Re: ACTION-152 - Write up logged-in-means-out-of-band-consent from Rigo Wenning on 2012-04-02 (public-tracking@w3.org from April 2012)

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 02 Apr 2012 18:21:34 +0200
To: Alan Chapell <achapell@chapellassociates.com>
Cc: public-tracking@w3.org, Jeffrey Chester <jeff@democraticmedia.org>, Shane Wiley <wileys@yahoo-inc.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>, John Simpson <john@consumerwatchdog.org>
Message-ID: <9072285.LzoQlEnJLY@hegel.sophia.w3.org>

Alan, 

I see, and because of the lack of understanding, your remark below is a 
logic consequence. Let me try again: 

On Monday 02 April 2012 11:40:28 Alan Chapell wrote:
> I'm having a hard time understanding some of your arguments. You say the
> group should not be creating standards for consent. And then you also say
> that we are creating a consent requirement - and one which others have
> indicated should be outlined in considerable detail. Sorry, but I'm afraid
> you've lost me.

If we write into the Specification that out of band agreements trump DNT, 
then the Specification can also contain requirements on what "out of band 
agreement" could possibly mean for our _Specification_. Because all we 
define is a Specification you can comply to or not. We do not define any law 
here.

So the definition of consent (if any) is scoped to DNT and DNT compliance, 
not to data protection in general. This scope is _very_ important to the 
further understanding.

We could also be silent on out of band agreements. They may legally trump 
DNT in some jurisdictions. And in others they wouldn't. Or the out of band 
agreements would have some requirements in some jurisdictions. This would 
not affect DNT compliance. In this case, tracking despite DNT=1 by claiming 
an out of band agreement would be eventually legally clean, but not DNT 
compliant. 
> 
> And I don't believe we are here because regulators are unable to determine
> standards of fairness for their jurisdiction. If the goal is to set out a
> detailed level of requirements around 'consent' that will work in every
> jurisdiction, then I think we're in for a long discussion that will push
> the development of our spec out several months.

1/ JC already made a really good suggestion for compromise
2/ we can always fall back to saying nothing or saying that out of band 
agreements trigger a special response header. On browsers to decide how to 
react in this case. 

Again, this is NOT defining any form of "legal consent" for the world. It is 
just defining compliance with a rather small Specification. Wiggling out of 
DNT with a click-wrap and still claim DNT compliance is not an option either 
IMHO.

Best, 

Rigo

Received on Monday, 2 April 2012 16:22:08 UTC