglobal.com>; Wendy Seltzer <wseltzer@w3.org>; Kris Chapman <kristen.chapman@salesforce.com>; Sam Goto <goto@google.com>; Beri Lee <berilee@google.com>; dan sinclair <dsinclair@google.com>; Heather Flanagan <hlf@sphericalcowconsulting.com>; Tim Cappalli <Tim.Cappalli@microsoft.com>
Subject: Re: [web-adv] February 1 agenda



On 2022-02-04 10:40, James Rosewell wrote:

> One consequence of work to reduce data sharing between different

> internet domains, such as Privacy Sandbox or GPC, is to significantly

> increase the value of directly identifiable personal data such as

> email addresses and telephone numbers.



I am very reluctantly stepping in here as editor of the GPC specification to correct this piece of disinformation. While everyone can make honest mistakes, when someone speaks confidently and assertively in public, it is tempting to assume that they at least understand the topic well enough to get the more elementary facts right.

That is not the case here.



GPC does not "reduce data sharing between different internet domains."

Where enforceable, GPC only impinges upon the right of service providers to reuse data independently of a business or person. Crucially, GPC applies in the exact same way to personal data shared using cookie IDs, email addresses, phone numbers, or whatever else one may cook up.



Please note that I am only providing a fact check on the GPC part of that email, and not implying by omission that its non-GPC parts are in any way more truthful.



--

Robin Berjon

VP Data Governance

The New York Times Company

This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, Davidson House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E: info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.