Ensuring Browser Compliance with Legally Consented Actions #91
Comments
One way to implement a tracking consent/request might be to copy the Global Privacy Control (GPC) specification and make a similar standard HTTP header that works in the opposite direction and enables browser users to request cross-context tracking. An alternate header spec could say something like,
Depending on jurisdiction and business model, browsers and sites could then use the new header to auto-populate consent strings and/or set other cross-context tracking behavior. (To avoid creating too many extra code paths to test, browsers should probably not make it easy for users to turn on both headers.)
I think this could be a viable approach @dmarti. I am not sure how granular these permissions should be since the draft requires different mechanisms, such as LinkDecoration Removal and limiting the Cookie's lifetime. But I think the most basic variant would be permission based on the (top-level?) domain. This way we could save extra code paths about the different possibilities and combinations.
@t-zuehlsdorff Looking at the user research it seems like a granular approach would not add much value -- people tend to either want cross-context personalization/tracking or not. So one "Global Personalization Control" header (or whatever you want to call it) that switches off all tracking mitigations would probably make the most sense to users.
@dmarti I think it would make the most sense to users, too. But to add some context, when dealing with a Cookie-Banner, you have an "Accept all" option that consents to everything. This is the most often used function, followed by "Decline all." But to honor the GDPR, you are legally required to give consent to every third party on a granular basis. Sometimes, this is pure nonsense because some websites have hundreds of third parties integrated. But people are going this way. Also, there are "consent groups" like "Allow all performance-related third party" or "Allow all Marketing performance-related third party." These groups basically group a number of third-party tools into a group, and if you consent to the group, you consent to every single member of it. But I am really not sure if this is legal - I am no lawyer. The situation will also change in April. Then - at least in Germany - central Consent Management Services are allowed. So you can define your consent for single third parties and this will be applied to every Website that integrates this service. You can look this up in the German TDDDG § 26 Paragraph 2.
@t-zuehlsdorff It does not sound very future-proof to depend on a nonsense implementation requiring hundreds of identifiers for third parties to track consent (and we still don't know the final status of IAB TCF in the courts). Can you explain how the central consent management service works? How does a site know that the user has central consent management and what their consent string (GPP?) is? Could the browser check the same central consent management to know when to turn off bounce tracking?
Aloha @wanderview,
moving our discussion started in #23 (comment) to here. I have also rephrased it after sleeping on the topic.
I originally used the example of the Bounce Marketing market, which developed in Germany and has been spreading internationally since last year.
In Bounce Marketing, bouncing users are redirected to further content. Bouncing users are users who visit a website but leave immediately.
I described the workflow of this in more detail here #23 (comment), but will focus on a more central question:
How can we ensure consented actions through the Standard?
Here in Europe, we have very high data protection. The GDPR requires the impacted person to allow every form of tracking or private data transfer. So if I visit a website and it wants to set a tracking Cookie, it needs my permission to do so. If some Third-Party tool is included and private data is transferred to it, this also needs permission. You can check this in §6 GDPR and §7 GDPR to start with.
This also covers technical basics. For example, if a tool is included via JavaScript, it needs permission. Loading and Calling the JavaScript will transfer my personal IP address to the Third Party, and even this is personal information I need to allow the transfer of.
Not following this legal requirement can be pursued by each person and result in high fines.
This creates scenarios, where explicit consent for Third-Party Services (Tracking, Redirects, etc.) is given, but it is suppressed by the Browser itself.
We have this already with the Chrome Browser. The user - for example - gives explicit consent to allow the Redirect by a Bounce Marketing solution, but Chrome suppresses it because no user action has happened.
The same is true for the cookie lifetime restriction in Safari. If the user consented to this cookie and its Tracking, Safari will still remove the cookie.
Following the Draft, even more mechanisms will be introduced which suppress actions a user has legally consented to. For example, these mechanisms could block redirects or limit cookie lifetimes even if the user explicitly agreed to them.
I am aware that we have here a mix of legal and technical definitions. Data protection in Europe is way higher than in most other countries (but not implemented equally through all countries). This makes violations of data privacy, even in small day-to-day cases, something you can bring to court. Also, there is a good infrastructure to handle these cases without a court, which will ensure data protection. This is of course not true for many other countries where the users would benefit from the improved data privacy provided by the Browser!
So these will end up in this central question:
How can we ensure that services the user explicitly consented to in a legal sense are allowed by the Browser itself even when the privacy settings would normally suppress these services?
One potential approach could be an exception mechanism integrated into the browser. For example, a dedicated API could allow consent management platforms to communicate explicit user consent to the browser, ensuring services are not blocked. Alternatively, browsers could offer settings where users manage specific exceptions for trusted services. Another approach could be a deeper integration of Consent Management Platforms (CMPs) into browsers. This could allow browsers to directly verify user consent provided through CMPs and respect such consent in their privacy settings.
Best,
Torsten