Re: ACTION-172: Write up more detailed list of use cases for origin/origin exceptions from Kimon Zorbas on 2012-05-03 (public-tracking@w3.org from May 2012)

From: Kimon Zorbas <vp@iabeurope.eu>
Date: Thu, 3 May 2012 22:27:26 +0000
To: "rob@blaeu.com" <rob@blaeu.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <7311806C-FBDD-47A6-B7C2-14A38B342611@iabeurope.eu>
Rob,

Are we not mixing up legal and technical issues here? I am not sure I understand how consent can be handled the way you describe, given differing and inconsistent transpositions (and some missing) of the E-Privacy Directive. While I'd be excited having a technical solution to the the legal challenge, I'm not optimistic this can be resolved here.

Kind regards,
Kimon

Kimon Zorbas Vice President IAB Europe

IAB Europe - The Egg
Rue Barastraat 175
1070 Brussels - Belgium
Phone +32 (0)2 5265 568
Mob +32 494 34 91 68
Fax +32 2 526 55 60
vp@iabeurope.eu
Twitter: @kimon_zorbas

www.iabeurope.eu and www.interactcongress. eu

IAB Europe supports the .eu domain name www.eurid.eu

IAB Europe is supported by:

Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine and United Kingdom representing their 5.000 members. The IAB network represents over 90% of European digital revenues and is acting as voice for the industry at National and European level.

IAB Europe is powered by:

Adconion Media Group, Adobe, ADTECH, Alcatel-Lucent, AOL Advertising Europe, AudienceScience, BBCAdvertising, CNN, comScore Europe, CPX Interactive, Criteo, eBay International Advertising, Expedia Inc, Fox Interactive Media, Gemius, Goldbach Media Group, Google, GroupM, Hi-Media, Koan, Microsoft Europe, Millward Brown, News Corporation, nugg.ad, Nielsen Online, OMD, Orange Advertising Network, PHD,Prisa, Publicitas Europe, Quisma, Sanoma Digital, Selligent, TradeDoubler, Triton Digital, United Internet Media, ValueClick, Verisign, Viacom International Media Networks, White & Case, Yahoo! and zanox.

IAB Europe is associated with: Advance International Media, Banner, Emediate, NextPerformance, Right Media, Tribal Fusion and Turn Europe

----- Reply message -----
From: "Rob van Eijk" <rob@blaeu.com>
To: "public-tracking@w3.org" <public-tracking@w3.org>
Subject: ACTION-172: Write up more detailed list of use cases for origin/origin exceptions
Date: Fri, May 4, 2012 12:06 am



Explicit/explicit gives Controllers the opportunity to signal which 3rd parties are processors. Because the controller determines the purpose and means, controller is responsible for valid consent in the EU.

So my use case [A] would be: a DNT:0 signal sent to the limited and known list of processors, who are bound by a legal contract, i.e. the processor agreement. In my opinion, this is not the use case to use the '*' parameter, i.e. MUST NOT be used. In this case the list [Inc_A,Inc_B,...,Inc_Z] SHOULD/MUST be used.

Use case [B]: a DNT:0 signal to service providers, not being processors, but as a result controllers themselves or in some cases joint controller. It could be useful, but I haven't given it a lot of thought. My assumption for DNT:0 to be useful in this scenario is that the browser reflects user consent. This implies that the user has made an informed choice, preferably in the install/update flow of the browser to use DNT technology as a granular consent expression mechanism.

Rob


On 2-5-2012 9:54, Nicholas Doty wrote:
>>> * Separate data controllers in EU jurisdictions
>>> >>  A DNT:0 signal sent to a third-party service in the EU might usefully be interpreted as consent for independent use by that thid-party (that the service would itself be a data controller, not just a processor). EU regulations, however, may require that this consent be specific to the party rather than site-wide. (Suggested by Ninja, who may be able to add more detail.)
>> >
>> >  Importance: Medium
>> >
>> >  Design Notes:
>> >  I agree that being able to provide consent via DNT is useful. I cannot
>> >  judge what extent explicit/explicit is needed or whether a site-wide
>> >  exception would also be considered consent. An important question in
>> >  this use case is what responsibilities (under EU law) are implied from
>> >  the corresponding "Trust myself and my third parties" statement.
> I also welcome input from Ninja, Rob and others on this issue.
>
Received on Thursday, 3 May 2012 22:28:08 UTC