- From: Georg Philip Krog <georg@signatu.com>
- Date: Wed, 1 Jul 2020 18:51:45 +0200
- To: "Harshvardhan J. Pandit" <me@harshp.com>
- Cc: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
- Message-ID: <CAPOUEwms-bhGX1EX51rB6f3o3F-mnfwvBjYCFf4x5nEJoQLJZA@mail.gmail.com>
Hi Harsh, Everyone.

Thank you for your comments. Please see my answers to your comments.

3) Analytics
Several of the vendors in Signatu 3rd party registry offer analytic tools that are integrated into sites (e.g. Matomo, Google Analytics, Hotjar etc). Several of these tools offer analytics/insights into end user behaviour without combining these tools with other tools. Hence, the “output” of such tools is “analytics” alone, e.g. events on URLs. It is up to the website owner to use this insight to achieve another purpose, e.g. personalisation. In my view, that is a new purpose.

4) Advertising
Advertising is a “big bucket” if one includes all the technologies that are used to programmatically serve an ad to an end user. However, if one looks at the end result for the end user, it is the end user that sees an ad on a site/app, and that ad was served based on different parameters which may or may not include the end user profile. If the latter was the case, then one could say it was a personalised ad.

“Marketing” is often used for direct marketing towards an end user, e.g. communication of marketing info via e-mail, sms etc. A topic of discussion in the e-Privacy Reg. is whether ad serving based on profiling is direct marketing.

5) Cloud infrastructure and traffic distribution
Agree. “Cloud infrastructure and traffic distribution” is a further specification.

6) Communication is the same as customer care.

7) Document consent are the words used in the GDPR (Article 7.1). I am fine with record consent. However, some contend that “record” is not a requirement.

8) Content Management
Agree that it falls under Service Provision. So does “Cloud infrastructure and traffic distribution”. Our customers wanted to be more specific, and thus wanted “Content Management” to enable end users to understand that one technology allows a site owner to create, design and store content while another technology would distribute the content.

9) Customer Management is about managing the lifecycle of a customer (who are prospective customers? Who are existing customers one can “upsale” to? Who are terminated customers? etc) and is not about customer support.

11) Marketing should be added. It is defined in the ePD and in the upcoming ePR and also in many national marketing laws.

13) Payment and fraud detection should be separate classes/categories.

14) Personalisation depends on/is enabled by profiling, so are these two different purposes or one?

15) Survey and Reviews - agree that it is what is being done with the survey data that is the purpose.

16) Search can be search within or outside a site, so not necessarily Service Provision.

17) Security - agree with you.

18) Single Sign-on - agree with you.

19) Social Media - Isn't this part of Marketing? Yes. One can integrate social media on a site to lead end users to the site's social media accounts, or one can embed social sharing buttons etc to enable end users to share content from the site.

20) Tag management is a technology that allows a site to determine which tags should fire where and when etc.

Regards,
Georg

On Tue, Jun 30, 2020 at 3:40 PM Harshvardhan J. Pandit <me@harshp.com> wrote:

> Hi Georg, Everyone.
> Thank you for suggesting the purpose categories.
>
> There are two things within the email that I want to separate in terms
> of context here: purpose and purpose category.
> My interpretation of this is that the category is a top-level abstract
> concept and the purpose is a more specific iteration of it.
>
> 1) Network Communication
> - I honestly do not understand this in terms of 'purpose', but from what
> little I can grasp - it concerns network connectivity? Someone better
> informed about this should identify how this fits with the DPV taxonomies.
> - As an additional note on the email: We do not quantify within the
> DPVCG (yet) about the legal bases required for certain purposes.
> Therefore, I have ignored aspects of legal bases e.g. requires consent
> - This raises an interesting body of work: should the DPV provide a way
> to associate legal bases for specific purposes or processing items or
> personal data categories (or combinations thereof). From my pov - this
> is specifying policies and interpretations of laws. So if there is
> interest - we should note it as a use-case and work on best supporting
> it in terms of providing necessary vocabulary.
>
> 2) Essential functionality
> - This is again completely subjective given that essentiality changes
> with context. I also do not understand this as a purpose category.
> - In line with the earlier point - should DPV provide a way to indicate
> a purpose is 'essential', or to put it in more legal terms - specify a
> purpose as based on a certain legal basis such as legitimate interest or
> legal obligation to indicate it is not optional.
>
> 3) Analytics
> - This is tricky for me to clarify. DPV does not have 'analytics' as a
> purpose because (if I remember the workshop discussions correctly) we
> decided that whatever the analytics is being used for is the actual
> purpose e.g. personalisation, optimisation.
> - So within this context, how to indicate analytics as a (sub-)purpose
> associated with a larger purpose? Is 'analytics' possible to be
> expressed as a combination of analytics (processing) for personalisation
> (purpose)
>
> 4) Advertising
> - DPV does not contain 'advertising' as a purpose category (again some
> discussion happened at the workshop)
> - DPV does contain personalised products, recommendations, benefits. So
> where does 'advertising' fit in to these?
> - To me, when 'advertising' is a purpose it means 'personalised
> advertising' -> which should be a subset of personalised
> recommendations? Is there some weird cross with Marketing here?
>
> 5) Cloud infrastructure and traffic distribution
> - I don't understand this as a 'purpose' - same issue as (1) network
> - Seems to me that this is relevant to 'Service Provision' that is
> present in DPV?
>
> 6) Communication
> - Where does this fit into the existing DPV taxonomy?
> - We have customer care, is this the same?
>
> 7) Document consent
> - alternative title for this should be 'record consent' which is IMHO
> more clear and consistent with common usage
> - I would suppose this is a legal requirement, so as a purpose where
> does this fit? Service Provision?
> - This also brings up the larger issue of what to call purposes that are
> there because they are legal obligations e.g. share data with the
> authorities
>
> 8) Content Management
> - This falls under Service Provision IMO
> - However, the definition notes that this applies also to 3rd party
> content including advertising - so I'm skittish about this because this
> makes the purpose not independent of advertising
>
> 9) Customer Management
> - DPV has customer care - but the definition is different from Signatu's
> - Customer Management here is defined in terms of registering
> prospective customers etc -> is this profiling? is this analytics?
>
> 10) E-commerce
> - DPV has sell products to data subject
>
> 11) Marketing
> - DPV does not have marketing, we have dpv:CreateProductRecommendations
> which mentions svpu:Marketing (SPECIAL) as a related term
> - IMHO it should have marketing as a basic purpose category
> - Note: Personalised Marketing is then a subset of Marketing
>
> 12) Optimisation
> - DPV has optimisations for consumer, controller, optimisation of UI/UX
>
> 13) Payment
> - DPV does not have payment
> - IMHO it should have payment - but the title needs to better reflect
> its indication of transaction
> - Fraud Prevention and Detection - which is mentioned in the description
> of payment in Signatu's description, is present in DPV
> - This raises the issue of purpose dependencies - here fraud detection
> is a 'sub-purpose' of payment. How to specify this using the DPV?
> - When done by subclassing both (payment + fraud detection), it is not
> clear which is 'primary' and 'secondary' in terms of application here.
>
> 14) Personalisation
> - DPV provides personalisation for recommendations, benefits, and
> service personalisation
> - Signatu's description mentions ads and user profiling which are
> different purposes (continuing from previous points on this)
>
> 15) Survey and Reviews
> - Not sure how one would interpret this, but DPV has R&D as well as
> improvement of existing products
> - IMHO provision of a survey is not a purpose into itself. It is what is
> being done with the survey data that is the purpose. So if it is
> understanding user requirements - then the purpose should be analytics
> or R&D (AFAIK)
> - Other aspects mentioned in the description e.g. review, rate service,
> read other reviews - seem to me to be Service Provision
>
> 16) Search
> - Service Provision?
>
> 17) Security
> - DPV has Security as a purpose but the description only mentions data
> which IMO should be amended to a more generic description of security
>
> 18) Single Sign-on
> - DPV has identity verification - so this would be a subset of that?
> - Defining this purpose seems to imply using a third-party for identity
> verification purposes
>
> 19) Social Media
> - Isn't this part of Marketing?
>
> 20) Tag management
> - I don't know what this purpose means or how this relates to purposes
> in DPV
>
> 21) Registration and Authentication
> - IMO this is covered with Identity Verification
>
> Regards,
> Harsh
>
>
> On 23/06/2020 10:36, Georg Philip Krog wrote:
> > Dear DPV folks,
> >
> > Signatu contributes to the DPV with some *purpose categories* (in the
> > table below).
> > These are typical processing purposes of the 3rd parties (in Signatu 3rd
> > party registry) that load remote resources on websites to track end users.
> >
> > Some of these categories overlap with those in the existing DPV.
> >
> > Purpose category | Tag vendorCategories | Description | Purpose
> > Network Communication | signatu:network-communication | Site sets cookies to carry out the transmission of a communication over an electronic communications network (to route information over a network by identifying the communication ‘endpoints’, or to exchange data items in their intended order, or to detect transmission errors or data loss) Does not require consent. | to transmit users’ communication to us and from us back to users over an electronic communications network. If the cookies are disabled, the requested functionality will not work.
> > Essential Functionality | signatu:service-provision | A resource used on a site that 1) the user takes a positive action to request the service with a clearly defined perimeter, 2) is strictly needed to enable the service; if the resources are disabled, the service will NOT work. Does not require consent. | to deliver this service as requested by the user. If the cookies are disabled, the requested functionality will not work.
> > Non-essential Functionality | signatu:service-functionality | A resource used on a site that 1) the user did NOT take a positive action to request the service with a clearly defined perimeter, 2) is NOT strictly needed to enable the service; if the resources are disabled, the service will work. Requires consent. | to deliver functionalities that the user did not request or that are not strictly needed to enable the service. If the cookies are disabled, the requested functionality may not work.
> > Analytics | signatu:analytics | A platform that measures and reports user interaction with a website. | to report user behaviour and events on this service and traffic on pages.
> > Advertising | signatu:audience-targeting | A provider of technology and data to define a target audience of a target market for a particular advertisement or message. | to deliver to users personalised ads that we predict users like to view based on users’ profile and previous browsing behaviour.
> > Cloud Infrastructure and Traffic Distribution | signatu:cloud | An infrastructure of servers, software and network to support computing in a cloud computing model. | to distribute the content of this service, analyze the data to optimize server performance, or to find and resolve problems of our software that prevent its correct operation.
> > Communication: email, phone, sms, chat, push messages | signatu:communication | A technology that enables communication between parties such as email, phone or chat between a website and its users. | to communicate with users via email, phone, sms, chat or push messages regarding your requests.
> > Document Consent | signatu:compliance | A technology that enables a website or app to comply with the law, such as a Consent Management Platform that records end users' consent. | to record users’ consent events, dates and times of consents, user IDs or unique cookie IDs.
> > Content Management | signatu:content-management | A platform to manage the 1st and 3rd party content (including advertising) of a website. | to enable users to view, listen to and interact with content delivered on a page of this service.
> > Customer Management | signatu:crm | A platform that registers prospective, existing and lost customers. | to register prospective, existing and lost customers to track sales.
> > E-commerce | signatu:e-commerce | A platform that sells products and/or services online. | to offer and carry out sales of products and services online.
> > Marketing | signatu:marketing-tool | A technology that enables companies to market their services and/or products. | to register users’ phone number and/or email on our marketing phone list and/or email list, and to phone you, send you sms, send you email messages and/or web and mobile push messages. These messages contain information about our products, services, promotions. You can unsubscribe at any time.
> > Optimisation | signatu:optimisation | A platform that enables websites, apps etc to improve sales and users’ experience. | to test and compare versions of a page of this service to know which version performs best, and to identify and correct errors in our software.
> > Payment | signatu:payment | A platform that transacts a payment. | to process users’ payment transactions, and send emails to users regarding users’ payments, and to monitor, prevent and detect fraudulent payment transactions.
> > Personalisation | signatu:personalisation | A technology that enables the creation of user profiles and showing users content or ads that are tailored to the interests and preferences of the user. | to deliver to users content that we predict users like to see on this service.
> > Surveys and Reviews | signatu:reviews | A platform that enables users to review and rate a service and/or a product, and also to read other users’ reviews. | to collect users’ market research answers or enable users to review and rate a service or a product or to read other users’ reviews.
> > Search | signatu:search | A web search engine that searches the World Wide Web in a systematic way for particular information specified in a textual web search query. | to search for particular information specified in users’ textual search query.
> > Security | signatu:security | A technology that enables breach protection. | to find security flaws, monitor our software for compromise, contain threats, and protect and secure our own and our users' environments.
> > Single Sign On | signatu:single-sign-on | A technology that enables users to use one set of login credentials (e.g., name and password) to access multiple applications. SSO can be used by enterprises, smaller organizations | to sign up or log in to this service by using social media authentication credentials.
> > Social Media | signatu:social | A platform that enables users to interact, communicate and share content with other users. | to optimise the advertisement and increase economic opportunity of this service by making it visible on social media.
> > Tag Management | signatu:tag-management | A technology used by websites to more easily activate, deactivate and manage 3rd party technologies, and, more recently, the data that they collect. | to activate or deactivate the technologies (tags, scripts etc) used on this service.
> > Registration and Authentication | signatu:verification | A technology that enables a website or an app to authenticate users and prevent fraud. | to register, authenticate and identify users to enable users to sign up or log in to this service.
> >
> >
> > Best regards,
> >
> > --
> > Georg Philip Krog
> >
> > signatu <https://signatu.com>
> >
> --
> ---
> Harshvardhan Pandit, Ph.D
> Researcher at ADAPT Centre, Trinity College Dublin
> https://harshp.com/research/
>

--
Georg Philip Krog
signatu <https://signatu.com>
Received on Wednesday, 1 July 2020 16:52:26 UTC