Re: "cross-site" (tags: ISSUE-17, ISSUE-51)

Hi Chris,

Of course you are correct about the 2009 OBA report. Thanks for pointing that out.  I was focusing on the preliminary "Protecting Consumer Privacy in Era of Rapid Change" and didn't think about the OBA report.  As you know the current privacy report was released for comments and is being revised in light of them. It's expected to be released by the end of the year.

The OBA principles are all about online behavioral advertising.  In that context the principles make a distinction between 1st and 3rd parties for the purpose of behavioral advertising and say most consumers would be comfortable with it on 1st Party sites.

But tracking is about much more than online behavioral advertising.  It's about gathering information about users and then using that information for a variety of purposes; targeted advertising is only one such purpose. As far as I know,  the FTC has not taken a position on 1st and 3rd party distinctions and obligations in the broader context of tracking.

I believe the FTC's privacy report will address some of those broader issues when the final version is issued.  There have also been indications that the commission's views on 1st and 3rd party distinctions may be evolving.

As others have pointed out, the FTC's views may be useful to consider, but at the end of the day, the task of our working group is to come up with our own standards recommendation. It could be stronger than the FTC's minimum recommendations.

As we go forward, the 1st party and 3rd party distinction may be a helpful way to frame the discussion, if we can clearly define who is a 1st and 3rd party.

Treating 1st and 3rd parties differently may make sense. But even if you make the distinction, it does not mean you should conclude that 1st parties have no obligations under DNT.   For example, as Jonathan suggested, I would say that a 1st party MUST not share data with a 3rd party when DNT is enabled.

Would you agree generally with that principle?

Best regards,
John

On Nov 18, 2011, at 4:56 AM, Chris Pedigo wrote:

> John,
> 
> The FTC Commissioners voted to release the FTC staff report on Behavioral Advertising in February 2009.  Clearly, they supported the staff position that there is a difference in user expectations with regard to first and third parties. 
> 
> http://www.ftc.gov/opa/2009/02/behavad.shtm
> 
> What's more is that the FTC's recently-issued revisions to the COPPA rules (which govern kids-oriented sites) include a provision for sites to collect personal information without triggering any of COPPA's requirements so long as the data is used for "internal operations" of the site. Again, the FTC recognizes a difference between first and third parties. 
> 
> In addition, many of the privacy bills introduced in the US Congress include provisions to differentiate between first and third party uses of data.  
> 
> On the whole, if you were to discard the views of extreme fringes of both sides of the political spectrum, you would find a broad middle ground that understands first and third parties have different relationships with consumers and have different uses of data, and, therefore, should be treated differently in any workable standard. 
> 
> Sincerely,
> 
> Chris Pedigo
> VP, Government Affairs
> Online Publishers Association
> (202) 744-2967
> 
> 
> 
> On Nov 17, 2011, at 7:33 PM, "John Simpson" <john@consumerwatchdog.org> wrote:
> 
>> Mike,
>> 
>> The FTC hasn't taken a position on this.  That only happens when the commissioners vote and they have not.  I think what you're doing is predicting what you think a majority would say if they voted.
>> 
>> Best,
>> John
>> 
>> On Nov 17, 2011, at 12:28 PM, Mike Zaneis wrote:
>> 
>>> This is where there is a fundamental split amongst the parties. We had a discussion several weeks ago about the first party obligations and I pointed out that IAB and my member companies generally support the U.S. FTC position that consumers don't expect first parties to be subject to such restrictions.  Those positions have not changed.
>>> 
>>> Mike Zaneis
>>> SVP & General Counsel, IAB
>>> (202) 253-1466
>>> 
>>> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org> wrote:
>>> 
>>>> Shane,
>>>> 
>>>> I don't understand why we would say that a 1st party most likely will not be subject to the DNT signal.  If we continue to use the 1st party/ 3rd party distinction, it will likely (almost certainly) have different and probably fewer obligations than a third party. It should still be subject to the signal.
>>>> 
>>>> As a user I want the 1st party site to know that I have DNT configured.  As a 1st party site operator I want to know a visitor has configured DNT and is sending me the signal.  There will be some "musts", i.e., not sharing data from a DNT configured user with 3rd parties, but if I am a responsible site operator I may choose to go further in honoring the DNT request.  For instance I might choose to not even include the visitor in my analytics. I need to know if DNT is configured and the way this happens is by being subject to the DNT signal.
>>>> 
>>>> The obligations are different, but it's important that we think of all sites being subject to the DNT signal, once it is configured in the browser.
>>>> 
>>>> 73s,
>>>> John
>>>> 
>>>> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:
>>>> 
>>>>> Karl,
>>>>> 
>>>>> This statement is an attempt to remove the concern that a 1st party, which will most likely not be subject to the DNT signal, does not have a backdoor opportunity to pass user data directly to a 3rd party (aka - closing a loop-hole).  3rd parties present on the 1st party's web site should honor the DNT signal directly.
>>>>> 
>>>>> - Shane
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Karl Dubost [mailto:karld@opera.com] 
>>>>> Sent: Thursday, November 17, 2011 5:40 AM
>>>>> To: Shane Wiley
>>>>> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark Nottingham; <public-tracking@w3.org>
>>>>> Subject: Re: "cross-site"
>>>>> 
>>>>> 
>>>>> On 16 Nov 2011, at 23:30, Shane Wiley wrote:
>>>>>> Alter statement to read "First parties must NOT share user specific data with 3rd parties for those users who send the DNT signal and have not granted a site-specific exception to the 1st party."  This will leave room for sharing with Agents/Service Providers/Vendors to the 1st party -- as well as sharing aggregate and anonymous data with "others" (general reporting, for example).  
>>>>> 
>>>>> I guess you mean 
>>>>> s/DNT signal/DNT:1 signal/
>>>>> 
>>>>> Trying to understand what you are saying.
>>>>> 
>>>>> 1. User sends DNT:1 to a website with domain name www.example.org
>>>>> 2. www.example.org collects data about the user 
>>>>>   (IP address and categories of pages the user visits)
>>>>> 3. Company Acme Hosting Inc. (a 3rd party) has access to these 
>>>>>   data NOT through the Web but through an access to the logs file. 
>>>>> 
>>>>> 
>>>>> What is happening?
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Karl Dubost - http://dev.opera.com/
>>>>> Developer Relations & Tools, Opera Software
>>>>> 
>>>>> 
>>>> 
>>>> ----------
>>>> John M. Simpson
>>>> Consumer Advocate
>>>> Consumer Watchdog
>>>> 1750 Ocean Park Blvd. ,Suite 200
>>>> Santa Monica, CA,90405
>>>> Tel: 310-392-7041
>>>> Cell: 310-292-1902
>>>> www.ConsumerWatchdog.org
>>>> john@consumerwatchdog.org
>>>> 
>> 
>> 
> 


Received on Friday, 18 November 2011 20:05:54 UTC