ACTION-157: Update logged-in consent proposal by April 24

<Normative>

Sites MAY override a user's DNT preference if they have received explicit, informed consent to do so.

<Non-Normative>

In the absence of a Tracking Preference standard, many organizations have developed direct consent mechanisms for web-wide tracking. Interactions with users to obtain consent are often contextual. For example, If a service has an obvious cross-site tracking function that the user deliberately signs up for then this could be deemed to have achieved “explicit and informed” consent from a user without directly addressing its reaction to an external Tracking Preference (which wasn’t contemplated at the time the consent experience was designed). Even in these cases, organizations should consider providing Tracking Preference references in associated product or service materials such as a privacy policy, help center, or separate notice to users.

Companies claiming public compliance with the W3C Tracking Protection standard, should not seek to obtain explicit, informed consent from users in non-obvious ways such as placing these details in their Terms of Service or deeply placed within their Privacy Center if it will not be obvious to users that the nature of the service will lead them to ignore a user’s Tracking Preference based on the nature of the consent the user is granting.

Out-of-band consent will be further reinforced in user interactions through either the Header Response or Well-Known URI approaches to replying to user Tracking Preferences. This will provide a constant reminder of prior consent on each interaction and provide a resource (link) to allow the user to understand how this consent was achieved and hopefully options to alter that consent if the user chooses to do so.