- From: Justin Brookman <jbrookman@cdt.org>
- Date: Wed, 25 Jun 2014 09:43:55 -0400
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: public-tracking@w3.org
- Message-Id: <C9F5B8F5-98E9-4AFB-8E20-913C6B660294@cdt.org>
I think this is already addressed in the draft. Right after the language about what third parties can't do when DNT:1 is set (which we're currently debating), there's already this language:

A third party to a given user action may nevertheless collect and use such data when:

- a user has explicitly-granted an exception, as described below;
- data is collected for the set of permitted uses described below; or,
- the data is de-identified as defined in this recommendation

On Jun 25, 2014, at 9:40 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:

> Sure, if it is redundant and nobody else wants it in I am fine with taking it out (the stuff about exceptions is redundant also). I think there should be some mention of OOBC in the TCS (as it's talked about in the TPE), but maybe it should be in the introduction.
>
> What about the permitted use phrase? That could also just be referred to in its own section?
>
> mike
>
>> -----Original Message-----
>> From: Dobbs, Brooks [mailto:Brooks.Dobbs@kbmg.com]
>> Sent: 25 June 2014 14:25
>> To: Mike O'Neill; 'Alan Chapell'; 'Walter van Holst'; public-tracking@w3.org
>> Subject: Re: ISSUE-219 (context separation)
>>
>> I have that, but when does OOBC not override a compliance requirement? Assuming OOBC trumps any requirement, which I can’t think of an argument why it wouldn’t, I’m still not sure what this adds?
>> --
>>
>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
>> brooks.dobbs@kbmg.com
>>
>> This email including attachments may contain confidential information. If you are not the intended recipient, do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.
>>
>> On 6/24/14, 5:32 PM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:
>>
>>> Hi Brooks,
>>>
>>> The “other than with their explicit consent” phrase is to cover OOBC. A party may have obtained consent elsewhere but has not for some reason used the UGE. For example they might have an authentication cookie after a login (and they explained during the login that consent was being given for cross-context tracking).
>>>
>>> If they use the UGE they get DNT:0 anyway so this section does not apply.
>>>
>>> Mike
>>>
>>>> -----Original Message-----
>>>> From: Dobbs, Brooks [mailto:Brooks.Dobbs@kbmg.com]
>>>> Sent: 24 June 2014 21:18
>>>> To: Alan Chapell; Walter van Holst; public-tracking@w3.org
>>>> Subject: Re: ISSUE-219 (context separation)
>>>>
>>>> Question…
>>>> Just for purpose of mental processing isn’t this statement more succinctly written.
>>>> “the third party MUST NOT use data gathered in another context about the user.”
>>>>
>>>> Adding “other than with their explicit consent” adds nothing substantive as I can’t imagine the compliance spec is ever meant to undermine the explicit consent of the user
>>>> And adding “or for permitted uses as described within this recommendation” also is just fluff as there shouldn’t be a case where permitted uses aren’t explicitly permitted.
>>>>
>>>> Just to be clear, and per Alan’s comment, I would read that simpler text to mean that a 3rd party couldn’t use data collected in a 1st party context, but it isn’t clear that a 1st party who later appears in a 3rd party context couldn’t use data?
>>>>
>>>> -Brooks
>>>>
>>>> --
>>>>
>>>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
>>>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
>>>> brooks.dobbs@kbmg.com
>>>>
>>>> On 6/24/14, 3:52 PM, "Alan Chapell" <achapell@chapellassociates.com> wrote:
>>>>
>>>>> Hi Walter -
>>>>>
>>>>> This language doesn't seem to address a first party acting in a third party context. Was that by design?
>>>>>
>>>>> I strongly support re-inserting the language around first parties not being able to use data outside the Context in which it was collected.
>>>>>
>>>>> Alan
>>>>>
>>>>> On 6/24/14 3:29 PM, "Walter van Holst" <walter.van.holst@xs4all.nl> wrote:
>>>>>
>>>>>> On 24/06/2014 17:57, Ninja Marnau wrote:
>>>>>>> Hi John, hi Mike,
>>>>>>>
>>>>>>> we will probably start a Call for objections on the topic of context separation this week. Could you take a look at Walter's proposal to see whether it does reflect your text for data append and first parties: "A Party MUST NOT use data gathered while a 1st Party when operating as a 3rd Party."
>>>>>>>
>>>>>>> Here is the link to Walter's text:
>>>>>>> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context#Proposal_2:_Prohibit_use_of_data_collected_as_any_type_of_party
>>>>>>>
>>>>>>
>>>>>> Mike, John and I have had a fruitful discussion, which resulted in a more precise wording of what I wanted to achieve and I have updated the text accordingly to:
>>>>>>
>>>>>> "... the third party MUST NOT use data gathered in another context about the user, other than with their explicit consent or for permitted uses as defined within this recommendation."
>>>>>>
>>>>>> I feel this is a make-or-break issue for the compliance specification which on top of the privacy issue also has competition implications. A strong separation between 1st and 3rd party roles is a must for this compliance specification to be credible.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Walter
Received on Wednesday, 25 June 2014 13:44:24 UTC