- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Tue, 13 Mar 2012 21:10:33 -0700
- To: Tracking Protection Working Group WG <public-tracking@w3.org>
We agreed in Brussels that: 1) If two entities are not related by corporate affiliation, they are not part of the same party. From discussion on the mailing list, I think we are very close to consensus on three other points: 2) Branding should determine party boundaries. 3) Branding should determine first parties and third parties. 4) An entity must make "discoverable" the other entities that it considers part of the same party. We do not have consensus on a final issue: 5) If two entities are related by corporate affiliation, are they part of the same party? I've taken a stab at text that captures these five points. It is based on the current TCS document, the DAA principles, my proposal with Tom, and the CDT proposal. -------------------------------------------------- I. Definitions A. Network Interaction A "network interaction" is an HTTP request and response, or any other sequence of logically related network traffic. B. Entity An "entity" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person. C. Affiliation If an entity holds significant ownership in or exercises significant operational control over another entity, they are "affiliated." D. Party A "party" is any group of entities that: a) consistently presents common branding throughout each entity, and b) is related by affiliation. [there is debate over whether to flip the "and" to an "or"] E. First Parties and Third Parties A "first party" is any party, in a specific network interaction, that brands content that occupies the full window. A "third party" is any party, in a specific network interaction, that does not brand content that occupies the full window. II. Transparency Requirement A. Operative Text A party must make reasonable efforts to ensure users can discover which entities it encompasses. B. Non-Normative Discussion A list of entities in a privacy policy would ordinarily satisfy this requirement.
Received on Wednesday, 14 March 2012 04:11:03 UTC