Re: tracking-ISSUE-184 (Walter van Holst): 3rd party dependencies in 1st party content [Tracking Definitions and Compliance] from Rigo Wenning on 2012-10-25 (public-tracking@w3.org from October 2012)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 25 Oct 2012 08:57:08 +0200
To: public-tracking@w3.org, rob@blaeu.com
Message-ID: <1956772.K24HiV83hf@hegel.sophia.w3.org>

Walter, Rob, 

in our setup, a first party doesn't need consent with the current 
specifications. And the second party is not DNT enabled in your 
scenario. So you have already a logic break in there. 

There is a law in Germany that a service can't refuse service merely 
because the data subject refuses data collection. This hasn't been 
applied in a case I know of. And for good reasons. If the user 
refuses necessary data collection, how would I obtain the service? 

I think we would be ill-guided if we would accept that a service 
can't refuse service. Forced licenses and services exist for patents 
and monopolies. We are not there. And if we were there, we would 
have to define precisely what that minimum service is. I don't think 
we can do that from here. 

The only point that Walter has is the following: If the first party 
responds "3" (as in the EU context) and has other third parties not 
compliant with DNT and the site is not working without them, one 
could argue for text that says, the entire site is not DNT 
compliant. But that has dangers from redirects and other surprises. 
I would rather say that we add non-normative text that the browser 
should assume that the site is not usable with DNT. It finally says 
that the site, by establishing the denial, it links its service to 
another non-DNT service such that the DNT can't be assumed. 

Another break is then, that Walter assumes DNT and says: "The user 
is forced to give consent". But there is no DNT to consent to other 
than the first party as -by definition- the third party is not DNT 
enabled. 

Concluding, I can say that for the EU, the situation is rather 
simple. Requests are DNT-enabled or not. If those enabled are 
hardwired with a service that aren't, the entire request must fail 
or made under the assumption of DNT unset. 

Rigo

On Wednesday 24 October 2012 19:49:46 Rob van Eijk wrote:
> > This raises an interesting situation if we have DNT. For example
> > we have a 1st party that is trusted by the user and also claims
> > to comply
> > to DNT and a 3rd party that is neither. Since the 1st party
> > content  is
> > technically dependent on 3rd party content, the user has the
> > choice between either granting consent to the 3rd party in
> > order to have the 1st party function properly or not getting
> > the content at all.
> > 
> > To what extent is such consent informed, genuine and meaningful?
> 
> I would like to add the question the element of free (i.e. freely 
> given): to what extent is such consent freely given.
> 
> (Recital 17 (2002/58/EC): Consent may be given by any appropriate 
> method enabling a freely given, specific and informed  indication
> of the user’s whishes.)

Received on Thursday, 25 October 2012 06:57:32 UTC