- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Sat, 23 Mar 2013 11:02:17 -0000
- To: "'Rob van Eijk'" <rob@blaeu.com>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'Justin Brookman'" <justin@cdt.org>
- Cc: <public-tracking@w3.org>
- Message-ID: <038001ce27b5$e2ad5fe0$a8081fa0$@baycloud.com>

It would be very easy to set up a page (that includes JS) with a document origin the same as the 1x1 gif hostname, then execute the API to get consent. A panel member just needs to visit the page and click an "I agree I am a member of the panel" button. If they must run with JS disabled they just need to set the DNT general pref. to 0. We do not need to change the TPE for this and we are undermining the core reason for the standard if we allow an exemption for it.

Mike

From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: 23 March 2013 07:38
To: Roy T. Fielding; Justin Brookman
Cc: public-tracking@w3.org
Subject: Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

The problem Alex raises is that the pixel technology is not able to talk DNT. Like I said in Berlin when we discussed audience measurement: Nielsen has to innovate. When DNT=1, it has to be meaningful. If your fishnet is not designed to determine whether you have out-of-band consent, then you shouldn't be fishing.

I remain to be very concerned about this discussion. We have seen this discussion going from a possible exception to now a deferrence of approach. The underlying problem has been the same: the tracking pixels are invisible, and data from non-panel members gets collected under DNT=1. That is not meaningful to me.

Rob

"Roy T. Fielding" <fielding@gbiv.com> wrote:

On Mar 22, 2013, at 1:39 PM, Justin Brookman wrote:

On 3/22/2013 3:42 PM, Ronan Heffernan wrote:

Responding to a DNT:1 signal with an acknowledgement that a company follows DNT, and will abide by the restrictions (and permitted uses) therein, is easy. Responding with real-time lookups of whether OOBC exists is quite difficult (in many cases impossible), especially for large-scale systems that use CDNs and other distributed processing, and systems that do not receive technical information required to perform OOBC lookups until after some browsing has already happened.

I just don't understand why these concerns hadn't been raised in the previous two years of discussions (it is possible they have and I was paying less attention to TPE, but if they were, they were resolved to the editors' and chairs' satisfaction). The mandatory response signal has been in the TPE for some time now. I would like to hear from others if feedback is effectively impossible for OOB. In which case, that's an argument that we need should get rid of OOB and require implementation of the exception mechanism by user agents (something I had previously been reluctant to do).

I think Alex raised the issue early on and we simply neglected to design for it. There do exist systems that only *use* collected data in essentially offline batch processing, so it is reasonable for a site to say "we are collecting data for all transactions but will only retain and use data from users identified as having previously given consent". I would not suggest using "C" for that. It is a different answer.

Alternatively, we could just make it part of the "3" definition to be that DNT:1 data will not be retained (beyond the minimum period allowed for non-processed raw data) unless agreed to separately by the user under contract. That would be consistent with prior consent overriding DNT.

And, again, whether or not this meets what the user asked by DNT:1 depends entirely on the definition of Do Not Track. If DNT:1 means let me browse anonymously, then sites that can't support anonymous browsing can't comply with DNT. Panel studies should simply require that members in the panel turn off DNT. OTOH, if DNT:1 means do not follow my activity across non-affiliated sites without my prior consent, then it would be sufficient for OOB consent sites to implement DNT by stating that the data will be deleted within X hours if it does not correspond to a user that has consented.

....Roy

Received on Saturday, 23 March 2013 11:02:52 UTC