RE: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking

Thank you Ninja.

1.  I believe users do generally understand what a 1st party is and that their concept of "tracking across sites" is not limited in this case.  I believe Aleecia will be providing some research in this area soon.  No matter the outcome, we'll need to educate users as to what is meant by DNT and how each organization complies with this standard.  The concept of "DNT" is loose enough that I believe we'll find users will each have a slightly different perspective of what is and is not covered by their personally interpretations of the literal meeting of "Track" - reinforcing the importance of user education.

To the Flickr note - since the user needs to log into their Yahoo! account to load images, I don't there is any user confusion here (weak argument even in the logged-out case).  In fact, I believe that example highlights why first parties should not be subject to DNT (outside of the agreed upon items of Widgets and 3rd party data sharing).

2.  With only 14 of 27 member states having transposed or suggest current laws already cover the amended ePrivacy Directive (was required by May 25th 2011 by law), I believe it's far too early to draw upon that perspective in the DNT discussion.  I'm at the IAPP EU event and there is considerable disagreement even across DPAs as to the true intentions of the ePrivacy Directive and how this should be managed in practice with users (data subjects).  The ePrivacy Directive does not require consent for "legitimate" cookie use to deliver a service and most DPAs I've spoken to have felt this covers 1st party cookie use and that only "3rd party advertising cookies" are the true target of the ePrivacy Directive.  Do you agree with this perspective?  What is the formal stance of your country?

Thank you again,
- Shane

-----Original Message-----
From: Ninja Marnau [] 
Sent: Wednesday, November 30, 2011 10:35 AM
To: Jeffrey Chester
Cc: John Simpson; Roy T. Fielding; <> (
Subject: Re: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking

I support what John and Jeffrey said for 2 reasons

1. User expectations:
	Of course, it is difficult considering user expectations without having 
actually done comprehensive user studies. But as Jeffrey pointed out, 
from my experience it is not too farfetched to say that most users do 
not know or comprehend how and when data collection occurs online.

	If the majority of the Working Group decides on not addressing first 
party tracking, we need to think about our definition of "cross-site". 
The Yahoo! example shows quite nicely that it gets more and more 
complicated for the average user to identify which services or sites 
belong to the same corporation. Flickr clearly states in the title of 
the website that it is a Yahoo! service. Nevertheless, I would not be 
surprised if a significant number of users just overlooks this 
information and would be surprised by being tracked from Flickr to 
Yahoo!Chat while having DNT on. And there are a lot of services that 
make their "branding" not as clear as Flickr.

2. European regulation:
	If you agree on not including first party tracking, you decide to not 
address in which way soever the requirements of Art. 5 III of the 
E-Privacy Directive concerning first parties. Lost opportunity.

Best regards,

p.s. Sorry, I am travelling and will not be able to make it for the 
weekly call today.

Am 30.11.2011 02:39, schrieb Jeffrey Chester:
> I agree with John Simpson. Users expect a DNT function to operate
> uniformly throughout the commercial digital media environment
> (platforms, sites, applications, etc). I see very little distinction
> between first and third party tracking and targeting, because few users
> know or can comprehend how data collection occurs online involving
> interactive campaigns (including through rich media applications, RTB,
> social media marketing, etc). So DNT should enable a user to decide they
> do not want to be tracked on any site, including the ability to decline
> specific targeting/data collection methodologies.
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> <>
> On Nov 29, 2011, at 7:07 PM, John Simpson wrote:
>> Colleagues,
>> One of the reasons Consumer Watchdog is here, and other public
>> interest organizations have been invited to participate, is to help
>> identify concepts that the usual W3C participants, no matter how
>> well-intentioned, may not have considered from the consumer point of view.
>> Though some -- perhaps many -- in this group define DNT to mean do not
>> track me across non-same-branded sites, that is not how we believe a
>> user will understand it. Users expect DNT to mean do not track what
>> I'm doing, and don't necessarily make the distinction between activity
>> on one site or across sites. I understand that the forthcoming study
>> from Jon Peha and Aleecia on user expectations of DNT is likely to
>> back this up. (Aleecia - What is the status of this research?)
>> Yes, it is certainly true that consumers are aware of and expect some
>> 1st party tracking. For example most people expect Amazon to remember
>> purchases and suggest purchases later. But that is primarily because
>> we're all so familiar with Amazon's recommendation service. I have no
>> expectation that the New York Times is tracking my reading habits, and
>> using that information to advertise to me, or filter what articles I
>> see next time I visit <>. Consumers are
>> generally not aware of and do not expect the myriad ways sites track
>> information.
>> It seems to me that that this group should define DNT to conform as
>> closely as possible to consumers' expectations, and that is much
>> broader than merely limiting DNT to non-same-branded sites. While they
>> expect DNT to apply to 1st party sites, I think they will accept the
>> idea that the DNT requirements on 1st Party tracking are less
>> stringent than those on 3rd party sites.
>> It then becomes incumbent on us to make clear the reasons for those
>> exceptions and justify them to the user. However, if this group is
>> going to define DNT to merely mean DNT across non-same-branded sites,
>> it will be too far out of synch with user expectations. Consumers are
>> likely to enable DNT, find out they're still being tracked by 1st
>> parties against their expectations, and lose faith in the entire
>> function.
>> In regards to private browsing mode: Although this feature gives
>> consumers the option of preventing their online activities from being
>> recorded on their own computer, it does not prevent any website, 1st
>> or 3rd party, from collecting information on a session, including
>> identifying user information such as IP address, and retaining it for
>> future use. If it did, we'd already have a usable DNT option. Privacy
>> mode -- aka "porn mode" -- protects the users' privacy from others who
>> share the computer. The classic public use example is that your spouse
>> won't know you've been shopping for a gift for them...
>> As to companies not implementing DNT if it applies to analytics: it
>> has already been suggested that analytics is a space where exceptions
>> may apply. Fraud prevention is another area.
>> Best regards,
>> John
>> Tags: Issue-17,Issue-51, Issue-5
>> On Nov 28, 2011, at 5:42 PM, Roy T. Fielding wrote:
>>> On Nov 28, 2011, at 5:13 PM, John Simpson wrote:
>>>> Roy,
>>>> Sorry, I don't follow you. Why is DNT orthogonal to private
>>>> browsing? I'm simply trying to state what my expectation is as a
>>>> user if I enable DNT. I intuitively expect to interact with a 1st
>>>> Party for that transaction, but why would I expect the site to
>>>> continue to use that information for anything in the future if I
>>>> have enabled DNT?
>>> Because DNT does not mean "do not track". It means do not track me
>>> across non-same-branded sites. If you have a user expectation that
>>> differs from that, then we need to fix that expectation (not DNT).
>>> The expectation you expressed above is already implemented in browsers
>>> as private browsing mode. We have no need to duplicate it in DNT
>>> because it can be turned on in addition to DNT. That is a user choice.
>>> I, as an implementor, will not implement DNT if it has a significant
>>> impact on analytics beyond sharing data with 3rd parties.
>>> There is no implied right to privacy regarding data provided by
>>> a user when they deliberately choose to enter an establishment,
>>> which means the stuff we see in access logs, first-party cookies,
>>> and contracted analytics providers that silo data per site
>>> should not be impacted by DNT. It may well be impacted by other
>>> regulations, depending on context, but not by DNT.
>>> ....Roy
>> ----------
>> John M. Simpson
>> Consumer Advocate
>> Consumer Watchdog
>> 1750 Ocean Park Blvd. ,Suite 200
>> Santa Monica, CA,90405
>> Tel: 310-392-7041
>> Cell: 310-292-1902
>> <>
>> <>


Ninja Marnau
mail: -
Telefon: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein

Received on Wednesday, 30 November 2011 15:47:25 UTC