- From: Justin Brookman <jbrookman@cdt.org>
- Date: Tue, 8 Oct 2013 17:57:47 -0400
- To: David Wainberg <dwainberg@appnexus.com>
- Cc: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-Id: <DA4CEBFF-B633-4EC9-9BDF-FC021D7FBE76@cdt.org>
On Oct 8, 2013, at 5:46 PM, David Wainberg <dwainberg@appnexus.com> wrote: > Hi Justin, > > First, note that I will propose contextual definitions to replace the party definitions under 221. The matrix of rules was intended to illustrate how thinking contextually greatly simplifies the expression of the rules. > > I agree the current draft is highly context dependent. In fact, that's my point. It's all context dependent, yet it's written in terms of parties. The rules apply to context and data, not to parties, especially since parties change or data is passed between parties. By defining the rules in terms of context, we make the rules much clearer. Thanks, David, this is helpful. If I understand it correctly, nearly all of this is editorial then. You would still need definitions of "first party" and "third party" but they would be adjectives (to describe context) instead of nouns. That said, I don't quite take what you mean by "parties change, or data is passed between parties" --- presumably the underlying rules for what a party could do with data don't actually change under your proposed revision. Or are you proposing to delete the word "party" too? > > And, yes, a number of editorial changes would flow from the change to make the draft consistent with the contextual rather than party approach. > > Here's an example. The current draft says in section 5.2.2: > > Third parties must provide public transparency of the time periods for which data collected for permitted uses are retained. The third party may enumerate different retention periods for different permitted uses. Data must not be used for a permitted use once the data retention period for that permitted use has expired. After there are no remaining permitted uses for given data, the data must be deleted or de-identified. > > This is a requirement that applies outside of a network interaction. Who are the Third Parties to whom this transparency requirement applies? What we really mean is that the rule applies for data collected in a 3rd party context: > > "All parties must provide public transparency for the time periods for which data collected in a 3rd party context is retained for permitted uses. Parties may enumerate * * *. Data that was collected in a 3rd party context must not be used for a permitted use once the data retention period for that permitted use has expired. * * *" Right, but presumably parties that never appear in a third-party context would not have to make such representations. That is, publishers wouldn't have to affirmatively say "We don't collect or retain data in a third-party context." Again, all this is editorial I think. > > -David > > > On 2013-10-08 5:21 PM, Justin Brookman wrote: >> Hi David, >> >> I'm still struggling to understand what your proposal means, or even how it differs in principle from the current editors' draft. >> >> Under the current compliance standard, the rules for collection and use are already *heavily dependent upon context*: If you're a third party, you can only collect and use data pursuant to operational permitted uses or user-granted exception. This remains true even when the third party later engages with the user in a first party context. >> >> For first parties, they can do whatever they want in the first party context except evade the standard (details on how that works still being worked out). There is an open issue over what first parties who collect data can do in a later third-party context. >> >> So the standard is already heavily context-dependent --- your matrix is currently addressed in the standard. I read your proposal to just ask for the deletion of first and third party from the compliance spec, which would remove (some of) the contextual language from the current standard without offering replacement text. Simply deleting the definitions of first and third party without more doesn't make logical sense within the current document; you would need to change the subsequent operational language as well. And I'm afraid I don't understand how what you're envisioning differs from what the document currently accomplishes. >> >> On Oct 8, 2013, at 5:02 PM, David Wainberg <dwainberg@appnexus.com> wrote: >> >>> Hi All, >>> >>> Proposal: eliminate the definitions for first and third party and instead define the contexts of data collection and use, per ISSUE-221. >>> >>> Rationale: Defining contexts of collection and use, rather than parties, is more precise and clear, and so will avoid confusion and misinterpretation of the spec. Speaking in terms of context goes right to the point. Parties are not inherently one or the other. Company X is a party. Is it a first party or a third party? We don't know until we see the context in which it is collecting or using data at any given moment. So let's just talk about the context, then. >>> >>> Or, to put it slightly differently, parties can morph between 1st and 3rd. They can hold data that was collected in either context and they can use data in either context. But what matters is that context in which the data is collected or used. And the DNT signal carries over with the data, even as the party switches contexts. Therefore 1st or 3rd-ness is really a property of the data, not of the party. And, it follows that it's clearer to talk about applying rules to the data rather than to parties. >>> >>> Thanks for considering this change. >>> >>> -David >> >
Received on Tuesday, 8 October 2013 21:58:19 UTC