2017-06-09 Meeting Notes (CR Legal)

Date

2017-06-09

Note: This is a meeting of the Consent and Information Sharing Work Group.

 

Approved at: 2019-12-12 Meeting notes (CR) DRAFT

Agenda

0 - Introductions - 10 min 

1. Review the contribution of specifying a purpose category - 15 min

2. Discuss the considerations/template started for how to specify a purpose category - 15 min

3. Using Marketing Purpose Category (in the GDPR context) - 20 min

Attendees

 

  • Mark Lizar

  • Andrew Hughes

  • Rachel O'Connell (guest)

  • Robert Lapes

  • David Clarke (guest)

  • Rupert Graves (guest)

  • Luk Vervenne

  • Jim Pasquale

  • Colin Wallis

Discussion Items

Introductions

  • Rupert Graves

    • AdUnity - programmatic digital advertising agency

    • Preparing for GDPR - keen to get standards established in time for May 2018

  • Rachel O'Connell

    • Trust Elevate - Trust services consultancy

    • Author of BSI standard of age-related attribute verification

      • Working on Parental relationship - to meet the GDPR requirement for Verified Parental Consent

  • David Clarke

    • Working with others here on GDPR - Security Assessment Expert

Purpose Category Document Draft Discussion

  • Mark gave an overview of the document

  • Seeking to define a kind of code table or taxonomy to describe Purpose categories and sub-categories

  • Q: Is there currently an industry practice or standard for these purposes? A: No - typically too broadly stated

  • Rupert: the drafted list from CR spec is pretty good

  • Rachel: need to add age-related marketing purposes

  • The question of "Legitimate Interest"

    • Under GDPR, Direct Marketing does have a legitimate interest for use of PII

    • For Targeted Marketing, it implies that consent is required.

    • Rupert sees that these points lie on a spectrum

      • Believes that most orgs will end up using consent, even though there may be a case to be made to use 'legitimate interest'

    • David - this is intertwined with the PECR (Privacy in electronic communication Regulation) - there have been surprises - http://www.legislation.gov.uk/uksi/2003/2426/contents/made

  • Advertising Fraud

    • In the US, the Digital Advertisers Alliance have a code of practice and definitions

      • they have defined 'Ad Delivery' - counting and fraud monitoring - a specific carve-out

      • For GDPR this carve-out is not valid

    • There's a copy-paste European Digital Advertisers Alliance - same carve-out

    • Should 'Online Behavioural Advertising' be a legitimate interest? A: too broad and can be defined in any way

      • The current list of behaviours in the CR spec is relative to the particular stakeholders - which is the right approach.

      • There is a specific list of stakeholder types in digital advertising - the only complexity might be if a party has more than one type - but then it might actually require multiple purposes

    • For Age-related - we should reference Article 8 (13 and under requires parental consent). Over 13 there are specific topics that have age bands - e.g. ads for lottery tickets.

      • Countries may choose the specific age trigger - UK going for U13

    • Perhaps there should be an 'Adult' age band for each of the purpose categories, then some for non-adults

      • Robert: this is a pattern for delegated grant of consent

      • Rupert - the conditionals probably apply in practice at the Purpose level

Action Items

  • Mark: Provide contribution in form of instructions for a use case to WG/Rachel, Rupert, David to work out how to define purpose categories and a purpose category taxonomy.

  • Mark: Make Comment for Purpose Category Contribution with this input into GitHub issues