RE: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking


I believe you're asking this in the context of the DNT signal being active and I personally believe that would be correct - a 3rd party would not be able to leverage information collected from a user with a DNT signal to build a profile for targeting purposes.  There are many details to sort through but IMHO this is the very essence of the Traffic Protection Workgroup.

- Shane

From: Jeffrey Chester
Sent: Friday, December 02, 2011 7:16 AM
To: Shane Wiley
Cc: Chris Pedigo; John Simpson; Roy T. Fielding
Subject: Re: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking

Thanks.  This is very helpful.   Question:  So if I am on a first party site, and have signaled in some way that I didn't want to be tracked by such outside data sources, they cannot use it to target me?

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Dec 2, 2011, at 7:04 AM, Shane Wiley wrote:


I believe we may be talking past one another in this case and there is already substantial agreement in this area.  For example, when you call out "RTB, DSPs, ad data desks, etc." in the statement below - these would almost always be considered 3rd party - which is where the working group is focusing its attention.  The prevailing position is that all 3rd parties are subject to the DNT signal with limited use exceptions (yet to be determined).   I believe this is aligned with your statements below.

- Shane

From: Jeffrey Chester
Sent: Thursday, December 01, 2011 8:53 AM
To: Chris Pedigo
Cc: John Simpson; Roy T. Fielding
Subject: Re: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking

The FTC has not yet finally resolved its opinion on First party vs third party sites, according to my discussions with them.  They say they don't have enough information--and we have now supplied them with details showing how the first and third party distinctions today are being obliterated by RTB, DSPs, ad data desks, etc.  Most users do not know the data collection and online profiling/targeting practices of websites, including OPA members.   OBA on a site is not really about recognizing a repeat customer--it's about a wide range of invisible and unaccountable engagement strategies that incorporate data analysis along with rich media, social media marketing, web optimization, "smart" ads--even neuromarketing, etc.  Rather than seeing DNT as a "kill switch," providing user control over a powerful process designed to influence their behavior and decision-making is a business practice that should benefit everyone.

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Nov 30, 2011, at 3:43 PM, Chris Pedigo wrote:

I appreciate John's note on the role of Consumer Watchdog to provide additional viewpoints for the W3C group to consider. I thought it would be helpful to add the viewpoint of the OPA on this issue.  The following is a summary of comments we submitted earlier this year:

Our members include many of the Internet's most respected brands and they collectively reach an unduplicated audience of 172.5 million unique visitors, or 83% of the U.S. online population.  Last year, OPA members invested approximately $750 million in the creation of high quality digital content, most of which they distribute free of charge.

Publishers know that their future ability to attract large consumer audiences to their digital properties will depend on consumers' trust.  As a result, OPA members are acutely aware of the need to respect consumers' privacy interests while pursuing their business objectives.

As noted earlier in a response on this issue, OPA shares the FTC's belief that collection and use of audience information for marketing purposes by companies that stand in a direct, first-party relationship with consumers have very different privacy implications than similar data collection and use by third parties (see ).   In a direct first-party relationship, consumers are more likely to understand why they received tailored recommendations and are in a better position to raise concerns about use of information about them, or to exercise choice by taking their business elsewhere.

These considerations sharply distinguish publishers' first-party data collection practices from the third-party behavioral advertising practices that have been the focus of much of the policy debate surrounding online privacy.  When behavioral advertising involves sharing data with ad networks or other third parties, as the FTC noted, the user "may not understand why he has received ads from unknown marketers based on his activities at an assortment of previously visited websites.  Moreover, he may not know whom to contact to register his concerns or how to avoid the practice."

Online publishers share a direct and trusted relationship with visitors to their websites.  In the context of this relationship, OPA members sometimes collect and use information to target and deliver the online advertising that subsidizes production of quality digital content.  While most advertising on OPA members' sites is contextual, some of this advertising is first-party behavioral or "semantic" advertising.  Such advertising uses information collected from visitors' past interactions with a member's website - typically collected anonymously - to deliver ads tailored to the inferred preferences and interests of visitors.   For example, if a website visitor views articles about NFL football games or searches the site for football coverage, he or she is unlikely to be surprised to receive, while on the same site, marketing for a commemorative Super Bowl coffee table book.  This is true even if the ad for the coffee table book was targeted based on the visitor's activity within the site during a prior browsing session.

The targeting of a behavioral advertisement by a first-party site is analogous to a sales clerk at a men's clothing store who recognizes a repeat customer and makes wardrobe suggestions based on the customer's past preferences for size, color and designers.  The same dynamic is involved when<> suggests books that a consumer might be interested in reading based on titles that the consumer previously purchased.  Given the direct relationship between the consumer and the merchant, the consumer naturally understands that the merchant is in a position to recognize and remember its customers' preferences and is not surprised when the merchant uses that information to suggest future purchases.  Accordingly, OPA strongly supports an exemption for the collection of data from a consumer with whom the company interacts directly for the purposes of marketing to that consumer and for the general operation and personalization of the site.  Such an exemption is also essential to protect the ability of online publishers to continue to monetize their investments in content through the delivery of standard display advertising.

For example, online publishers rely on IP address and cookie information to perform advertising functions as well as the general operation of the website.  Examples include:

* executing online campaigns in accordance with contractual requirements (such as geographical requirements, category or brand exclusivity commitments);
* capping the frequency with which an individual ad is displayed - a feature that benefits both advertisers and website users;
* complying with legal requirements (for example, it may not be lawful to advertise a pharmaceutical product approved in the U.S. to audience members in the U.K. or vice versa - IP addresses are used to limit campaigns to particular countries or regions);
* preventing click fraud;
* synchronizing and sequencing creative content, thereby enabling advertisers to "tell a story" through campaign elements that must unfold in a logical order;
* measuring audience size for reporting and inventory;
* identifying technical problems (i.e. when a site receives 100 calls to a home page, is it 100 individuals or 10 individuals having to request a page 10 times for a page to load?).

Without a robust first-party exemption (and related exemptions for operational purposes and sharing with service providers), DNT could operate as a "kill switch" for online advertising.  Given the pervasive and inextricable connections between user information and online advertising, the establishment of a choice mechanism to block collection and use of data for any advertising purpose would be tantamount to creating a right to receive news and information content without advertising.  Such a provision would be like requiring television stations to offer programming uninterrupted by commercials to any viewers who found commercials annoying.

OPA believes that a first-party exemption should permit the exchange and use of data among corporate affiliates that share a common brand or otherwise effectively disclose their affiliation relationships and follow substantially similar privacy policies.  Affiliated websites share many resources - including audience data - to improve the efficiency of their operations.  Moreover, it is not uncommon for features of a single website to be provided by separate but affiliated companies.   Any first party exemption should include affiliate-sharing within the scope of the first-party exemption to avoid disrupting the important operating efficiencies that exist in families of affiliated websites. The standard for affiliate sharing should not, however, focus exclusively on whether affiliated sites have the same brand identity because sites may effectively communicate their affiliation relationships to consumers through direct disclosures or in other ways.  OPA accordingly suggests a standard for affiliate sharing that permits the exchange of consumer data for marketing purposes between entities that (1) are affiliated by common majority ownership or management control, (2) adhere to substantially similar policies with respect to use and disclosure of consumer information and (3) disclose their affiliation through common branding or other clear and conspicuous means.

We hope these comments will be helpful for the group to consider.

From: John Simpson
Sent: Tuesday, November 29, 2011 7:08 PM
To: Roy T. Fielding
Subject: Re: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking


One of the reasons Consumer Watchdog is here, and other public interest organizations have been invited to participate, is to help identify concepts that the usual W3C participants, no matter how well-intentioned, may not have considered from the consumer point of view.

Though some -- perhaps many -- in this group define DNT to mean do not track me across non-same-branded sites, that is not how we believe a user will understand it. Users expect DNT to mean do not track what I'm doing, and don't necessarily make the distinction between activity on one site or across sites. I understand that the forthcoming study from Jon Peha and Aleecia on user expectations of DNT is likely to back this up. (Aleecia - What is the status of this research?)

Yes, it is certainly true that consumers are aware of and expect some 1st party tracking. For example most people expect Amazon to remember purchases and suggest purchases later. But that is primarily because we're all so familiar with Amazon's recommendation service. I have no expectation that the New York Times is tracking my reading habits, and using that information to advertise to me, or filter what articles I see next time I visit. Consumers are generally not aware of and do not expect the myriad ways sites track information.

It seems to me that this group should define DNT to conform as closely as possible to consumers' expectations, and that is much broader than merely limiting DNT to non-same-branded sites. While they expect DNT to apply to 1st party sites, I think they will accept the idea that the DNT requirements on 1st Party tracking are less stringent than those on 3rd party sites.

It then becomes incumbent on us to make clear the reasons for those exceptions and justify them to the user. However, if this group is going to define DNT to merely mean DNT across non-same-branded sites, it will be too far out of synch with user expectations. Consumers are likely to enable DNT, find out they're still being tracked by 1st parties against their expectations, and lose faith in the entire function.

In regards to private browsing mode: Although this feature gives consumers the option of preventing their online activities from being recorded on their own computer, it does not prevent any website, 1st or 3rd party, from collecting information on a session, including identifying user information such as IP address, and retaining it for future use. If it did, we'd already have a usable DNT option. Privacy mode -- aka "porn mode" -- protects the users' privacy from others who share the computer.  The classic public use example is that your spouse won't know you've been shopping for a gift for them...

As to companies not implementing DNT if it applies to analytics: it has already been suggested that analytics is a space where exceptions may apply. Fraud prevention is another area.

Best regards,

Tags: Issue-17,Issue-51, Issue-5
On Nov 28, 2011, at 5:42 PM, Roy T. Fielding wrote:

On Nov 28, 2011, at 5:13 PM, John Simpson wrote:


Sorry, I don't follow you. Why is DNT orthogonal to private browsing?  I'm simply trying to state what my expectation is as a user if I enable DNT.  I intuitively expect to interact with a 1st Party for that transaction, but why would I expect the site to continue to use that information for anything in the future if I have enabled DNT?

Because DNT does not mean "do not track".  It means do not track me
across non-same-branded sites. If you have a user expectation that
differs from that, then we need to fix that expectation (not DNT).

The expectation you expressed above is already implemented in browsers
as private browsing mode.  We have no need to duplicate it in DNT
because it can be turned on in addition to DNT.  That is a user choice.

I, as an implementor, will not implement DNT if it has a significant
impact on analytics beyond sharing data with 3rd parties.
There is no implied right to privacy regarding data provided by
a user when they deliberately choose to enter an establishment,
which means the stuff we see in access logs, first-party cookies,
and contracted analytics providers that silo data per site
should not be impacted by DNT.  It may well be impacted by other
regulations, depending on context, but not by DNT.


John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902

Received on Friday, 2 December 2011 15:02:54 UTC