Cookie Use Case - For Consent Tag

  1. Cookies Use Case - Submitted by Par Lannero

 

**************************

The cookielaw problem

-----------------------------------

The E-privacy directive required all EU member states to enact laws obliging website owners to inform visitors about, and ask them for consent to, any cookies they want to set. The intent was honourable: consumers should know about, and have some control over, the moments when they are confronted with technologies that can be used for tracking.

Unfortunately, web browsers have no useful built-in features for displaying descriptive information about cookies, nor controls for dynamically accepting or rejecting cookies on the basis of such information. Therefore, in order to follow the law, website owners must either make information about cookies the very first thing they communicate to visitors, or sacrifice every feature that requires cookies (such as behavioural advertising and modern usage analytics). Hence the problem: most website owners break the law by not asking for consent, and those who do ask suffer a worse user experience. While privacy certainly is important, most users would probably benefit from not having to confront the issue several times per day as they move around the web.

 

A Consent Tag?

-----------------------------------

On the initiative of Mark Lizar and a few other people on the OpenNotice mailing list, work has begun on a specification for a so-called “Consent Tag” or “Consent Transaction Token”. The OpenNotice group is determined to fix the currently broken infrastructure around notice and consent on the web, i.e. the fact that users have to agree to terms & conditions whose content they are not, in practice, aware of (and are thus forced to tell the Biggest Lie on the internet: “Yes, I have read and agree”). A consent tag is one of several building blocks that we think are needed to fix the Biggest Lie problem.

 

The basic idea is that whenever you are bound by any kind of terms & conditions (privacy policy, terms of service, terms of use, purchase conditions…) there should be a standardized way for you to get hold of metadata about those conditions. The current draft of the specification defines a number of fields, including:

·      Company name (who are you contracting with?)

·      Applicable jurisdiction

·      URL to full Privacy Policy

·      URL to cookie policy

It is still under discussion how the Consent Tag should be made discoverable by the user agent (web browser). Several well-explored options already exist. For example, a reference could be put in an HTML meta element, or in a text file at a standardized relative location on the web server (similar to robots.txt).

 

A consent tag would enable, for example:

·      Users can automatically log all contracts they are entering

·      Which, in turn, should facilitate automatic monitoring of changes to contracts that they are still bound by (via services such as TOSBack)

·      Easy access to contracts via buttons/menu options in browser

·      Possibility to retrieve relevant terms & conditions even before visiting the site (eg, in connection with a search result listing)

 

How can a Consent Tag solve the cookielaw problem?

-----------------------------------

Consider having the following two fields in a consent tag:

·      Does visiting this website set cookies that require consent? (Yes/No)

·      At what URL can information about those cookies be retrieved?

A web browser (possibly via a browser plugin) could request the consent tag before requesting the page itself. If the first field is Yes, the page with information about the cookies could be retrieved and displayed to the user without accepting any cookies.

 

User settings in the browser could specify, for example, that:

·      cookie information should be displayed by default before entering a website whose consent tag is not already logged as acceptable

·      cookies should not be accepted for websites until a consent tag has been logged for that website

·      cookies should be accepted, and a cookie-info button enabled when a consent tag is available, for further exploration if the user feels like it

·      the cookie-info button should turn into a warning sign if there’s no consent tag available

 

If such an infrastructure were to become a standard, website owners could comply with the EU cookie law simply by making sure they have information about their cookies at a specific URL AND putting a consent tag on every server/page.

 

What does the EU want?

-----------------------------------

The EU is very much aware of the problem, and has been approaching both browser makers and web standardization groups to push for better built-in support. Most notably, the Tracking Protection working group has been addressed by commissioner Neelie Kroes, who wanted[1] to see DNT developed to meet the requirements of the e-privacy directive.

 

Differences from P3P and DNT

-----------------------------------

You might comment that P3P was a consent tag that failed to get adoption. Yes, in a way that is true. However, P3P is complex, requiring website owners to specify their privacy practices according to a detailed codification system. A consent tag is much more lightweight, and therefore cheaper for website owners to implement correctly, and more flexible because there is no taxonomy of static codes. Instead it focuses on pointing at free-text information in human-readable format.

 

You may also ask why this could work when DNT doesn’t seem to. The consent tag is a receipt from the provisioning of consent, whereas Do Not Track is a signal at the browser level/layer. DNT is a binary on/off signal, and therefore of little use for customising consent and sculpting the experience. With DNT you either accept all tracking or you don’t. Users who actually trust the big players may want to allow tracking.

 

Cases

-----------------------------------

For the above ideas to be useful, the following cases must be dealt with nicely, at least:

·      Website offers consent tag. First time visit. User approves of cookies as described in the text pointed out by the tag.

·      Website offers consent tag. First time visit. User disapproves of cookies as described in the text pointed out by the tag.

·      Website offers consent tag. Second visit. Last time, user approved.

·      Website offers consent tag. Second visit. Last time, user disapproved.

·      Website offers consent tag. Information in tag is false. User approves.

·      Website offers consent tag. Information in tag is false. User disapproves.

·      Website offers consent tag, but user agent unaware.

·      Website does not offer consent tag.

Combinations with different DNT settings should also be explored…
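The browser-side logic implied by the user settings above and by this list of cases, written out as an added example (not code from the OpenNotice draft). The field names of the consent tag, the origin-keyed log and the three setting names are assumptions; the draft names the fields but fixes no format.

```javascript
// Assumed consent tag shape; the values are constructed samples.
const exampleTag = {
  company: "Example Ltd",
  jurisdiction: "SE",
  privacyPolicyUrl: "https://example.test/privacy",
  cookiePolicyUrl: "https://example.test/cookies",
  cookiesRequireConsent: true, // "cookies that require consent? (Yes/No)"
  cookieInfoUrl: "https://example.test/cookies#details",
};

// Fingerprint of a tag, so a logged tag that has since changed is noticed
// (the "monitoring of changes to contracts" point, cf. TOSBack).
function fingerprint(tag) {
  return JSON.stringify(Object.keys(tag).sort().map((k) => [k, tag[k]]));
}

// log: Map origin -> { fp, approved } from the user's last decision.
// settings: showInfoBeforeEntry, blockUntilLogged, warnIfMissing (assumed names).
// The agent cannot tell whether a tag's information is false; it only logs
// exactly what was shown, so the record exists if that is discovered later.
function decideCookieHandling(origin, tag, log, settings) {
  if (tag === null) {
    // No tag offered (or agent could not find one): nothing to show,
    // cookies only if the user does not block unlogged sites.
    return {
      acceptCookies: !settings.blockUntilLogged,
      showInfoUrl: null,
      button: settings.warnIfMissing ? "warning" : "none",
    };
  }
  if (!tag.cookiesRequireConsent) {
    return { acceptCookies: true, showInfoUrl: null, button: "info" };
  }
  const prior = log.get(origin);
  if (prior !== undefined && prior.fp === fingerprint(tag)) {
    // Second visit, identical tag: replay the earlier decision silently.
    return { acceptCookies: prior.approved, showInfoUrl: null, button: "info" };
  }
  // First visit, or the tag changed since it was logged: treat as unknown.
  return {
    acceptCookies: !settings.blockUntilLogged,
    showInfoUrl: settings.showInfoBeforeEntry ? tag.cookieInfoUrl : null,
    button: "info",
  };
}

// Called once the user has read the cookie information and decided.
function recordDecision(origin, tag, approved, log) {
  log.set(origin, { fp: fingerprint(tag), approved });
  return log;
}
```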

 

I am sure there are challenges other than technical/specifications that will confront any initiative that can disrupt the way users are being tracked on the web today. So even if the above does indeed work, it may be impossible to standardize. But at least, if it works it should be documented.

 

[1] http://www.out-law.com/en/articles/2012/january-/time-running-out-for-standardised-do-not-track-system-to-be-agreed-commissioner-says/