Proposed Amendments to the DAA Proposal

Hi Peter and the rest of the TPWG,

Here are my proposed amendments to the DAA proposal.  Let me know if you need them in a different format for the Wiki.

Amendment #1:  Change the definition of Service Provider

Proposed new language:  Most sites, services, or resources on the Web involve multiple parties that process the data received in a given interaction. For example, the parties involved during an interaction might include domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers. Likewise, additional parties might be engaged after an interaction, such as when services or contractors are used to perform specialized data analysis or records retention.
For the data received in a given network interaction, a party is considered to be a service provider if it:
(1) processes the data on behalf of another party;
(2) ensures that the data is only retained, accessed, and used as directed by that party;
(3) has no independent right to use the data other than in a de-identified manner (e.g., for monitoring service integrity, aggregated industry trend reports, load balancing, capacity planning, or billing); and,
(4) has a contract in place with that party which is consistent with the above limitations.

Explanation:  The current definition of service provider is unworkable; and no company that either has multiple clients or its own business would qualify as a service provider.  This proposed language fixes that; and fits in better line with expectations of service providers.  Please note that this language will require changes to the business practice of numerous service providers; so this language is not trying to carve out all service providers.

Amendment #2 -- Editorial Comments:  Definition of de-identified data

In subclause (2), the proposal uses 'non-affiliates' instead of 'third parties', where I believe the text should read 'third parties'.  And, the first use of 'entities' should be 'third parties'; second use of 'entity' should be 'original party'.

In subclause (3), I suggest changing 'non-affiliate' to 'third party', since that is the language we're using in this standard.

In subclause (4), its unclear what 'this data' is referring to.  The data before it is de-identified?  The de-identified data itself?  The end results of the de-identified data (such as an aggregated report saying 'x% of the web now uses iPhones'?  Or, perhaps the data when it is in the to-be-renamed later 'Yellow' state?  I would strongly suggest clarifying the intent; though I'd like to stress that we should not place limits on reports generated from aggregated & de-identifed data.

Amendment #3 -- Editorial Comments:  Definition of delinked

In subclause (1), its introducing new terms that are not clear what it means, such as 'internally linked'.  I think it would be clearer if it says "has achieved a reasonable level of confidence that data has been de-identified and that there are controls in place such that the party (or any of that party's service providers when acting on that party's behalf)) cannot be linked to a specific user, computer, or other device.

Subclause (2) is very confusing.  Instead, how about 'has taken reasonable steps to ensure that there are controls in place (such as operational or administrative controls) that prevent the data from being reverse engineered back to data that can be linked to a specific user, computer or other device'?

Amendment #4  -- Editorial Comments:  Definition of Third Party Compliance

There seems to be inconsisentency with how this document describes consent.  In First Party compliance, it says 'consent'.  In a previous section, it says 'user granted exeption'.  Now, in this section, it says 'explicity granted exception'.  I ask the editors to review this for consistency.

-Vinay




--
Vinay Goel
Privacy Product Manager
Adobe
1540 Broadway - 17th Floor
New York, NY, 10036
917.934.0867 (tel)