[dow1-2tf] Moving forward on "conspicuous notice"?
- To: dow1-2tf@xxxxxxxxxxxxxx
- Subject: [dow1-2tf] Moving forward on "conspicuous notice"?
- From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Sep 2004 14:47:19 +0200
- Mail-followup-to: dow1-2tf@xxxxxxxxxxxxxx
- Sender: owner-dow1-2tf@xxxxxxxxxxxxxx
- User-agent: Mutt/1.5.6i
I'm somewhat concerned that there has been (almost) no follow-up
discussion on Tuesday's call so far. On the call, some suggested
that we should look at legal approaches to "conspicuous notice" to
figure out the right balance between burden to processing parties
and forcing registrants to take notice.
BUT: "Conspicuous notice" of data processing in the form of, say,
all-caps or boldface parts of the registration agreement may be
considered enough in some contexts in some jurisdictions. In other
jurisdictions, you may encounter requirements such as explicit,
deliberate, and free consent to well-specified purposes, maybe even
in writing. The point here is that the burden on the processing
party may be balanced against data subjects' awareness and free
consent in significantly different ways.
At this point, and with the major work item of tiered access still
before us, I'd suggest this group pragmatically (and on-list!) look
at ways to increase registrant awareness above the current levels,
recognizing that we are certainly not going to fix WHOIS' privacy
problems in dealing with the "conspicuous notice" milestone.
Here's a possible set of recommendations, to get things started;
these are mostly based on TF2's findings, except for the success
Objective: Increase registrant awareness of WHOIS.
Success Metric: Significant increase of registrant awareness
of WHOIS, as measured by sampling registrants prior to and
12 months after implementation.
1. Registrars must ensure that disclosures regarding
availability and third-party access to personal data
associated with domain names actually be presented to
registrants during the registration process. Linking to an
external web page is not sufficient.
2. Registrars must ensure that these disclosures are set
aside from other provisions of the registration agreement if
they are presented to registrants together with that
agreement. Alternatively, registrars may present data
access disclosures separate from the registration agreement.
3. Registrars must obtain a separate acknowledgement from
registrants that they have read and understood these
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.