RE: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track from Shane Wiley on 2012-02-03 (public-tracking@w3.org from February 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Fri, 3 Feb 2012 12:22:17 -0800
To: Nicholas Doty <npdoty@w3.org>
CC: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D0C8AC47D@SP2-EX07VS02.ds.corp.yahoo.com>

Nicholas,

Please see my remarks below in [ ]:

- Shane

From: Nicholas Doty [mailto:npdoty@w3.org]
Sent: Friday, February 03, 2012 1:14 PM
To: Shane Wiley
Cc: Tracking Protection Working Group WG
Subject: Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

Just a clarifying question.

Given that 3rd parties must not collect any data across multiple sites...

3rd parties MUST NOT collect data across multiple, non-affiliated or branded websites.
<Non-Normative> Data collected by a 3rd party MUST be segregated according to the 1st party from which it was collected.  A 3rd party MUST NOT aggregate, correlate or use together data that was collected on different 1st party sites.

Do these next three statements only apply to data collected across multiple sites? Or to any data that a third party collects about a user?  [Correct - only data collected across multiple sites - as profiling only for a single site falls under the 1st party definition (as a Service Provider with no independent rights to use this data elsewhere).]

3rd parties MUST NOT add collected data to a "profile" of a user.

3rd parties MUST NOT leverage previously collected data to profile a user or to alter a user's experience.

3rd parties MUST NOT attempt to personally identify a user.

If these only apply to data collected across multiple sites, I'm not sure the first at least is necessary. If I can't collect data about a user across sites, it would be impossible to use that not-collected data to add to a profile of them, right?

[Logically you could argue it that way but we added this statements to make the prohibition very clear and to lower the risk of logic entanglement arguments.]

Also, if that assumption is right, then the language seems confusing to me; 3rd-parties would be allowed to add data to profiles, leverage previously collected data to alter a user's experience or identify a user, as long as they were doing so with data they hadn't combined across sites, right?

[Correct - as a Service Provider to a 1st party with no independent rights to use this data elsewhere.]

Thanks,
Nick

Received on Friday, 3 February 2012 20:23:00 UTC