W3C home > Mailing lists > Public > public-tracking@w3.org > April 2012

Aleecia's Template for Issue-10, Issue-17, Issue 19

From: John Simpson <john@consumerwatchdog.org>
Date: Fri, 6 Apr 2012 15:05:12 -0700
Message-Id: <744BE897-2168-4970-B280-7722306F3B5B@consumerwatchdog.org>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Colleagues,

I have been working on text to deal with parties and allowed business uses as outlined in Aleecia's revised template.  So far I have a draft that addresses the first part of the template -- Issue-10, What is a first party?, Issue-17, Data use by 1st Party,  Issue-19, Data collection / Data use (3rd party). It is attached as an RTF file and is also in the body of this email below.  I  expect to have ideas about permitted uses later today or tomorrow at the latest.

73s,
John



------

Contributors to this proposal:  John M. Simpson

Part I: Parties

	A.  A "party" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person, that an ordinary user would perceive to be a discrete entity for purposes of information collection and sharing.  A party MAY also include affiliates if the affiliates are commonly owned and controlled, and the relationship is clear to consumers through common branding. A party MUST NOT include more than five affiliates.

		Example 0: If a user visits flickr.com, which is branded "from Yahoo!", are Flickr and Yahoo one party? Yes.
		Example 1: If a user visits google.com, are other parts of Google, Inc. (adwords, analytics, YouTube, gmail, Google Maps) also the same party as google.com? Yes.
		Example 2: If a user visits geico.com, is See's Candies also the same party? No.
		Example 3: If Mozilla and Opera form a jointly-owned and controlled company called Moperilla, and a user visits Moperilla, are Mozilla and Opera part of the same party as Moperilla? No.

	B. A "first party" is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it.  Otherwise, a party is a  "third party."   If a party cannot infer with a high degree of probability that it is a "first party," it MUST behave as a third party.

		To comply with DNT, a first party MUST NOT share data with a third party, outside of permitted uses as defined in this standard or specific user-granted exceptions.
		To comply with DNT, a first party MAY take additional privacy enhancing steps, such as treating each session with a user as an entirely new session unless it has been given permission to store her information and use it again.

	C. A "third party" is any party, in a specific network interaction, that cannot infer with high probability that the user knowingly and intentionally communicated with it.  If a party does not know its status, it MUST behave as a third party.

		To comply with DNT, if the operator of a third-party domain receives a communication to which a [DNT:1] header is attached:
that operator MUST NOT collect, share, or use information related to that communication outside of the permitted uses as defined within this standard and any explicitly-granted exceptions, provided in accordance with the requirements of this standard;
that operator MUST NOT use information about previous communications in which the operator was a third party, outside of the explicitly expressed permitted uses as defined within this standard;
that operator MUST NOT retain information about previous communications in which the operator was a third party, outside of the explicitly expressed permitted uses as defined within this standard.
that operator MUST NOT use information associated with the user agent that was gathered and stored when the operator was acting as a first party.


	D. A third party acting as a first party (as an agent) MUST be under contract to provide a specific service for the first party.

		To comply with DNT, a third party acting as a first party MUST NOT combine any data obtained from the first party to perform the contracted service with any other data.
		To comply with DNT, a third party acting as a first party MUST retain the data only as long as necessary to perform the contracted service for the first party.
		To comply with DNT, a third party acting as a first party MUST NOT collect data that could be combined across first parties.





---------
John M. Simpson
Privacy Project Director
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Friday, 6 April 2012 22:05:31 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:27 UTC