rvaneijk
commented
6 years ago We should take the EU use case for a web wide opt-out for the purpose of audience measurement (aka web analytics) into account. We discussed the opt-out on many occasions, e.g. the global considerations taskforce in Berlin (2013). The current development is that the approach for web analytics is a carefully balanced one. The text of the LIBE compromise amendments for the ePR is as follows:
Article 8 Protection of information transmitted to, stored in, related to, processed by and collected from users’ terminal equipment
- The use of processing and storage capabilities of terminal equipment and the collection of information from users’ terminal equipment, including about its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: (...) (d) if it is technically necessary for measuring the reach of an information society service requested by the user, provided that such measurement is carried out by the provider or on behalf of the provider, or by a web analytics agency acting in the public interest including for scientific purpose; that the data is aggregated and the user is given a possibility to object; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; Where audience measuring takes place on behalf of an information society service provider, the data collected shall be processed only for that provider and shall be kept separate from the data collected in the course of audience measuring on behalf of other providers; or (...)
See also the thread on public-tracking-comments: https://lists.w3.org/Archives/Public/public-tracking-comments/2017Oct/0022.html
michael-oneill
royfielding
As industry has engaged further on preparations for GDPR compliance - and possible extensions of that compliance by drafts of ePR - a new likely requirement has emerged to allow DNT to be a viable solution in the EU marketplace - purpose level preferences. To date, it was thought by the TPWG that preferences tracked at the user / publisher / 3rd party levels would cover our needs. These are expressed in the current CR as a User Granted Exception at the site-wide level with a duple domain containing the first party domain (publisher) and the third parties domain (or web-wide with just the 3rd party domain). With the growing understanding now that a purpose tier will likely need to be added it is requested that the DNT standard be updated to support this critical element to be a viable option in the EU marketplace.
Purpose level consent maps to specific forms of data processing that each require individual consent from a data subject. For example, possible purposes could be "interest based advertising" or "cross-device mapping".
How to address this in the TPE? One path to support would be to add a purpose array to the UGE API calls. The current duple structure would be expanded to allow for the purpose array: (origin domain, 3rd party domain, purpose array). This would allow the following result:
Site-Wide: User / Publisher / 3rd Party / Purpose Web-Wide: User / 3rd Party / Purpose
While it would be "nice" to have the full consent scope returned in the page request header (DNT:0|1, 2, 4) this is not a hard requirement. As long as the purpose array can be client-side queried by local JS prior to calling the 3rd party ad server, then this can be passed along as part of the ad call.
This is only one possible example of a path to fulfill the market need. There are likely many other possible technical options to consider to support the same purpose level preference so hopefully this is the start of those discussions.
Shane Wiley VP, Privacy Oath: A Verizon Company