Re: "cross-site"

Agreed.  Between the discussion in Santa Clara, this thread, and these threads, I think we're very close to a consensus on first-party obligations.  Some time ago I drafted this text for the compliance document:

> First-Party Requirements:
> This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request.

Here's what I would now propose:

First-Party Website Requirements

1. Transfer of Data to a Third-Party Website
A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard.  A first-party website MAY otherwise transfer data to a third-party website.

2. Additional Voluntary Measures
A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request.

a. Example Voluntary Measures (Non-Normative)
[…]

...and then...

Third-Party Website Requirements

1. Transfer of Data from a First-Party Website
If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself.

Jonathan

(tags: ISSUE-17, ISSUE-51)

On Nov 17, 2011, at 2:37 PM, Ed Felten wrote:

> It seems to me that there might be substantial agreement here.  As I
> understand John, he was positing two reasons for sending a DNT flag to
> first parties: (1) when DNT is enabled, first parties shouldn't
> circumvent the limits on third-party collection by collecting data and
> then sharing it with third parties, and (2) some first parties might
> choose voluntarily to go beyond what the standard requires when they
> see a DNT flag.
> 
> On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net> wrote:
>> This is where there is a fundamental split amongst the parties. We had a
>> discussion several weeks ago about the first party obligations and I pointed
>> out that IAB and my member companies generally support the U.S. FTC position
>> that consumers don't expect first parties to be subject to such
>> restrictions.  Those positions have not changed.
>> 
>> Mike Zaneis
>> SVP & General Counsel, IAB
>> (202) 253-1466
>> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org>
>> wrote:
>> 
>> Shane,
>> I don't understand why we would say that a 1st party most likely will not be
>> subject to the DNT signal.  If we continue to use the 1st party/ 3rd party
>> distinction, it will likely (almost certainly) have different and probably
>> fewer obligations than a third party. It should still be subject to the
>> signal.
>> As a user I want the 1st party site to know that I have DNT configured.  As
>> a 1st party site operator I want to know a visitor has configured DNT and is
>> sending me the signal.  There will be some "musts", ie not sharing data from
>> a DNT configured user with 3rd parties, but if I am a responsible site
>> operator I may chose to go further in honoring the DNT request.  For
>> instance I might chose to not even include the visitor in my analytics. I
>> need to know if  DNT is configured and the way this happens is by being
>> subject to the DNT signal.
>> The obligations are different, but its important that we think of all sites
>> being subject to the DNT signal, once it is configured in the browser.
>> 
>> 73s,
>> John
>> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:
>> 
>> Karl,
>> 
>> This statement is an attempt to remove the concern that a 1st party, which
>> will mostly likely not be subject to the DNT signal, does not have a
>> backdoor opportunity to pass user data directly to a 3rd party (aka -
>> closing a loop-hole).  3rd parties present on the 1st party's web site
>> should honor the DNT signal directly.
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Karl Dubost [mailto:karld@opera.com]
>> Sent: Thursday, November 17, 2011 5:40 AM
>> To: Shane Wiley
>> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark
>> Nottingham; <public-tracking@w3.org>
>> Subject: Re: "cross-site"
>> 
>> 
>> Le 16 nov. 2011 à 23:30, Shane Wiley a écrit :
>> 
>> Alter statement to read "First parties must NOT share user specific data
>> with 3rd parties for those user who send the DNT signal and have not granted
>> a site-specific exception to the 1st party."  This will leave room for
>> sharing with Agents/Service Providers/Vendors to the 1st party -- as well as
>> sharing aggregate and anonymous data with "others" (general reporting, for
>> example).
>> 
>> I guess you mean
>> s/DNT signal/DNT:1 signal"
>> 
>> Trying to understand what you are saying.
>> 
>> 1. User sends DNT:1 to a website with domain name www.example.org
>> 2. www.example.org collects data about the user
>>   (IP address and categories of pages the user visits)
>> 3. Company Acme Hosting Inc. (a 3rd party) has access to these
>>   data NOT through the Web but through an access to the logs file.
>> 
>> 
>> What is happening?
>> 
>> 
>> --
>> Karl Dubost - http://dev.opera.com/
>> Developer Relations & Tools, Opera Software
>> 
>> 
>> 
>> ----------
>> John M. Simpson
>> Consumer Advocate
>> Consumer Watchdog
>> 1750 Ocean Park Blvd. ,Suite 200
>> Santa Monica, CA,90405
>> Tel: 310-392-7041
>> Cell: 310-292-1902
>> www.ConsumerWatchdog.org
>> john@consumerwatchdog.org
>> 
> 
> 

Received on Friday, 18 November 2011 08:42:55 UTC