W3C discussions ponder how to control user data and personal identifiers: Technology, governance or both?

Privacy Beat

Your weekly privacy news update.



Two W3C discussions ponder how to control user data and personal identifiers: Technology, governance or both?

Two World Wide Web Consortium (W3C) discussion groups continued to struggle with how to control the use of personal identifiers on the web, minutes of meetings Oct. 14-15 show.

One approach discussed by both the W3C Privacy Community Group and the W3C Federated Identity Community Group is to have web browser software  limit the data that can be stored in the browser and used across multiple sites.

Another approach is to consider looser technical restrictions, but impose legal or governance requirements on data use or sharing, rather than blocking the data itself.  Is there a “web-wide-scale way to enforce policy,” as one participant observed?

“We (Apple) prefer technical restrictions,” Apple engineer John Wilander told privacy-group colleagues, according to public minutes (also found HERE)  of the 16-participant, Oct. 14 privacy-group meeting. “It should not be possible to track users — we don’t think it’s manageable to handle public statements or policies on a web-wide global scale.  We haven’t seen anyone be able to enforce a policy globally.” Wilander’s view is that the browser software should perform as a “user agent” but cannot be responsible for server-side tracking.

“If it’s information about a person, it needs to be restricted in some way,” added Baycloud’s Michael O’Neill, the minutes report. “Hard for a piece of software to determine whether something is used for personal data.  It’s an insoluble problem.”

Facebook’s Eric Taubeneck said he agreed generally with O’Neill and wondered how technology would be able to distinguish between strings of data added to a transmitted URL (a “query string” or “link decoration”) represented an encoded personal identifier, or just information about data or objects on a website — such as shopping-cart information.

“If a browser were to intervene against things that appeared to be personally identifiable, how good is that?” asked the Washington Post’s Aram Zucker-Scharff, according to the minutes.

” I think it’s very difficult to solve problem technically without putting significant damage to things that are entirely appropriate and necessary uses of the web, distillery’s Brian May said, according to the minutes. ” Maybe we need to make a well-lit path for how to do things in ways that are private, encourage people to do those.”

Salesforce’s Kris Chapman suggested group focus should be on how to obtain consent from the end user for the use or sharing of personal data. “I would personally prefer education than trying to block things in the (browser) client,” the minutes report her saying.

Another participant, Google Chrome’s Jeffrey Yaskin said one approach would be to block transmission of data that is not explicitly being sent for a purpose within the user’s explicit consent.

Although its charter is somewhat different, participants in the federated-identity W3C group, meeting Oct. 15, are also grappling with how technology should be used to address privacy and identity, minutes show. (also found HERE).

“The urgent issue is making sure that use cases that are working continue to work while trying to improve the experience for those users who would like to protect their privacy,” observed Vittorio Bertocci, of Auth0|Okta, the identity-service provider.  An online poll of of the group’s participants, found them almost evenly split 50:44 over whether current cross-site “federated identity” protocols are OK or whether some aspects should be intentionally blocked, or technically “broken.”

“Privacy is not just technical, the federated ID group’s minutes note GEANT’s Christos Kanellopoulos saying. “Looking at solving privacy with just technical means is not sufficient. There is also a legal aspect.’

The federated identity group is beginning to share examples of “use cases” for cross-site user-data sharing. For example, Achim Schlosser has shared the start of a description of European Net ID Federation’s service established  as a collaboration among German publishers. Schlosser is its CTO and a board member.




Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More






ACLU back Massachusetts Information Privacy Act; retailers oppose at hearing because of private suit right

Retailers came forward at a hearing to oppose a bill in the Massachusetts Legislature that would impose significant notice and consent requirements around collection of some times of consumer data.  The American Civil Liberties Union of Massachusetts supports and testified in favor of the bill at a hearing on Oct. 14. The bill remains in committee awaiting action.


Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Marketing Brew’s drawing of third-party cookies at work






Cameron Kerry: How a limited private right of action provides a path to passing a federal privacy law

  • The following excerpt is from a Brookings Institute post by Cameron Kerry, a lawyer and expert on digital-privacy law who has been following for more than a year machinations in Congress toward passing a federal digital-privacy law.  In co-writing a 2020 white paper, Kerry tried to find a balance between Democrats insisting that private citizens should be able to sue over privacy, and Republican and business interests dead set against the idea because of its potential cost. Here Kerry describes a middle ground.

“These discussions of a private right of action in privacy legislation resemble the ideas that I — along with John B. Morris, Jr., Caitlin Chin, and Nicol Turner Lee—explored over a year ago in our Brookings report. 

“In detailed analysis of leading bills and recommendations for bridging these gaps, we suggested that Congress and stakeholders would need to consider some form of private right of action to pass privacy legislation. We recognized that individuals could suffer serious harms from privacy violations—and that private litigation, along with federal and state enforcement, can strengthen a privacy law. 

“Yet, we also proposed a variety of substantive and procedural guardrails to limit the nature and frequency of private litigation. Our proposals were intended to plant the seeds for compromise. Whether or not our proposals played a part, the September 29 hearing makes clear that such ideas are germinating.

“Over the past year, various businesses have started to consider the possibility of private rights of action in some form as the price for enacting a baseline federal privacy law that establishes nationwide standards. But, so far, these have been discussed among like-minded players behind virtual closed doors. The overt discussion in the September 29 hearing takes this willingness to entertain a private right of action to a new level and could pave the way for the hard work by all stakeholders—and bargaining—it will take to pass a strong baseline privacy law.

“Compared to Senate Commerce hearings in 2019 and 2020, this latest hearing demonstrates significant progress. The exchanges and body language between Sens. Wicker and Cantwell suggested renewed bipartisan talks on legislation might be possible. Cantwell nodded along with much of Wicker’s opening statement, including his statement that they both believe the time has come to pass privacy legislation. In turn, she expressed appreciation for his “reminding me of your willingness to have a larger discussion about the private right of action.” 

“Both senators agreed that the Biden administration should designate a senior point of contact to work with Congress on privacy legislation, and that the U.S. privacy debate has international ramifications.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp