RE: first parties

Catching up on email - I also prefer the simpler version, especially as we seemed to be nearing consensus on that point.

I do think that we need to concentrate on some basic definitions, too, in order to ensure that we are all talking about the same scenario.

Thanks,

Amy

From: David Wainberg [mailto:dwainberg@appnexus.com]
Sent: Friday, October 07, 2011 12:19 PM
To: Shane Wiley
Cc: Clay Webster; Amy Colando (LCA); Aleecia M. McDonald; public-tracking@w3.org
Subject: Re: first parties

I tend to prefer the initial version: "This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request." (Though, the MAY clause is superfluous. See below.)

However, I am still concerned that we have not agreed on a definition of first party. I even wonder whether ultimately 1st vs 3rd party is the right paradigm for applying DNT. We don't know until we dig into the definitions and start to think out the distinctions that are relevant to the meaning of DNT. As we've discussed, the technical definition of a 3rd party call does not map perfectly to a real-world view of who is a 1st party.

As to the proposed MAY's or SHOULD's, while I certainly share the desire to encourage appropriate notice from all companies, we should constrain the definition of the DNT standard to what exactly parties must do in response to receiving a DNT signal. In my view it is beyond the scope of this standard to make any suggestions regarding entities' practices outside of their data collection or use upon receipt of a DNT. Moreover, we have enough complex issues to sort in regard to what parties must actually do that it's not worthwhile to burn cycles delving into mushy standards for what parties may or should do. And, finally, whereas a SHOULD is clearly optional in a technical context, this use is in a legal/policy context, and could be interpreted more strongly than intended.


On 10/7/11 12:51 AM, Shane Wiley wrote:
Clay,

"This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request and SHOULD provide appropriate notice in what manner they support Do Not Track."

I should have called it out more expressly but it was my assumption the standard will outline "appropriate notice" for any party (primarily 3rd party) to disclose their support of DNT so I left it as an open element yet to be defined in the latest draft of this statement.

- Shane

From: Clay Webster [mailto:clay.webster@cbsinteractive.com]
Sent: Thursday, October 06, 2011 5:58 PM
To: Shane Wiley; Amy Colando (LCA); Aleecia M. McDonald; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: first parties

On Thu, Oct 6, 2011 at 5:34 PM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:

With Tom's Addition:
"This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request and SHOULD improve notice with respect to DNT."

I agree with the Initial Statement but feel that Tom's request was out of scope to suggest first parties must improve notice across the board (not just with respect to DNT).

I would suggest the following (hopefully a winning middle-ground):
"This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request and SHOULD provide appropriate notice in what manner they support Do Not Track if they chose to do so."

I could agree with this.  I think the "if they chose to do so" could be left off given that it's a SHOULD.

What form(s) would "appropriate notice" normally take?

--cw

Clay Webster
Associate Vice President, Platform Infrastructure
T 908-541-3724   F 908-575-7474
1200 Route 22 East, Bridgewater NJ 08807

[https://gadgets.cbsinteractive.com/resources/cbs-interactive-logo.gif]