Re: ACTION-255: Work on financial reporting text as alternative to legal requirements

From: Nicholas Doty <npdoty@w3.org>
Date: Mon, 24 Sep 2012 16:57:45 -0700
Cc: <public-tracking@w3.org>, "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>
Message-Id: <D2C0D518-B59E-48BC-8055-E5DC54CB4E8B@w3.org>
To: Alan Chapell <achapell@chapellassociates.com>

Hi Alan,

On Sep 24, 2012, at 9:38 AM, Alan Chapell <achapell@chapellassociates.com> wrote:
>> Would this proposal prohibit retention and use of user browsing data for behavioral targeting of online ads? If I sign a contract that I will only show a particular ad to users who previously visited a certain set of web pages, would I then be permitted regardless of DNT signal to retain and use any information from requests in order to verify that an ad is only shown to such visitors? Or to bill differently for visitors who had visited certain sites in the past? 
> 
> I'M NOT INTENDING TO ALLOW SOMEONE TO OVERRIDE DNT SIMPLY BY ADDING 'WE DON'T HAVE TO HONOR DNT' IN CONTRACT TERMS. PERHAPS WE CAN CLARIFY THAT IN NON-NORMATIVE LANGUAGE.

Good that we have that common understanding. However, it seems like this is a pretty fundamental concept that we would want as a normative requirement. If you agree that contract terms don't override DNT compliance (for servers that are complying with DNT), it might be useful to enumerate when data can be retained and used if required by contract and when it can't. (Again, my attempt, based on discussions with Shane and Tom in the past, had been to rely on financial reporting requirements in law.)

>> Similarly, your final example is a case of remarketing or retargeting -- as I understand it, you're suggesting that ad networks must continue to retain data of who saw which ad where so that they can confirm that a certain ad is only shown to visitors who had previously seen a particular ad on a particular site. I was under the impression that the group had certainly agreed that alteration of future requests based on past requests on other sites would generally be prohibited.
> 
> THE FINAL EXAMPLE IS A REAL WORLD EXAMPLE. I RAISED IT ON THE CALL A FEW WEEKS AGO AND ALEECIA ASKED ME TO DOCUMENT IT. FRANKLY, I'M STILL WORKING THROUGH EXACTLY HOW WE ADDRESS IT. IF A CONSUMER ENABLES DNT AFTER THEY HAVE SEEN THE RETARGETED AD BUT PRIOR TO THE REQUEST FROM THE PCMCP, THE AD NETWORK THAT SERVED THAT AD WOULD NEED TO PROVIDE PROOF TO THEIR AD AGENCY AND THE PCMCP. "SORRY, WE CAN'T HELP YOU BECAUSE THAT USER TURNED ON DNT" IS UNLIKELY TO BE AN ACCEPTABLE ANSWER.

I appreciate your documenting the example. I apologize if I misunderstood the examples; I thought they were all intended as examples where data retention and use would continue for DNT:1 communications under this particular permitted use, but maybe you were just intending them as use cases that we ought to discuss.

In this case, I don't think the spec or the group has held that a user who starts sending a DNT:1 signal after receiving a re-targeted ad expects as part of that preference for previously collected data (not under DNT:1) to be retroactively removed or its use limited. If the case is a non-DNT user receiving a retargeted ad, then I don't think this spec would have any bearing on what data could be turned over to PCMCP. If the case is a user arriving with DNT:1 on the news.co.uk site, my understanding is that the user wouldn't be served a retargeted ad (based on their having seen the ad on a particular US-based website) at all.

>> I'm also curious about the "subsequent action or conversion" purpose and corresponding post-impression conversion example. Does retention of data about a request and correlation of that data with other requests on other sites qualify as data to confirm that a "request met various criteria set forth by the contract"? I would generally be afraid that it would be hard to explain to users that their browsing activity was being tracked under DNT:1 because certain contracts granted different financial terms based on past or future online activity.
> 
> THE SUBSEQUENT ACTION OR CONVERSION PURPOSE IS IMPORTANT TO THE COST PER ACTION MODEL. BROOKS HELPED WITH THIS LANGUAGE SO HE MAY WANT TO EXPLAIN FURTHER.

I can certainly see that model as being affected. For some cases of conversion tracking (I click on an ad, browse the product site and ultimately buy the product), I would expect first-party compliance to be sufficient -- I believe we had a common understanding that clicking on an ad would count as a meaningful interaction.

> ALSO, REGARDLESS OF THE DEFINITIONS WE ULTIMATELY CHOOSE, USER ACTIVITY IS GOING TO BE TRACKED -- FOR EXAMPLE, UNDER ONE OF THE ENUMERATED EXCEPTIONS. I'M A BIT UNCOMFORTABLE GOING TOO FAR DOWN THE "HOW DO WE EXPLAIN XXXXX TO USERS" WHEN WE'VE CLEARLY PUNTED ON THAT BY NOT REQUIRING THE BROWSERS TO DO SO.

I trust that all stakeholders have a common interest in developing a compliance standard that will be meaningful to users.

What I was trying to get at here was that this example (correlating an ad impression, absent any meaningful interaction, with subsequent browsing activity and possible conversion) seemed like a practice I thought the group had agreed wouldn't be compliant with a user's Do Not Track preference. I did my best in my draft [0] to provide one possible coherent theme for our evaluation of permitted uses and be explainable to an end user -- compliance with DNT preventing retention of data by a third-party except where it doesn't imply a user's Web browsing history or where it's consistent with the context of the interaction.

[0] http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0141.html

Thanks,
Nick

>> I would like to hope that our permitted use text can avoid a detailed list of which contractual practices are allowed and which are prohibited, but it may be helpful to determine whether the group has a common understanding there. I could certainly understand a concern that this form of proposal would allow any contractual relationship to override a user's expressed preference, which I don't believe to be our common intent.
> 
> I'M NOT SURE HOW ELSE WE APPROACH, BUT I'M OPEN TO SUGGESTIONS. KEEPING IT HIGH LEVEL MAY WORK FOR SOME, BUT WILL UNDOUBTEDLY CAUSE HEARTBURN FOR OTHERS IN THE WG.
> 
> THANKS NICK!
> 
>> Thanks,
>> Nick
Received on Tuesday, 25 September 2012 00:01:40 UTC
