Privacy/TPWG/Compliance Last Call Comments
From W3C Wiki
- editorial corrections/suggestions from timeless
- internationalization question about Accept-Language header
interaction with laws/regulations
- suggests "This specification does not override regulatory terminology, and as such, compliance with this specification does not mean compliance with the law and/or regulations."
- interpretation of DNT:0 (Art 29)
- suggests in de-identification "In cases where the process of de-identification of (personal) data is not properly assessed against privacy risks and the possibility of identification of users cannot be excluded, compliance with this specification does not mean compliance with other legislative law and/or regulations."
- suggests in out-of-band consent: "Out of band consent MUST be obtained in an unambiguous manner and specific to the intended purpose. Data collected with out of band consent MUST only be used for that specified purpose."
- covering collection as well as use and sharing [isn't this already included?]
first and third party interactions
- covering 1st party interactions Markey, Barton, Franken on 1st party interactions
- Turn Inc. re-iterates comments from others on 1st/3rd distinction
- EFF recommends by sub-domain rather than 1st/3rd distinction
- EFF raises concerns about permitted uses:
- specific mechanisms (fingerprinting, super cookies)
- frequency capping and billing auditing
- reasonableness standard about retention