Re: transitivity of DNT exceptions

Thanks Matthias, that is exactly my point. This is even more extreme than Article 29 Working Party proposals, cf. Opinion 2/2010. (Needless to say that I am not agreeing with many points raised in this legally non-binding opinion and its legal interpretations.) I highlight the part relevant(3rd sentence):

The Article 29 Working Party is conscious of the current practical problems related to obtaining consent, particularly if consent is necessary every time a cookie is read for the purposes of delivering targeted advertising. To avoid this problem, in accordance with Recital 25 of the ePrivacy Directive ("the right to refuse (cookies) may be offered once for the use of various devices to be installed on the user's terminal equipment….during subsequent connections"), users' acceptance of a cookie could be understood to be valid not only for the sending of the cookie but also for subsequent collection of data arising from such a cookie. In other words, the consent obtained to place the cookie and use the information to send targeting advertising would cover subsequent 'readings' of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie.

In other words, once consented to an ad-network cookie, Art. 29 WG accepts that subsequently data collected across sites can be used by this ad-network.
So the proposal goes further than Art. 29 and I have serious concerns with this approach.

Apologies to US colleagues for raising European points but our companies are already operating under strict legal regime and I think it's important to understand the points.

Kind regards,
Kimon


From: Matthias Schunter <mts-std@schunter.org<mailto:mts-std@schunter.org>>
Date: Monday 14 May 2012 16:35
To: Kimon Zorbas <vp@iabeurope.eu<mailto:vp@iabeurope.eu>>
Cc: Nicholas Doty <npdoty@w3.org<mailto:npdoty@w3.org>>, Tracking Protection Working Group <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: transitivity of DNT exceptions

Hi Kimon,


I believe that this also holds for DNT with transitive exceptions:
- If an ad-network receives an exception, this holds for its descendants too (the transitivity)
- These third parties are then exempted from the DNT constraints and can use the collected data as before
- This includes cross-site use among sites where a user has agreed to an exception

E.g., if a user granted a site-wide exception at site1 and site2 and both use an adnetwork adnet1 then adnet1 can correlated the data collected at site1 and site2. However, if a user has not granted a site-wide exception for site3, then the data collected via site3 is still constrained by DNT and must not be pooled for cross-site use.


Regards,


On 09/05/2012 19:46, Kimon Zorbas wrote:
Nick, I think this goes even beyond what data protection authorities have been discussing. They would allow for an ad-network to be "authorised" on via website and use data cross-sites.

We need to discuss this with our members, as we see the transpositions across the EU/EEA to not be coherent or consistent.

Kind regards,
Kimon

Kimon Zorbas Vice President IAB Europe

IAB Europe - The Egg
Rue Barastraat 175
1070 Brussels - Belgium
Phone +32 (0)2 5265 568
Mob +32 494 34 91 68
Fax +32 2 526 55 60
vp@iabeurope.eu<mailto:vp@iabeurope.eu>
Twitter: @kimon_zorbas

www.iabeurope.eu<http://www.iabeurope.eu> and www.interactcongress<http://www.interactcongress>. eu

IAB Europe supports the .eu domain name www.eurid.eu<http://www.eurid.eu>

IAB Europe is supported by:

Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Netherlands, Norway, Poland, Romania, Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine and United Kingdom representing their 5.000 members. The IAB network represents over 90% of European digital revenues and is acting as voice for the industry at National and European level.

IAB Europe is powered by:

Adconion Media Group, Adobe, ADTECH, Alcatel-Lucent, AOL Advertising Europe, AudienceScience, BBCAdvertising, CNN, comScore Europe, CPX Interactive, Criteo, eBay International Advertising, Expedia Inc, Fox Interactive Media, Gemius, Goldbach Media Group, Google, GroupM, Hi-Media, Koan, Microsoft Europe, Millward Brown, News Corporation, nugg.ad, Nielsen Online, OMD, Orange Advertising Network, PHD,Prisa, Publicitas Europe, Quisma, Sanoma Digital, Selligent, TradeDoubler, Triton Digital, United Internet Media, ValueClick, Verisign, Viacom International Media Networks, White & Case, Yahoo! and zanox.

IAB Europe is associated with: Advance International Media, Banner, Emediate, NextPerformance, Right Media, Tribal Fusion and Turn Europe

----- Reply message -----
From: "Nicholas Doty" <npdoty@w3.org><mailto:npdoty@w3.org>
To: "Tracking Protection Working Group" <public-tracking@w3.org><mailto:public-tracking@w3.org>
Cc: "Matthias Schunter" <mts-std@schunter.org><mailto:mts-std@schunter.org>
Subject: transitivity of DNT exceptions
Date: Wed, May 9, 2012 7:45 am



After some discussion of transitivity of exceptions on last week's call and some follow-up with Matthias, it sounds like there might be interest in specific exceptions (that might help with EU or other jurisdictions) for top-level third parties. For example, maybe a large site could more easily specify the ad networks or exchanges it works with in requesting an exception (such that those domains receive a DNT:0 opt-in signal) and then all further re-directs would also be excepted, because the further third-parties aren't using the data for any additional purposes (via some version of our Outsourcing exception, and perhaps fitting an EU "data processor" definition).

Does this sound workable for interpretations of EU law? For site or browser implementers?

Do we see other definitions of "transitivity of exceptions" that would be useful? Browsers could, for example, send DNT:0 to all resources that are re-directed from a request that was initiated with DNT:0, but that sounds both annoying to implement (for browser plug-ins, for example) and sometimes specifically not the intent of an exception (URL re-direction services, maybe).

Thanks,
Nick

(This isn't meant to duplicate Ian's action-194, though maybe it will be related.)