- From: JC Cannon <jccannon@microsoft.com>
- Date: Fri, 18 Nov 2011 15:43:24 +0000
- To: Shane Wiley <wileys@yahoo-inc.com>, Jonathan Mayer <jmayer@stanford.edu>, Ed Felten <ed@felten.com>
- CC: Mike Zaneis <mike@iab.net>, "<public-tracking@w3.org>" <public-tracking@w3.org>
- Message-ID: <DB4282D9ADFE2A4EA9D1C0FB54BC3BD7681C1BD9@TK5EX14MBXC139.redmond.corp.microsoft.>
I would expect an exclusion for first parties sending data to a third party as needed to fulfill a transaction on the part of the first party such as order fulfillment.

JC
Twitter<http://twitter.com/jccannon7>

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Friday, November 18, 2011 7:32 AM
To: Jonathan Mayer; Ed Felten
Cc: Mike Zaneis; <public-tracking@w3.org>
Subject: RE: "cross-site"

Jonathan,

I believe this is very close. 2 Possible Issues:

- 1. Transfer of Data to a Third-Party Website: As long as "under this standard" can be taken to mean "when the DNT:1 signal is received" - then we're good. The way this is written now it could be implied that this is true in all cases which is beyond the scope of this working group.
- 1. Transfer of Data from a First-Party Website: As long as it is "with respect to honoring a user's DNT:1 signal" then we're good. The way this is written now it could be implied that this is true in all cases which is beyond the scope of this working group.

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Friday, November 18, 2011 12:42 AM
To: Ed Felten
Cc: Mike Zaneis; <public-tracking@w3.org>
Subject: Re: "cross-site"

Agreed. Between the discussion in Santa Clara, this thread, and these<http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0001.html> threads<http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0021.html>, I think we're very close to a consensus on first-party obligations.

Some time ago I drafted this text for the compliance document:

First-Party Requirements: This standard imposes no requirements on first-party websites. A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request.

Here's what I would now propose:

First-Party Website Requirements

1. Transfer of Data to a Third-Party Website
A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard. A first-party website MAY otherwise transfer data to a third-party website.

2. Additional Voluntary Measures
A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request.

a. Example Voluntary Measures (Non-Normative)
[...]

...and then...

Third-Party Website Requirements

1. Transfer of Data from a First-Party Website
If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself.

Jonathan

(tags: ISSUE-17, ISSUE-51)

On Nov 17, 2011, at 2:37 PM, Ed Felten wrote:

It seems to me that there might be substantial agreement here. As I understand John, he was positing two reasons for sending a DNT flag to first parties: (1) when DNT is enabled, first parties shouldn't circumvent the limits on third-party collection by collecting data and then sharing it with third parties, and (2) some first parties might choose voluntarily to go beyond what the standard requires when they see a DNT flag.

On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net<mailto:mike@iab.net>> wrote:

This is where there is a fundamental split amongst the parties. We had a discussion several weeks ago about the first party obligations and I pointed out that IAB and my member companies generally support the U.S. FTC position that consumers don't expect first parties to be subject to such restrictions. Those positions have not changed.

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466

On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>> wrote:

Shane,

I don't understand why we would say that a 1st party most likely will not be subject to the DNT signal. If we continue to use the 1st party/3rd party distinction, it will likely (almost certainly) have different and probably fewer obligations than a third party. It should still be subject to the signal.

As a user I want the 1st party site to know that I have DNT configured. As a 1st party site operator I want to know a visitor has configured DNT and is sending me the signal. There will be some "musts", i.e. not sharing data from a DNT configured user with 3rd parties, but if I am a responsible site operator I may choose to go further in honoring the DNT request. For instance I might choose to not even include the visitor in my analytics. I need to know if DNT is configured and the way this happens is by being subject to the DNT signal.

The obligations are different, but it's important that we think of all sites being subject to the DNT signal, once it is configured in the browser.

73s,
John

On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:

Karl,

This statement is an attempt to remove the concern that a 1st party, which will most likely not be subject to the DNT signal, does not have a backdoor opportunity to pass user data directly to a 3rd party (aka - closing a loop-hole). 3rd parties present on the 1st party's web site should honor the DNT signal directly.

- Shane

-----Original Message-----
From: Karl Dubost [mailto:karld@opera.com]
Sent: Thursday, November 17, 2011 5:40 AM
To: Shane Wiley
Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark Nottingham; <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: "cross-site"

On 16 Nov 2011, at 23:30, Shane Wiley wrote:

Alter statement to read "First parties must NOT share user specific data with 3rd parties for those users who send the DNT signal and have not granted a site-specific exception to the 1st party." This will leave room for sharing with Agents/Service Providers/Vendors to the 1st party -- as well as sharing aggregate and anonymous data with "others" (general reporting, for example).

I guess you mean s/DNT signal/DNT:1 signal"

Trying to understand what you are saying.

1. User sends DNT:1 to a website with domain name www.example.org<http://www.example.org>
2. www.example.org<http://www.example.org> collects data about the user (IP address and categories of pages the user visits)
3. Company Acme Hosting Inc. (a 3rd party) has access to these data NOT through the Web but through an access to the logs file.

What is happening?

--
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org<http://www.ConsumerWatchdog.org>
john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>
Received on Friday, 18 November 2011 15:43:55 UTC