W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011


From: Jonathan Mayer <jmayer@stanford.edu>
Date: Tue, 1 Nov 2011 10:38:08 -0700
Message-Id: <38784E8F-E734-45AF-A6BE-2F71737E4E31@stanford.edu>
To: Tracking Protection Working Group WG <public-tracking@w3.org>

The text below reflects (I think) our consensus in Santa Clara on outsourcing.

If a first-party website outsources functionality to a third-party website, the third party may act as a first party under this standard so long as all of the following conditions are met when responding to a Do Not Track request.

1) The third-party website takes reasonable technical precautions.

Non-normative: One component of reasonable technical precautions may be using the same-origin policy to segregate information for each first-party customer.

2) The third-party website makes public commitments in a form that renders them legally enforceable by its first-party customer, individual users, and regulators.

This leaves at least four open sub-issues on outsourcing:

1) What is the scope of "outsourcing"?  Is the third party just stepping into the first party's shoes?  Or does it have some independent discretion in using data for its own purposes (e.g. for "product improvement" and "aggregate statistics" as Shane and Jules have proposed)?  Here's my language from earlier in the month:
> -the third party will not use the data it collects except as directed by the first party
> -the third party will only use the data it collects to provide functionality to the first party; it will not use the data it collects for its own purposes
> -the third party will not share the data it collects except with the first party
> -if the first party requests, the third party will promptly delete the data it has collected
> -if the first party closes its account, the third party will promptly delete the data it has collected

2) What are the third party's technical precautions for?  Preventing the collection of cross-site tracking data?  Siloing data per first-party customer?

3) What are the factors that go into a reasonable technical precaution?  (Note: this depends on what the precaution is for.)  Here's my old language:
> -the extent to which the technical precautions prevent the collection of cross-site tracking data
> -whether the technical precautions are externally verifiable
> -the extent to which the technical precautions impede the third-party website's other functionality

4) Is there a MUST or SHOULD for reasonable internal controls?  Old language:
> 2) The third-party website imposes reasonable internal controls to prevent the collection, retention, and use of cross-site tracking data.  Reasonable internal controls may consist of, among other practices, data segregation, encryption, access control, and employee training.
> Example:
> Example Analytics collects data on behalf of first-party websites in a single database table that all employees have access to.
> Discussion:
> Example Analytics has not imposed reasonable internal controls.
Received on Tuesday, 1 November 2011 17:41:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:27 UTC