W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: ACTION-267 - Propose first/third party definitions from existing DAA documents

From: Alan Chapell <achapell@chapellassociates.com>
Date: Thu, 11 Oct 2012 12:20:57 -0400
To: Jonathan Mayer <jmayer@stanford.edu>, Rachel Thomas <RThomas@the-dma.org>
CC: Jeffrey Chester <jeff@democraticmedia.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CC9C68F6.23241%achapell@chapellassociates.com>
Nice work in getting back to Jonathan so quickly, Rachel.

Thanks for your thoughts Jonathan. Are you planning to answer my questions
today? 

 If your answer is -- "no, we haven't been able to document real examples of
harm" or "I've split from my colleagues at Mozila re: certain first party
issues, then I would encourage you to help me understand so we can move on
to other issues. 

Ignoring multiple requests from me while continuing to ask others for more
and more data points on issues that are important to you isn't going to help
the long term productivity of the group.

Thanks again.

-a

From:  Jonathan Mayer <jmayer@stanford.edu>
Date:  Thursday, October 11, 2012 11:23 AM
To:  Rachel Thomas <RThomas@the-dma.org>
Cc:  Jeffrey Chester <jeff@democraticmedia.org>, "public-tracking@w3.org"
<public-tracking@w3.org>
Subject:  Re: ACTION-267 - Propose first/third party definitions from
existing DAA documents
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Thu, 11 Oct 2012 15:24:23 +0000

>  
> Thanks Rachel.  This answers my first question (the TRUSTe pilot).  Any
> progress on the second (present opt-out usage rates)?
> 
> For those interested, here are my thoughts on the TRUSTe trial:
> 
> I'm confused as to how the TRUSTe pilot was a pretest of the DAA icon program.
> The DAA's self-regulatory principles (and the call for in-ad notice) were
> published in July 2009, and the "Advertising Option Icon" was announced in
> early October 2010.  TRUSTe's results didn't come out until mid-November 2010.
> 
> I suspect many researchers would contest the characterization that the pilot
> showed "very positive results."  Only 0.28% to 0.63% of consumers in TRUSTe's
> trial clicked the icon (depending on uniqueness), and only 0.0036% to 0.0082%
> made any opt-out choice (again depending on uniqueness).  TRUSTe itself
> concluded it was "[n]ot clear that ad notice outside the privacy policy,
> whether in footer or near/in ad, is superior."
> 
> I also anticipate advocates may be troubled by the trial's explicit conclusion
> that "[t]he very low rate of consumer preference changes suggest that [n]otice
> outside [the] privacy policy will not negatively impact advertising revenues."
>  
>   
> 
> On Thursday, October 11, 2012 at 7:28 AM, Rachel Thomas wrote:
>  
>>  
>> As promised, here are the links to the TRUSTe pilot I mentioned in my note
>> below:
>> 
>>  
>> 
>> ·         Press Release: Consumers Find Behavioral Advertising Choices
>> Compelling with TRUSTe TRUSTed Ads Privacy Platform
>> http://www.truste.com/about-TRUSTe/press-room/news_truste_PCH_TrustedAds_resu
>> lts 
>> 
>>  
>> 
>> ·         Full Results: Trusted Ads ­ OBA Notice and Choice
>> http://www.truste.com/pdf/TRUSTe-OBA-Behavioral-Advertising-Opt-Out.pdf
>> 
>>  
>> 
>> Very best,
>> 
>> Rachel
>> 
>>  
>> 
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> Sent: Wednesday, October 10, 2012 4:43 PM
>> To: Rachel Thomas
>> Cc: Jeffrey Chester; public-tracking@w3.org
>> Subject: Re: ACTION-267 - Propose first/third party definitions from existing
>> DAA documents
>> 
>>  
>> 
>> Rachel,
>> 
>>  
>> 
>> This information is helpful, thanks.  Two quick followup questions.
>> 
>>  
>> 
>> First, is the TRUSTe pilot report available somewhere?  It would be helpful
>> to better understand the methodology and results.  For example, it's
>> difficult to estimate the proportion of users who clicked through the ad
>> notice from the passage you provided.
>> 
>>  
>> 
>> Second, about what proportion of web users are presently taking advantage of
>> the DAA program's choice mechanism?  Again, it's hard to get a sense from the
>> numbers below.
>> 
>>  
>> 
>> Thanks,
>> 
>> Jonathan
>> 
>>  
>> 
>>  
>> 
>> On Wednesday, October 10, 2012 at 12:55 PM, Rachel Thomas wrote:
>>> 
>>> Hi Jeff ­ It actually wasn¹t me to whom you directed this question during
>>> the briefing that DMA recently hosted for you and other consumer groups (in
>>> conjunction with the NTIA multistakeholder process).  You were in
>>> conversation with my colleague, Sarah Hudgins from IAB, who was presenting
>>> an update regarding the DAA program.  We¹re both brunettes, and you¹re not
>>> the first to confuse us.  J  Regardless, I would like to correct the record
>>> regarding testing of the DAA programŠ
>>> 
>>>  
>>> 
>>> The DAA icon program implementation was consumer-tested prior to its launch
>>> ­ and with very positive results.  TRUSTe ran a pilot of the icon
>>> implementation (serving via a ³widget² that launches from a clickable icon
>>> placed on adjacent to advertisements or in the header/footer of pages).  The
>>> pilot ran for approximately six months in market, and was executed with
>>> Comcast.net <http://Comcast.net>  and PCHLotto.com <http://PCHLotto.com> .
>>> TRUSTe reported positive findings in November 2011, including:
>>> 
>>> 1. Consumers engaged more with Ad Notice [the icon implementation] outside
>>> the Privacy Policy.  Over the 6 months 2.5 more people engaged with the ad
>>> notice than the privacy policy.
>>> 
>>> 2. Consumer education, notice and choice were effective to build consumer
>>> trust with online behavioral advertising.  During the pilot, over 80% of
>>> visitors did not make any changes to their preferences; only 1% chose to
>>> opt-out of OBA.  Over 55% of feedback respondents found the Notice helpful.
>>> 
>>>  
>>> 
>>> Much more compelling, I would argue, is the fact that ­ since the DAA
>>> program¹s launch in 2010 ­ more than 16 million consumers have visited the
>>> DAA sites to learn about their advertising data choices, and, to date, more
>>> than 1 million consumers have taken action to exercise their choice about
>>> how advertisers will use their data.
>>> 
>>>  
>>> 
>>> Hard to argue that the design and usability of the DAA program is
>>> ³inadequate² with 16 million consumers served to date.
>>> 
>>>  
>>> 
>>> Very best, as always,
>>> 
>>> Rachel
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
>>> Sent: Wednesday, October 10, 2012 11:52 AM
>>> To: Thomas Roessler; Aleecia McDonald; Matthias Schunter
>>> Cc: Rachel Thomas; Craig Spiezle; public-tracking@w3.org; Kimon Zorbas
>>> Subject: Re: ACTION-267 - Propose first/third party definitions from
>>> existing DAA documents
>>> 
>>>  
>>> 
>>> I have to say I am dismayed that colleagues from the US online marketing
>>> community are trying to replace the W3C multistakeholder process with a
>>> system devised exclusively by the online ad industry.  As I mentioned during
>>> last week's f2f, NGOs and other civil society groups across the Atlantic
>>> have criticized the DAA system as inadequate.  Leading computer science and
>>> other researchers have also repeatedly shown how lacking and ineffective it
>>> is.  Indeed, just two weeks ago in DC I asked Ms. Thomas if there had been
>>> any testing done for design and usability of the system--including by
>>> independent bodies.  The answer was basically there was no such usability
>>> and independent review.  As we all know, the user experience online is
>>> tested and  "optimized" to move them through a digital data collection
>>> funnel-- in order to achieve the required "conversion."  Until such
>>> independent testing of the DAA system to show that it can effectively inform
>>> and empower online users about their privacy choices-- in the face of a
>>> purposefully powerful and designed interactive experience--the W3C would be
>>> remiss adopting it in all or in part.
>>> 
>>>  
>>> 
>>> In addition, yesterday's announcement by the DAA that it would, in essence,
>>> condone a boycott of DNT requests from users relying on the IE browser (or
>>> other browsers adopting privacy by design frameworks), suggests there is a
>>> political motivation that should be addressed by the group and W3C (inc. Mr.
>>> Berners-Lee).  Instead of developing the best technical standard through
>>> expert and objective international standards work, we appear to now confront
>>> a political agenda designed to maintain the data collection and user
>>> targeting status quo.  The W3C needs to do better than be silent about these
>>> recent developments.
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> Jeffrey Chester
>>> 
>>> Center for Digital Democracy
>>> 
>>> 1621 Connecticut Ave, NW, Suite 550
>>> 
>>> Washington, DC 20009
>>> 
>>> www.democraticmedia.org <http://www.democraticmedia.org>
>>> 
>>> www.digitalads.org <http://www.digitalads.org>
>>> 
>>> 202-986-2220
>>> 
>>>  
>>> 
>>> On Oct 10, 2012, at 10:57 AM, Kimon Zorbas wrote:
>>> 
>>>  
>>> 
>>> Dear all,
>>> 
>>>  
>>> 
>>> to add some European flavour, here what we use in our OBA Framework,
>>> matching European law. We call First Parties "Web Site Operators". W3C can
>>> of course use this wording, we have the full rights to it.
>>> 
>>>  
>>> 
>>> Third Party
>>> 
>>> An entity is a Third Party to the extent that it engages in Online
>>> Behavioural Advertising on a web site or web sites other than a web site or
>>> web sites it or a an entity under Common Control owns or operates.
>>> 
>>>  
>>> 
>>> Web Site Operator
>>> 
>>> A Web Site Operator is the owner, controller or operator of the web site
>>> with which the web user interacts.
>>> 
>>>  
>>> 
>>> Control
>>> 
>>> Control of an entity means that another entity (1) holds a majority of the
>>> voting rights in it, or (2) is a member of it and has the right to appoint
>>> or remove a majority of its board of directors, or (3) is a member of it and
>>> controls alone, pursuant to an agreement with other members, a majority of
>>> the voting rights in it, or (4) has placed obligations upon or otherwise
>>> controls the policies or activities of it by way of a legally binding
>>> contract, or (5) otherwise has the power to exercise a controlling influence
>>> over the management, policies or activities of it, and ³Controlled² shall be
>>> construed accordingly.
>>> 
>>>  
>>> 
>>> Common Control
>>> 
>>> Entities or web sites under Common Control include ones which Control, for
>>> example parent companies, are Controlled by, such as subsidiaries, or are
>>> under common Control, such as group companies. They also include entities
>>> that are under a written agreement to process data for the controlling
>>> entity or entities, and do such processing only for and on behalf of that
>>> entity or entities and not for their own purposes or on their own behalf.
>>> 
>>>  
>>> 
>>>  
>>> 
>>> For other UA, we capture them through the following wording:
>>> 
>>> To the extent that Companies collect and use data via specific technologies
>>> or practices that are intended to harvest data from all or substantially all
>>> URLs traversed by a particular computer or device across multiple web
>>> domains and use such data for OBA, they should first obtain Explicit
>>> Consent.
>>> 
>>>  
>>> 
>>> Kind regards,
>>> 
>>> Kimon
>>> 
>>>  
>>> 
>>> From: Rachel Thomas <RThomas@the-dma.org>
>>> Date: Wednesday 10 October 2012 16:48
>>> To: Craig Spiezle <craigs@otalliance.org>, "public-tracking@w3.org"
>>> <public-tracking@w3.org>
>>> Subject: RE: ACTION-267 - Propose first/third party definitions from
>>> existing DAA documents
>>> Resent-From: <public-tracking@w3.org>
>>> Resent-Date: Wednesday 10 October 2012 16:43
>>> 
>>>  
>>> 
>>> Hi Craig, great question ­ let me try to clarify with some additional info
>>> from the DAA principles.  Below is the definition of ³affiliate² as well as
>>> some commentary on the definition from the DAA¹s Self-Regulatory Principles
>>> for Online Behavioral Advertising.  (Also, please note that while there is
>>> not an explicit definition of ³affiliate² included in the DAA¹s
>>> Self-Regulatory Principles for Multi-Site Data, the same definition applies
>>> in that context as well).
>>> 
>>>  
>>> 
>>> AFFILIATE
>>> 
>>>  
>>> 
>>> Definition: An Affiliate is an entity that Controls, is Controlled by, or is
>>> under common Control with, another entity.
>>> 
>>>  
>>> 
>>> Commentary (relating to definitions of both ³affiliate² and ³control²):
>>> These terms set an objective test to separate related First Party entities
>>> from Third Parties and others. An Affiliate is defined as an entity that
>>> Controls, is Controlled by, or is under common Control with, another entity.
>>> The definition of Control sets out two alternative tests, which reflect a
>>> commonly understood definition of a single entity. The first alternative
>>> looks to whether one entity is under significant common ownership with the
>>> other entity. The second alternative looks to whether one entity has the
>>> power to exercise a controlling influence over the management or policies of
>>> the other. In addition, each entity must be subject to Online Behavioral
>>> Advertising policies that are not materially inconsistent with the other
>>> entity¹s Online Behavioral Advertising policies. The combination of Control
>>> and governance by similar Online Behavioral Advertising policies renders the
>>> two entities Affiliates of each other.
>>> 
>>>  
>>> 
>>> The tests for Control are unrelated to brand names. As a result, different
>>> brands, if they otherwise meet one of the tests for Control, would be
>>> treated as Affiliates rather than Third Parties.
>>> 
>>>  
>>> 
>>> The starting point for whether two or more affiliated consumer-facing Web
>>> sites constitute a First Party under the Principles is whether the Web sites
>>> are the same company. The use of the term Affiliate is intended to allow
>>> affiliated companies that are in the same corporate family to share
>>> information within that family as if they are the same company, thereby
>>> benefitting from their collective assets. The treatment of Affiliates is not
>>> intended to create a means for companies that are in reality unrelated in
>>> corporate structure (and, therefore, that consumers would never expect would
>>> be sharing information,) to avoid providing the choice required under these
>>> Principles. In many cases companies can readily be transparent either in
>>> branding on the Web sites or through clarity in the privacy notices of their
>>> particular Affiliates. Assuming an entity otherwise meets the standard set
>>> forth in the definition of Control, such practices would clearly satisfy and
>>> permit inclusion in the definition of Affiliate. However, such branding on a
>>> Web site or inclusion in a privacy notice is not required under the
>>> Principles as in some instances the complexity of corporate affiliates
>>> driven by corporate legal principles pose practical operational challenges.
>>> 
>>>  
>>> 
>>> And very best,
>>> 
>>> Rachel
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: Craig Spiezle [mailto:craigs@otalliance.org]
>>> Sent: Tuesday, October 09, 2012 11:58 PM
>>> To: Rachel Thomas; public-tracking@w3.org
>>> Subject: RE: ACTION-267 - Propose first/third party definitions from
>>> existing DAA documents
>>> 
>>>  
>>> 
>>> This is helpful.
>>> 
>>>  
>>> 
>>> Just so we are all on the same page can you clarify affiliate vs.
>>> non-affiliate.   Is it correct to assume affiliate means a wholly owned
>>> entity?
>>> 
>>>  
>>> 
>>> So a Third Party who collects data from an affiliate is not a third party.
>>> So this would or could mean a totally separate brand which the user has no
>>> knowledge of?  
>>> 
>>>  
>>> 
>>> Thanks 
>>> 
>>>  
>>> 
>>> From: Rachel Thomas [mailto:RThomas@the-dma.org]
>>> Sent: Tuesday, October 09, 2012 1:16 PM
>>> To: public-tracking@w3.org
>>> Subject: ACTION-267 - Propose first/third party definitions from existing
>>> DAA documents
>>> 
>>>  
>>> 
>>> Folks ­ As promised, I am submitting the Digital Advertising Alliance (DAA)
>>> definitions of ³first party² and ³third party² for consideration / inclusion
>>> in section 3.5 
>>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#
>>> first-third-parties>  (³First and Third Parties²) of the W3C TPWG "Tracking
>>> Compliance and Scope² document.  Below are both formal definitions and
>>> related commentary from the DAA Self-Regulatory Principles for Multi-Site
>>> Data 
>>> <https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf>
>>> .
>>> 
>>>  
>>> 
>>> FIRST PARTY
>>> 
>>>  
>>> 
>>> Definition: A First Party is the entity that is the owner of the Web site or
>>> has Control over the Web site with which the consumer interacts and its
>>> Affiliates. 
>>> 
>>>  
>>> 
>>> Commentary: The actions of agents and other entities that similarly perform
>>> business operations of First Parties are treated as if they stand in the
>>> shoes of First Parties under these Principles and thus such actions are not
>>> included in Multi-Site Data.
>>> 
>>>  
>>> 
>>> THIRD PARTY
>>> 
>>>  
>>> 
>>> Definition: An entity is a Third Party to the extent that it collects
>>> Multi-Site Data on a non-Affiliate¹s Web site.
>>> 
>>>  
>>> 
>>> Commentary:  As described in the OBA Principles, in certain situations where
>>> it is clear that the consumer is interacting with a portion of a Web site
>>> that is being operated by a different entity than the owner of the Web site,
>>> the different entity would not be a Third Party for purposes of the
>>> Principles, because the consumer would reasonably understand the nature of
>>> the direct interaction with that entity. The situation where this occurs
>>> most frequently today is where an entity through a ³widget² or ³video
>>> player² enables content on a Web site and it is clear that such content and
>>> that portion of the Web sites is provided by the other entity and not the
>>> First Party Web site. The other entity (e.g. the ³widget² or ³video player²)
>>> is directly interacting with the consumer and, from the consumer¹s
>>> perspective, acting as a First Party. Thus, it is unnecessary to apply to
>>> these activities the Principles governing data collection and use by Third
>>> Parties with which the consumer is not directly interacting.
>>> 
>>>  
>>> 
>>> Very best,
>>> 
>>> Rachel
>>> 
>>>  
>>> 
>>> Rachel Nyswander Thomas
>>> 
>>> Vice President, Government Affairs
>>> 
>>> Direct Marketing Association
>>> 
>>> (202) 861-2443 office
>>> 
>>> (202) 560-2335 cell
>>> 
>>> rthomas@the-dma.org <mailto:rthomas@the-dma.org>
>>> 
>>>  
>>> 
>>> Join us at DMA2012 Conference and Exhibition
>>> 
>>> The Global Event for Real-Time Marketers
>>> 
>>> October 13-18, 2012 | Las Vegas, NV
>>> 
>>> Register NOW & SAVE up to $200 |www.dma12.org <http://www.dma12.org/>
>>> 
>>>  
>>> 
>>>  
>> 
>>  
>>      
>   
>  
>  
Received on Thursday, 11 October 2012 16:21:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:36 UTC