- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Fri, 18 Nov 2011 02:42:14 -0600
- To: Ed Felten <ed@felten.com>
- Cc: Mike Zaneis <mike@iab.net>, "<public-tracking@w3.org>" <public-tracking@w3.org>
- Message-Id: <4D990BC0-860B-4E10-B882-578FBBB0DC31@stanford.edu>
Agreed. Between the discussion in Santa Clara, this thread, and these threads, I think we're very close to a consensus on first-party obligations. Some time ago I drafted this text for the compliance document: > First-Party Requirements: > This standard imposes no requirements on first-party websites. A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request. Here's what I would now propose: First-Party Website Requirements 1. Transfer of Data to a Third-Party Website A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard. A first-party website MAY otherwise transfer data to a third-party website. 2. Additional Voluntary Measures A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request. a. Example Voluntary Measures (Non-Normative) […] ...and then... Third-Party Website Requirements 1. Transfer of Data from a First-Party Website If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself. Jonathan (tags: ISSUE-17, ISSUE-51) On Nov 17, 2011, at 2:37 PM, Ed Felten wrote: > It seems to me that there might be substantial agreement here. As I > understand John, he was positing two reasons for sending a DNT flag to > first parties: (1) when DNT is enabled, first parties shouldn't > circumvent the limits on third-party collection by collecting data and > then sharing it with third parties, and (2) some first parties might > choose voluntarily to go beyond what the standard requires when they > see a DNT flag. > > On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net> wrote: >> This is where there is a fundamental split amongst the parties. We had a >> discussion several weeks ago about the first party obligations and I pointed >> out that IAB and my member companies generally support the U.S. FTC position >> that consumers don't expect first parties to be subject to such >> restrictions. Those positions have not changed. >> >> Mike Zaneis >> SVP & General Counsel, IAB >> (202) 253-1466 >> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org> >> wrote: >> >> Shane, >> I don't understand why we would say that a 1st party most likely will not be >> subject to the DNT signal. If we continue to use the 1st party/ 3rd party >> distinction, it will likely (almost certainly) have different and probably >> fewer obligations than a third party. It should still be subject to the >> signal. >> As a user I want the 1st party site to know that I have DNT configured. As >> a 1st party site operator I want to know a visitor has configured DNT and is >> sending me the signal. There will be some "musts", ie not sharing data from >> a DNT configured user with 3rd parties, but if I am a responsible site >> operator I may chose to go further in honoring the DNT request. For >> instance I might chose to not even include the visitor in my analytics. I >> need to know if DNT is configured and the way this happens is by being >> subject to the DNT signal. >> The obligations are different, but its important that we think of all sites >> being subject to the DNT signal, once it is configured in the browser. >> >> 73s, >> John >> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote: >> >> Karl, >> >> This statement is an attempt to remove the concern that a 1st party, which >> will mostly likely not be subject to the DNT signal, does not have a >> backdoor opportunity to pass user data directly to a 3rd party (aka - >> closing a loop-hole). 3rd parties present on the 1st party's web site >> should honor the DNT signal directly. >> >> - Shane >> >> -----Original Message----- >> From: Karl Dubost [mailto:karld@opera.com] >> Sent: Thursday, November 17, 2011 5:40 AM >> To: Shane Wiley >> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark >> Nottingham; <public-tracking@w3.org> >> Subject: Re: "cross-site" >> >> >> Le 16 nov. 2011 à 23:30, Shane Wiley a écrit : >> >> Alter statement to read "First parties must NOT share user specific data >> with 3rd parties for those user who send the DNT signal and have not granted >> a site-specific exception to the 1st party." This will leave room for >> sharing with Agents/Service Providers/Vendors to the 1st party -- as well as >> sharing aggregate and anonymous data with "others" (general reporting, for >> example). >> >> I guess you mean >> s/DNT signal/DNT:1 signal" >> >> Trying to understand what you are saying. >> >> 1. User sends DNT:1 to a website with domain name www.example.org >> 2. www.example.org collects data about the user >> (IP address and categories of pages the user visits) >> 3. Company Acme Hosting Inc. (a 3rd party) has access to these >> data NOT through the Web but through an access to the logs file. >> >> >> What is happening? >> >> >> -- >> Karl Dubost - http://dev.opera.com/ >> Developer Relations & Tools, Opera Software >> >> >> >> ---------- >> John M. Simpson >> Consumer Advocate >> Consumer Watchdog >> 1750 Ocean Park Blvd. ,Suite 200 >> Santa Monica, CA,90405 >> Tel: 310-392-7041 >> Cell: 310-292-1902 >> www.ConsumerWatchdog.org >> john@consumerwatchdog.org >> > >
Received on Friday, 18 November 2011 08:42:55 UTC