[registrars] Melbourne IT Comments on WHOIS recommendation relating to notification and consent

["Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>]

Hello All,

For information I have submitted the comment below to the WHOIS public
comment forum.

I recommend that other registrars also post to the forum.

Regards,
Bruce

-----Original Message-----
From: Bruce Tonkin 
Sent: Friday, 6 May 2005 4:47 PM
To: 'gnso-whois-tf-rpt@xxxxxxxxx'
Subject: Comments on WHOIS recommendation relating to notification and
consent

Hello,

I do not support the recommendation below in its current form.

Recommendations relating to improving notification and consent for the
use of contact data in the whois system:

(1) Registrars must ensure that disclosures regarding availability and
third-party access to personal data associated with domain names
actually be presented to registrants during the registration process.
Linking to an external web page is not sufficient. 

(2) Registrars must ensure that these disclosures are set aside from
other provisions of the registration agreement if they are presented to
registrants together with that agreement. Alternatively, registrars may
present data access disclosures separate from the registration
agreement. The wording of the notice provided by registrars should, to
the extent feasible, be uniform. 

(3) Registrars must obtain a separate acknowledgement from registrants
that they have read and understand these disclosures. This provision
does not affect registrars' existing obligations to obtain registrant
consent to the use of their contact information in the WHOIS system. 

I offer the following comments:

Clause 3.7.7.4 of the Registrars Accreditation Agreement already
requires:
Registrar shall provide notice to each new or renewed Registered Name
Holder stating:

(a) The purposes for which any Personal Data collected from the
applicant are intended;

(b) The intended recipients or categories of recipients of the data
(including the Registry Operator and others who will receive the data
from Registry Operator);

(c) Which data are obligatory and which data, if any, are voluntary; and

(d) How the Registered Name Holder or data subject can access and, if
necessary, rectify the data held about them.


Registrants that are concerned about the use of Personal Data that they
supply to an online company normally have two places to find this out:
- a privacy policy
- the terms and conditions of the service

Registrars are already required to include information in the terms and
conditions of the service.

It is a challenging task to present a domain name registration in a form
that is understandable by the average consumer.  Registrants are
required to provide contact information as well as information about the
DNS nameserver information associated with each domain name.   Adding
further steps, and separate explicit consents, as proposed in the
recommendation is unlikely to improve the experience for the registrant,
and the registrant should be encouraged to read the terms and conditions
of the licence.    These are merely additional barriers to prevent a
registrant registering a name, when a far better customer experience
would be to offer the option to opt-out of the public display of
Personal Data, rather than force the registrant to acknowledge that they
have no choice but to have Personal Data available for public access.

In Australia and other countries with strong privacy protection laws, it
is far more common that organisations explicitly include all privacy
related information in an easily accessible privacy policy.    It is not
necessary to explicitly acknowledge that the person has read the privacy
policy.

For example, the Melbourne IT privacy policy is directly accessible via
a link on the front page of the website:
http://www.melbourneit.com.au/privacy/ .  This is consistent with local
privacy laws, and Australian consumers have been widely educated to read
privacy policies when providing personal data.

I recommend that the GNSO provide more flexibility for registrars to
implement the goal consistent with the expectations of registrants in
particular markets.  For example in the USA a registrant may be used to
reading about privacy in the terms and conditions of a product, whereas
in Australia it is far more common for such information to be in a
separate privacy policy.

I recommend that the recommendations be changed to the following:


"Registrars must ensure that disclosures regarding availability and
third-party access to personal data associated with domain names
actually be readily AVAILABLE to registrants during the registration
process. 

Examples of approaches include, but are not limited to,
- a link to a separate privacy policy,
- information provided in printed form at the time of registration,
- information provided via email,
- privacy provisions set aside from other provisions in the registration
agreement."


Regards,
Bruce Tonkin
Melbourne IT