Re: [meetings] Privacy Principles for Web Advertising Features - Editorial Group (#18)

I'm unable to join the call today. The following are my initial observations concerning the draft W3C Privacy Principles. @AramZS @seanturner please could you draw the groups attention to this comment during the agenda item.

The W3C Privacy Principles document as drafted is not fit to be included in the work of the PATCG or the contemplated Working Group for at least the following reasons.

Consumers make decisions based on factors including brand recognition, their understanding of the agreement, laws and rules, and the risk of harm. This document proposes restricting consumer sovereignty, interfering in trust choices between service providers and consumers, and perpetuates misinformation related to first and third parties [1].

It would be a matter of concern for policy makers if consumer sovereignty were undermined or usurped by corporate interests.

The W3C Privacy Principles need to assist consumers, not perpetuate the goals of highly recognizable brands.

A more detailed analysis of the W3C Privacy Principles will be provided in due course to this group, W3C members, and TAG.

W3C Director establishing a Legal Advisory Group would provide horizontal review of W3C Privacy Principles document concerning competition and privacy matters.

[1] See their [joint statement from ICO (privacy) and CMA (competition) May 2021](https://ico.org.uk/media/about-the-ico/documents/2619797/cma-ico-public-statement-20210518.pdf). Extract follows.

> Data is sometimes categorised according to the relationship between the party collecting and processing it and the individual or circumstance it relates to:

> • First-party data: data that is collected by a business through direct interaction with an individual providing or generating the data. For example, data collected by an online retailer regarding purchases made by consumers on its site. 

> • Third-party data: data collected by a business not in direct interaction with the individual providing or generating the data, for example, through business partners. Digital firms that do not have a direct relationship with users frequently rely on third-party data.

> The boundaries between first and third-party data according to the above definition are not always clear, particularly when large companies own a variety of businesses, some of which have a relationship with the user and some of which do not.
Both first-party and third-party data as defined above can include personal and non personal data. Whether information is personal data depends on whether it relates to an identified or identifiable individual. There is no explicit reference to the distinction between first-party and third-party data in data protection law.

> The descriptions of ‘first party’ and ‘third party’ are also used (though with a different meaning) in the context of cookies and similar technologies,10 which collectively form the key means by which information (including personal data) is collected and disseminated in online advertising. A cookie is generally identified as being first-party if the domain of the cookie matches the domain of the page visited and as being third-party in instances where the domain of the cookie does not match the domain of the website. This is not a rigid distinction. Some functions typically delivered through third party cookies can be done via first party cookies, even if a third party’s code and associated service is still involved.

> The rules on the use of cookies and similar technologies are specified in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (as amended) (‘PECR’), and oversight of these rules is one of the ICO’s regulatory functions. PECR provides more specific rules than the UK GDPR in a number of areas such as cookie use. It is also important to note that PECR’s provisions in this area apply whether or not personal data is processed.

-- 
GitHub Notification of comment by jwrosewell
Please view or discuss this issue at https://github.com/patcg/meetings/issues/18#issuecomment-1131931624 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 19 May 2022 16:26:44 UTC