Re: Change proposal for ISSUE-5 - Definition of Tracking

Thanks, Justin. Here's an example that was used on my IAPP panel today.

In my example, there are two groups of websites.
Group A is owned by Justin, and group B is managed by Matthias.

Each website in group A has a different privacy policy and different privacy
practices.
Each website in group B has a different privacy policy and different privacy
practices.

Each website in group A has a link that clearly states "You are visiting a
Justin-owned website"
Each website in group B has a link that clearly states "You are visiting a
website on the Matthias network"

Each website in group A is presumably subject to some form of contract for
serving ads across each of Justin's sites.
Each website in group B is definitely subject to a contract for serving ads
across each of Matthias' sites.

Under our current definitions and policy regime, Justin is allowed to track
across his sites, but Matthias is not.

What is the policy justification for this distinction?

Thanks.

Alan



From:  Justin Brookman <jbrookman@cdt.org>
Date:  Tuesday, October 1, 2013 2:13 PM
To:  Alan Chapell <achapell@chapellassociates.com>
Cc:  <public-tracking@w3.org>
Subject:  Re: Change proposal for ISSUE-5 - Definition of Tracking

> Thanks for the precise and documented change proposal!
> 
> Whether or not this issue gets addressed in the definition of tracking, I
> think it has to get addressed in the definition of party either way.  That is,
> because *tracking* is not an operational term in the document, a company's
> cross-site activities might not be considered tracking under your definition,
> but they still might be prohibited by the standard because of a narrow
> definition of parties and a prohibition on third-party collection absent an
> operational permitted use or UGE.  So I think you should adapt your language
> below to a proposal on ISSUE-10 (as well or in lieu of this) --- if you can
> provide specific language for the call tomorrow great; otherwise we can
> discuss the concept and expect a proposal by October 9.
> 
> Also, if you could provide some examples for how this might work in practice
> under a common branding/contract regime, I think that would be useful for the
> group to consider.  One example I brought up on the call last week was DAA/IAB
> membership --- would multiple companies (including publishers, ad networks,
> and others) publicly ascribing to those codes render them one party under your
> definition?  Or would the branding have to be more robust than that?  I just
> want to tease out what this means!
> 
> Both ISSUE-5 and ISSUE-10 will be discussed tomorrow, and I think we can fold
> your new issue into those discussions.
> 
> On Oct 1, 2013, at 1:47 PM, Alan Chapell <achapell@chapellassociates.com>
> wrote:
> 
>> I propose the following change proposal for ISSUE-5 - Definition of Tracking
>>  
>> This builds on a definition that was previously submitted by Roy.
>>  
>> "Tracking is the act of following a particular user's browsing activity
>> across multiple distinct contexts, via the collection or retention of data
>> that can associate a given request to a particular user, user agent, or
>> device, and the retention, use, or sharing of data derived from that activity
>> outside the context in which it occurred. For the purposes of this
>> definition, a context is a set of resources that EITHER: a) share the same
>> owner, data controller and a common branding, such that a user would expect
>> that data supplied to one of the resources is available to all of the others
>> within the same context, OR b) enter into contract with other parties
>> regarding the collection, retention, and use of data, share a common branding
>> that is easily discoverable by a user, and describe their tracking practices
>> clearly and conspicuously in a place that is easily discoverable by the
>> user." 
>>  
>> Rationale: I believe that we have WG consensus that common ownership, control
>> and branding provides sufficient transparency and privacy controls. Building
>> on some of David Wainberg's recent posts, I believe that branding and
>> contractual provisions provide an equivalent level of transparency and
>> control.
>>  
>> I'm not sure if this concept should reside in the definition of tracking,
>> or if it should sit elsewhere. I'm open to the input of the group.
>>  
>> Alternatively, we can insert this concept into the definition of First Party
>> or attempt to address data collection by context rather than by party. The
>> rationale behind the latter is that it reduces likely confusion about who is
>> a party under each specific use case, and aligns better with user
>> understanding and expectations about how data will be processed.
>>  
>> As this is an important issue that could be placed in a number of sections of
>> our specification, I'm opening up a separate issue to help ensure it doesn't
>> fall through the cracks.
>> 
>> Alan 
> 

Received on Wednesday, 2 October 2013 21:50:02 UTC