Proposed text for W3C Tracking Protection Compliance ISSUE-15 from Paddy Underwood on 2011-12-22 (public-tracking@w3.org from December 2011)

From: Paddy Underwood <paddy@fb.com>
Date: Thu, 22 Dec 2011 19:24:36 +0000
To: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CB18C397.12DD6%paddy@fb.com>
Below is the proposed language for Issue-15.  Jeffrey has voiced concern that the proposal is "problematic in terms of ensuring youth are protected under a DNT system."  He proposes: "that even when a DNT signal is not on, a website that knowingly primarily targets a child should assume its DNT:1 unless informed otherwise.  Same for sites that specifically primarily target teens."  See details of our discussion below.

Description:
     I wasn't sure that this part of the template was relevant for ISSUE-15..

Specification:
             The DNT:1 header does not require special treatment for children because DNT:1 means
             no tracking regardless of whether the user is a child or not.  Note that operator handling of children's
             data may also be governed by local laws and regulations, such as COPPA in US.

Examples and use cases:
     An child using a browser with DNT:1 visits a website.   By default, the website does not know that
             the user is a child.   Since it sees DNT:1 it records no data about the user (subject to the exceptions in this spec).

Thanks,
Paddy

NOTICE:  This email (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege.  Unless you are the intended recipient, you may not use, copy, or retransmit the email or its contents.


From: Jeffrey Chester <jeffreychester@me.com<mailto:jeffreychester@me.com>>
Date: Thu, 15 Dec 2011 14:34:43 -0500
To: "Leung, Ted" <Ted.Leung@disney.com<mailto:Ted.Leung@disney.com>>
Cc: Patrick Underwood <paddy@fb.com<mailto:paddy@fb.com>>
Subject: Re: Proposed text for W3C Tracking Protection Compliance ISSUE-15

Send it by please note I have raised concerns and I find this proposal problematic in terms of ensuring youth are protected under a DNT system.  Btw, since I got COPPA passed in 1998.  It has nothing to do with teens.  They are on a separate policy track that doesn't involve COPPA at FTC, but is included in the Markey/Barton legislation.


On Dec 15, 2011, at 2:28 PM, Leung, Ted wrote:

Some thoughts on process and then the text.

Paddy and I were asked to propose some text as a starting point for a discussion in the WG.   Jeffrey, I understand that you disagree with the current text, and I suspect that there will be others in the WG that share your opinion.   I'm equally sure that others in the WG will be closer to Paddy and myself, so I think that the next step for us is to send this text to the WG and have the discussion there.

On the text,  what you are proposing, DNT for everyone under 17, is actually stronger that the FTC's proposed COPPA revisions.  When I discussed this with our policy folks, our feeling was that this type of policy should be dictated by regulatory process and not encoded in a W3C specification.   I recognize that you might disagree with this, but I at least wanted to make my rationale clear.

I propose that Paddy send the text (I am fine with the edits) to the WG per Aleecia's assignment, where we can include any other interested parties from the WG in the discussion.

Thanks,
Ted

From: Jeffrey Chester <jeffreychester@me.com<mailto:jeffreychester@me.com>>
Date: Thu, 15 Dec 2011 11:06:36 -0800
To: Paddy Underwood <paddy@fb.com<mailto:paddy@fb.com>>
Cc: "Leung, Ted" <Ted.Leung@email.disney.com<mailto:Ted.Leung@email.disney.com>>
Subject: Re: Proposed text for W3C Tracking Protection Compliance ISSUE-15

We should establish DNT for all youth, under 17, as the baseline. It then can be modified based on jurisdictional policy.

On Dec 15, 2011, at 2:02 PM, Paddy Underwood wrote:

I disagree, websites are subject to a number of regulations in their own jurisdiction w/r/t children's data.  Most of which require parental consent, and in the EU (according to the Working Party's latest recommendation) sites aren't allowed to process <13 yo data for OBA purposes.  I don't see any reason why the DNT standard should dictate what is acceptable for children.  I think Ted had this right, if DNT is enabled, no tracking.  If not, that data is still subject to a number of laws protecting children online.

Thanks,
Paddy

NOTICE:  This email (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege.  Unless you are the intended recipient, you may not use, copy, or retransmit the email or its contents.


From: Jeffrey Chester <jeffreychester@me.com<mailto:jeffreychester@me.com>>
Date: Thu, 15 Dec 2011 08:36:39 -0500
To: Patrick Underwood <paddy@fb.com<mailto:paddy@fb.com>>, Ted Leung <Ted.Leung@disney.com<mailto:Ted.Leung@disney.com>>
Subject: Re: Proposed text for W3C Tracking Protection Compliance ISSUE-15

Thanks.  We need to write this to address DNT for both children and adolescents (everyone under 17).  That would configure to EU policies and also reflect the US debate.

The DNT default should be set on all sites whose primary audience is children and teens (as defined by comScore or other key services).  So no tracking on those sites.




On Dec 14, 2011, at 8:39 PM, Paddy Underwood wrote:

Comments inline below in red.

Thanks,
Paddy

NOTICE:  This email (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege.  Unless you are the intended recipient, you may not use, copy, or retransmit the email or its contents.


From: "Leung, Ted" <Ted.Leung@disney.com<mailto:Ted.Leung@disney.com>>
Date: Wed, 14 Dec 2011 14:34:49 -0800
To: Patrick Underwood <paddy@fb.com<mailto:paddy@fb.com>>
Cc: Jeffrey Chester <jeffreychester@me.com<mailto:jeffreychester@me.com>>
Subject: Proposed text for W3C Tracking Protection Compliance ISSUE-15

Hi Paddy,

Here is the text I am proposing for ISSUE-15.  I'm also copying Jeffrey Chester, per his earlier email.

Thanks,

Ted Leung

----------------------------------------------------------------------

Issue number: Issue-15
Issue name:   What special treatment should there be for children's data?
Issue URL:    http://www.w3.org/2011/tracking-protection/track/issues/15
Section number in the FPWD: 4.4
Contributors to this text:
Draft: Ted Leung

Description:
     I wasn't sure that this part of the template was relevant for ISSUE-15..

Specification:
             The DNT:1 header does not require special treatment for children because DNT:1 means
             no tracking regardless of whether the user is a child or not.  Note that operator handling of children's
             data may also be is additionally governed by local legislation laws and regulations, such as COPPA in US.  [PU: To make it more of a heads-up than a part of the spec.]

Examples and use cases:
     An child using a browser with DNT:1 visits a website.   By default, the website does not know that
             the user is a child.   Since it sees DNT:1 it records no data about the user (subject to the exceptions in this spec).
             Any data which is allowed by the exceptions but forbidden by COPPA (assuming that the user is in the US) is
             forbidden due to the regulations.  [PU: I don't think this sentence is necessary.  If a website is careful enough to make any effort to comply with DNT, they're most certainly buttoned up on local privacy regulations (such as COPPA).  This is a stylistic suggestion, I think the Spec looks good otherwise.]
Received on Thursday, 22 December 2011 20:41:42 UTC