
RE: Issue-17, Issue-51 First party obligations

From: Amy Colando (LCA) <acolando@microsoft.com>
Date: Tue, 29 Nov 2011 16:29:23 +0000
To: Sean Harvey <sharvey@google.com>, Jeffrey Chester <jeff@democraticmedia.org>
CC: JC Cannon <jccannon@microsoft.com>, John Simpson <john@consumerwatchdog.org>, "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <81152EDFE766CB4692EA39AECD2AA5B6D40550@TK5EX14MBXC221.redmond.corp.microsoft.com>
Thanks Sean.  The only element I would add to your explanation is that in the event the first party website has tags or other content from third parties on the first party page, those third parties would also receive the DNT signal (via redirects) and would respect that DNT signal as third parties.

Absent some sort of user override, of course.

From: Sean Harvey [mailto:sharvey@google.com]
Sent: Tuesday, November 29, 2011 8:10 AM
To: Jeffrey Chester
Cc: JC Cannon; John Simpson; <public-tracking@w3.org> (public-tracking@w3.org)
Subject: Re: Issue-17, Issue-51 First party obligations

Hi Jeff,

On the point below I think you are expressing the majority opinion of the group, and that everyone is largely saying the same thing. If anyone disagrees, please speak up because this is I think the understanding the editors were under based on all of the previous discussions on the email chains and the in-person meetings.

My current understanding based on the dialogue we've had thus far is that first parties are not allowed to pass DNT-on user info to a third party data provider, or leverage third party data in the customization of the ad unit for a DNT-on user.

The key point is that "third party" is not limited to the "third party" that the browser sees, e.g. a third party domain relative to the web page's base URL. And in fact in some cases a "third party" may be a first party, i.e. a Facebook like button after it has been clicked/"liked".

Given the extensive conversation we've had on this topic to date, I do believe this is everyone's understanding already. Please speak up if I am mistaken.

With respect to Mr. Simpson's statement, I do not believe that this has been the understanding of the group to date. For example, if I as a voracious nytimes.com reader have DNT on, the consensus to date of the group had, prior to Mr. Simpson's email, been that the New York Times can still know who I am, but that they cannot pass this information on to third party advertising/data partners, and that those who advertise on the New York Times are not allowed to collect my user data. I'm not suggesting we can't re-open this conversation, merely stating the status of the conversations of this committee to date.


On Tue, Nov 29, 2011 at 9:50 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
If a DNT system is to work, it must address how first party sites incorporate third party data and also use ad exchanges.  If a user has said they do not want to be tracked via a third party data service, such as eXelate, BlueKai or Experian (for example) then such user data should not be automatically imported or used by the First party site.  Sites increasingly mix in-house data with third party targeting data.  A user should have reasonable control of this process under DNT.

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Nov 28, 2011, at 7:59 PM, JC Cannon wrote:


I believe we are already in agreement that DNT will not apply to 1st party sites. I understand the need to clarify that 3rd-party sharing will be limited to certain exceptions, but I don't want to revisit something we have already agreed on.


From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Monday, November 28, 2011 4:47 PM
To: <public-tracking@w3.org> (public-tracking@w3.org)
Subject: Issue-17, Issue-51 First party obligations


I've been thinking a bit more about the idea of "1st Party" obligations if we use the frame of a 1st Party and 3rd Party distinction.  It seems clear to me that there is consensus that the 1st Party must not share data (some will say there are exceptions) with a 3rd party when DNT is enabled.

It does seem to me there are further obligations.  When I go to a 1st party site and interact with it, I assume it is using my information for that transaction.  If I have DNT enabled, I don't have ANY expectation that it will continue to use that information beyond that transaction.  The site should ask me if it can continue to store the information and use it beyond that specific visit to the site.

In other words from my perspective as a user, a 1st Party site should treat me as if I had cleared all my cookies the next time I visit the site if I have DNT enabled.

When DNT is enabled, a 1st party should treat each session with a user as an entirely new session unless it has been given permission to store his information and use it again.

John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902

Sean Harvey
Business Product Manager
Google, Inc.
Received on Tuesday, 29 November 2011 16:30:44 UTC
