W3C

Tracking Protection Working Group
Global Considerations Task Force
11-12 March 2013 Face to Face meeting

Conclusions drawn from the meeting (Peter's suggestions)

  1. The group had a constructive discussion, with civil and detailed analysis of the relevant issues.
  2. Task Force should proceed. There was consensus that the Global Considerations Task Force (GCTF) should continue to work on issues relating to DNT:0 setting. Members of the working group are welcome to join the GCTF mailing list by writing to rigo@w3.org. See also the Archives of public-tracking-international at w3.org.
  3. Gap analysis. The first task for the GCTF is to assess the delta between the current DNT draft specification and what is legally required under current EU law. Also, assess the delta between the DNT draft specification and the EDAA approach. There may be a similar gap analysis with respect to Canadian law, pursuant to the opinion of the Office of the Federal Privacy Commissioner concerning OBA. The Group will also explore other jurisdictions (Australia, Hong Kong, Japan).
  4. Standard contract. Once gap analysis is concluded, there will be discussion, including DPAs, industry, and other stakeholders, of the meaning of DNT:0 compliance. The group discussed the possible usefulness of a “standard contract” that could be understood in the EU as authorizing a number of actions by the server. The standard contract would not have to address all possible uses; for instance, it likely would not authorize collection and use of “sensitive” data such as the categories in Article 8 of the EU Data Protection Directive.
  5. After the gap analysis. Once gap analysis is concluded, there will be a go/no-go discussion about how and whether the GCTF will proceed. That discussion will include consideration of the practicality and implementability of any normative text. One path may be drafting of a “standard contract” that could be understood in the EU as authorizing a number of actions by the server. Another path might recognize that meeting the DNT:0 standard will not be sufficient to reach the level of legal requirements in the EU (and possibly elsewhere). In that case, an option might be to explore if DNT:0 could be a mechanism for providing a specific grant of permission by a user to an action by a server.

    Suggested wording for the second path from Justin Brookman: There was some recognition at the meeting that the DNT standard we're negotiating will in any event not be sufficient to reach the level of legal requirements in the European Union (and quite possibly elsewhere). Instead of repurposing DNT:0 as web-wide (or more granular) agreement to a set of less controversial uses (such as first-party analytics, first-party personalization, or audience measurement), we could edit the TPE (and to a lesser extent to allow for *any* party (first or third) to take advantage of the exception-API mechanism to ask for consent if that party believes that adhering to the DNT standard alone will not be sufficient for legal compliance in a particular jurisdiction. Thus, if a first party believes it needs consent to do first-party analytics despite the TCS exemption of first parties from compliance obligations, that first party could call the exception-API to get permission to engage in tracking on its own domain. Or if market research was deemed a permitted use, an audience measurement company could still trigger a call to the API for consent to track around the web even if the TCS allowed for market research.

  6. Time line. The GCTF plans to work intensively to determine if normative text is appropriate concerning DNT:0. The GCTF understands that normative text is subject to the Working Group’s July, 2013 deadline for Last Call. It also understands that any such normative text would be included in the compliance spec only if consensus is reached in the Working Group.
  7. Possible non-normative text. In addition to determining whether and what to propose as normative text, the GCTF may work on non-normative text. Specifically, the group discussed the possibility of drafting a Note, which would be subject to discussion and review in the full Working Group. Topics of the non-normative text may include a guide about compliance with the compliance spec, with citations and assistance to organizations in different regions about local requirements and implementation.

Initial listing of issues

  1. How TCS applies to first parties
    • Wolf emphasizes the possibility of a contract or other agreement between a first party and data subject; that agreement may override what is in the DNT standard that applies to both first and third parties; don't know how to deal with that issue (revisit as part of first party discussion)
    • How do the exception mechanisms and other consumer relations affect the TCS application to first parties
    • Technical implementation issues: asymmetry issue; bridging the gap between DNT, which distinguishes first party and third party; DNT:0 does not eliminate the need for a first party to provide notice and obtain consent (e.g. window shades); and the timing question
  2. Pseudonymous data
    • asymmetries with permitted uses
    • Clear statement that Anonymous data is out of scope? Pseudonymous data is still in scope of DNT.
    • Sufficiently pseudonymized data that falls out of scope of the consent requirement? (Permitted use?)
  3. Are there special requirements on defaults?
    • => go back with default question to main group
  4. Compare and contrast proposed Amendment 108 with existing Article 27 under 95/46/EC
    • How do we fit into Recital 66 of the 2009/136/EC amendment of 2002/58/EC
    • If DNT is not able to represent consent, provide feedback to the TPWG that we give up on this.
  5. Sensitive data issues (Article 8) - need some additional requirements (like minimum area of JavaScript shade to get to DNT:0) (Pharma ads are not a problem) (low priority)
  6. DNT:1 permitted uses; the ePrivacy Directive (2009/136/EC) has its own list of permitted uses (goal to have all legal exemptions covered)
    • asymmetry of first party vs third party
    • asymmetry on what constitutes a permitted use (US) and what is considered an exemption (ePrivacy Directive and other laws (regulation, directive))
    • asymmetry in national law
  7. While using DNT, are there additional requirements for legal compliance (use case driven implementation guide)
    • what is needed to get consent for DNT:0 at initial startup
  8. First Party Analytics as defined in "data controller"
  9. Definition of DNT:0
    • Short explanation of why and how
    • Additional legal limitations explained as non normative text
  10. Unresolved Questions:
    • Requirements for Consent (what does DNT have to do to get accepted as free, specific and informed consent)
    • What is the browser's role in the consent messaging? Do we need something other than the API as suggested by Adrian Bateman?
    • Is the browsing context while sending DNT:0 sufficient for the consent to be specific?
  11. What permitted uses are in line with the ePrivacy Directive and 95/46/EC
  12. Justin: First parties may use the DNT exception mechanism to ask for a DNT:0 exception. Doesn't force a first party to follow DNT:1. Suggestion from Justin: