2017-06-09 Meeting Notes (CR Legal)

Date

2017-06-09

Note: This is a meeting of the Consent and Information Sharing Work Group.


Approved at: 2019-12-12 Meeting notes (CR) DRAFT

Agenda

0. Introductions - 10 min
2. Discuss the considerations/template started for how to specify a purpose category - 15 min
3. Using Marketing Purpose Category (in the GDPR context) - 20 min

Attendees


  • Mark Lizar
  • Andrew Hughes
  • Rachel O'Connell (guest)

  • Robert Lapes
  • David Clarke (guest)
  • Rupert Graves (guest)
  • Luk Vervenne
  • Jim Pasquale
  • Colin Wallis

Discussion Items

Introductions

  • Rupert Graves
    • AdUnity - programmatic digital advertising agency
    • Preparing for GDPR - keen to get standards established in time for May 2018
  • Rachel O'Connell
    • Trust Elevate - Trust services consultancy
    • Author of BSI standard of age-related attribute verification
      • Working on Parental relationship - to meet the GDPR requirement for Verified Parental Consent
  • David Clarke
    • Working with others here on GDPR - Security Assessment Expert

Purpose Category Document Draft Discussion

  • Mark gave an overview of the document
  • Seeking to define a kind of code table or taxonomy to describe Purpose categories and sub-categories
  • Q: Is there currently an industry practice or standard for these purposes? A: No - typically too broadly stated
  • Rupert: the drafted list from CR spec is pretty good
  • Rachel: need to add age-related marketing purposes
  • The question of "Legitimate Interest"
    • Under GDPR, Direct Marketing does have a legitimate interest for use of PII
    • For Targeted Marketing, it implies that consent is required.
    • Rupert sees that these points lie on a spectrum
      • Believes that most orgs will end up using consent, even though there may be a case to be made to use 'legitimate interest'
    • David - this is intertwined with the PECR (Privacy in electronic communication Regulation) - there have been surprises - http://www.legislation.gov.uk/uksi/2003/2426/contents/made
  • Advertising Fraud
    • In the US, the Digital Advertisers Alliance has a code of practice and definitions
      • They have defined 'Ad Delivery' - counting and fraud monitoring - a specific carve-out
      • For GDPR this carve-out is not valid
    • There's a copy-paste European Digital Advertisers Alliance - same carve-out
    • Should 'Online Behavioural Advertising' be a legitimate interest? A: too broad and can be defined in any way
      • The current list of behaviours in the CR spec is relative to the particular stakeholders - which is the right approach.
      • There is a specific list of stakeholder types in digital advertising - the only complexity might be if a party has more than one type - but then it might actually require multiple purposes
    • For Age-related - we should reference Article 8 (13 and under requires parental consent). Over 13 there are specific topics that have age bands - e.g. ads for lottery tickets.
      • Countries may choose the specific age trigger - UK going for U13
    • Perhaps there should be an 'Adult' age band for each of the purpose categories, then some for non-adults
      • Robert: this is a pattern for delegated grant of consent
      • Rupert - the conditionals probably apply in practice at the Purpose level

Action Items

  • Mark: Provide contribution in form of instructions for a use case to WG/Rachel, Rupert, David to work out how to define purpose categories and a purpose category taxonomy.
  • Mark: Make Comment for Purpose Category Contribution with this input into GitHub issues