Re: Action-157: Update logged-in consent proposal

Justin,

Your cite of the Sears case is probably not an appropriate example for these
purposes. Trackware is an entirely different animal (at least in the U.S.)
from most other forms of tracking for a whole host of reasons.

And in some respect, that's the crux of the issue I have with your argument.
Regulators in different jurisdictions may choose to evaluate different type
of consent mechanisms differently based upon context, historical practices,
consumer culture, and perhaps other facts that I haven't listed. And its a
bad idea for this group to try to create pan-world standards for consent.


Cheers,

Alan Chapell
Chapell & Associates
917 318 8440


From:  Justin Brookman <justin@cdt.org>
Date:  Wednesday, May 9, 2012 12:16 PM
To:  "public-tracking@w3.org" <public-tracking@w3.org>
Subject:  Re: Action-157:  Update logged-in consent proposal
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Wed, 09 May 2012 16:16:46 +0000

    
 
 On 5/8/2012 3:08 AM, Roy T. Fielding wrote:
>  
>  
> On May 7, 2012, at 8:32 PM, Justin Brookman wrote:
>  
>  
>>  
>> 
>>  You say that this language is not necessary for interoperability.  I'm
>> saying that the language (or comparable language) is necessary to accomplish
>> the stated mission of this working group, which is to improve user privacy
>> and user control over tracking.
>>  
>>  
>  
> 
>  
>  We can completely remove it from the spec and it would not lower
>  
> the user's privacy nor remove control over tracking. If a site has
>  
> the user's consent to do something, then by definition the site
>  
> does not violate the user's control by doing that something.
>  
> It is the site's responsibility to ensure that it has consent
>  
> to override DNT before it does so.
>  
 
 Perhaps this the crux of our disagreement.  You believe that so long as a
company has legally valid consent to track, then by definition there can be
no privacy concerns.  I would like to believe this is the case, but I think
history has shown that dense contracts of adhesion can be used to obtain
what is arguably legal consent to privacy violations that a user doesn't
want or understand.  The FTC's Sears settlement is a good example --- there,
Sears included a contractual term within a long contract that reserved broad
rights to track a user's web activity.  Legally speaking, that may well have
been consent, but the FTC said that Sears nevertheless violated deceptive
practices by failing to clearly and conspicuously disclose the practice in a
clear and conspicuous manner outside of the contract.  However, the case was
never litigated.
 
 Here, I do believe that if a company only asserted the ability within a
EULA or privacy policy user consent to track despite a clear user
instruction not to track, then that consent would be invalid or the practice
would be otherwise illegal, but the law is far from settled.  There is at
least an argument that the practice would not be illegal in some
jurisdictions, though I think most of us are agreed that it would constitute
a clear violation of user's privacy and expectations.
 
 As we have all agreed several times now, we cannot change law, but we can
set a standard that protects user privacy.  I do not believe that requiring
express, informed consent (or permission, whatever) to ignore the DNT signal
and providing a couple of what are non-controversial examples of what that
means adds any uncertainty for companies --- to the contrary, the existing
legal regime(s) on consent and reasonably expectations of privacy are
extraordinarily vague and confusing as is.  If there are *any* use cases
that you think this language limits, please explain them.
 
 Again, I fail to see how providing an example that notice only in a privacy
policy is not express, informed consent (permission) for this spec is
burdensome or undesirable.  And it would have the clear benefit of giving
guidance to potentially deceptive actors and some confidence to consumer
advocates that this spec will actually achieve its goals.