RE: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking

I appreciate John's note on the role of Consumer Watchdog to provide additional viewpoints for the W3C group to consider. I thought it would be helpful to add the viewpoint of the OPA on this issue.  The following is a summary of comments we submitted earlier this year:

Our members include many of the Internet's most respected brands and they collectively reach an unduplicated audience of 172.5 million unique visitors, or 83% of the U.S. online population.  Last year, OPA members invested approximately $750 million in the creation of high quality digital content, most of which they distribute free of charge.

Publishers know that their future ability to attract large consumer audiences to their digital properties will depend on consumers' trust.  As a result, OPA members are acutely aware of the need to respect consumers' privacy interests while pursuing their business objectives.

As noted earlier in a response on this issue, OPA shares the FTC's belief that collection and use of audience information for marketing purposes by companies that stand in a direct, first-party relationship with consumers have very different privacy implications than similar data collection and use by third parties (see ).   In a direct first-party relationship, consumers are more likely to understand why they received tailored recommendations and are in a better position to raise concerns about use of information about them, or to exercise choice by taking their business elsewhere.

These considerations sharply distinguish publishers' first-party data collection practices from the third-party behavioral advertising practices that have been the focus of much of the policy debate surrounding online privacy.  When behavioral advertising involves sharing data with ad networks or other third parties, as the FTC noted, the user "may not understand why he has received ads from unknown marketers based on his activities at an assortment of previously visited websites.  Moreover, he may not know whom to contact to register his concerns or how to avoid the practice."

Online publishers share a direct and trusted relationship with visitors to their websites.  In the context of this relationship, OPA members sometimes collect and use information to target and deliver the online advertising that subsidizes production of quality digital content.  While most advertising on OPA members' sites is contextual, some of this advertising is first-party behavioral or "semantic" advertising.  Such advertising uses information collected from visitors' past interactions with a member's website - typically collected anonymously - to deliver ads tailored to the inferred preferences and interests of visitors.   For example, if a website visitor views articles about NFL football games or searches the site for football coverage, he or she is unlikely to be surprised to receive, while on the same site, marketing for a commemorative Super Bowl coffee table book.  This is true even if the ad for the coffee table book was targeted based on the visitor's activity within the site during a prior browsing session.

The targeting of a behavioral advertisement by a first-party site is analogous to a sales clerk at a men's clothing store who recognizes a repeat customer and makes wardrobe suggestions based on the customer's past preferences for size, color and designers.  The same dynamic is involved when suggests books that a consumer might be interested in reading based on titles that the consumer previously purchased.  Given the direct relationship between the consumer and the merchant, the consumer naturally understands that the merchant is in a position to recognize and remember its customers' preferences and is not surprised when the merchant uses that information to suggest future purchases.  Accordingly, OPA strongly supports an exemption for the collection of data from a consumer with whom the company interacts directly for the purposes of marketing to that consumer and for the general operation and personalization of the site.  Such an exemption is also essential to protect the ability of online publishers to continue to monetize their investments in content through the delivery of standard display advertising.

For example, online publishers rely on IP address and cookie information to perform advertising functions as well as the general operation of the website.  Examples include:

* executing online campaigns in accordance with contractual requirements (such as geographical requirements, category or brand exclusivity commitments);
* capping the frequency with which an individual ad is displayed - a feature that benefits both advertisers and website users;
* complying with legal requirements (for example, it may not be lawful to advertise a pharmaceutical product approved in the U.S. to audience members in the U.K. or vice versa - IP addresses are used to limit campaigns to particular countries or regions);
* preventing click fraud;
* synchronizing and sequencing creative content, thereby enabling advertisers to "tell a story" through campaign elements that must unfold in a logical order;
* measuring audience size for reporting and inventory;
* identifying technical problems (i.e. when a site receives 100 calls to a home page, is it 100 individuals or 10 individuals having to request a page 10 times for a page to load?)

Without a robust first-party exemption (and related exemptions for operational purposes and sharing with service providers), DNT could operate as a "kill switch" for online advertising.  Given the pervasive and inextricable connections between user information and online advertising, the establishment of a choice mechanism to block collection and use of data for any advertising purpose would be tantamount to creating a right to receive news and information content without advertising.  Such a provision would be like requiring television stations to offer programming uninterrupted by commercials to any viewers who found commercials annoying.

OPA believes that a first-party exemption should permit the exchange and use of data among corporate affiliates that share a common brand or otherwise effectively disclose their affiliation relationships and follow substantially similar privacy policies.  Affiliated websites share many resources - including audience data - to improve the efficiency of their operations.  Moreover, it is not uncommon for features of a single website to be provided by separate but affiliated companies.   Any first party exemption should include affiliate-sharing within the scope of the first-party exemption to avoid disrupting the important operating efficiencies that exist in families of affiliated websites. The standard for affiliate sharing should not, however, focus exclusively on whether affiliated sites have the same brand identity because sites may effectively communicate their affiliation relationships to consumers through direct disclosures or in other ways.  OPA accordingly suggests a standard for affiliate sharing that permits the exchange of consumer data for marketing purposes between entities that (1) are affiliated by common majority ownership or management control, (2) adhere to substantially similar policies with respect to use and disclosure of consumer information and (3) disclose their affiliation through common branding or other clear and conspicuous means.

We hope these comments will be helpful for the group to consider.

From: John Simpson
Sent: Tuesday, November 29, 2011 7:08 PM
To: Roy T. Fielding
Subject: Re: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking


One of the reasons Consumer Watchdog is here, and other public interest organizations have been invited to participate, is to help identify concepts that the usual W3C participants, no matter how well-intentioned, may not have considered from the consumer point of view.

Though some -- perhaps many -- in this group define DNT to mean do not track me across non-same-branded sites, that is not how we believe a user will understand it. Users expect DNT to mean do not track what I'm doing, and don't necessarily make the distinction between activity on one site or across sites. I understand that the forthcoming study from Jon Peha and Aleecia on user expectations of DNT is likely to back this up. (Aleecia - What is the status of this research?)

Yes, it is certainly true that consumers are aware of and expect some 1st party tracking. For example most people expect Amazon to remember purchases and suggest purchases later. But that is primarily because we're all so familiar with Amazon's recommendation service. I have no expectation that the New York Times is tracking my reading habits, and using that information to advertise to me, or filter what articles I see next time I visit. Consumers are generally not aware of and do not expect the myriad ways sites track information.

It seems to me that this group should define DNT to conform as closely as possible to consumers' expectations, and that is much broader than merely limiting DNT to non-same-branded sites. While they expect DNT to apply to 1st party sites, I think they will accept the idea that the DNT requirements on 1st Party tracking are less stringent than those on 3rd party sites.

It then becomes incumbent on us to make clear the reasons for those exceptions and justify them to the user. However, if this group is going to define DNT to merely mean DNT across non-same-branded sites, it will be too far out of synch with user expectations. Consumers are likely to enable DNT, find out they're still being tracked by 1st parties against their expectations, and lose faith in the entire function.

In regards to private browsing mode: Although this feature gives consumers the option of preventing their online activities from being recorded on their own computer, it does not prevent any website, 1st or 3rd party, from collecting information on a session, including identifying user information such as IP address, and retaining it for future use. If it did, we'd already have a usable DNT option. Privacy mode -- aka "porn mode" -- protects the users' privacy from others who share the computer.  The classic public use example is that your spouse won't know you've been shopping for a gift for them...

As to companies not implementing DNT if it applies to analytics: it has already been suggested that analytics is a space where exceptions may apply. Fraud prevention is another area.

Best regards,

Tags: Issue-17,Issue-51, Issue-5
On Nov 28, 2011, at 5:42 PM, Roy T. Fielding wrote:

On Nov 28, 2011, at 5:13 PM, John Simpson wrote:


Sorry, I don't follow you. Why is DNT orthogonal to private browsing?  I'm simply trying to state what my expectation is as a user if I enable DNT.  I intuitively expect to interact with a 1st Party for that transaction, but why would I expect the site to continue to use that information for anything in the future if I have enabled DNT?

Because DNT does not mean "do not track".  It means do not track me
across non-same-branded sites. If you have a user expectation that
differs from that, then we need to fix that expectation (not DNT).

The expectation you expressed above is already implemented in browsers
as private browsing mode.  We have no need to duplicate it in DNT
because it can be turned on in addition to DNT.  That is a user choice.

I, as an implementor, will not implement DNT if it has a significant
impact on analytics beyond sharing data with 3rd parties.
There is no implied right to privacy regarding data provided by
a user when they deliberately choose to enter an establishment,
which means the stuff we see in access logs, first-party cookies,
and contracted analytics providers that silo data per site
should not be impacted by DNT.  It may well be impacted by other
regulations, depending on context, but not by DNT.


John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902

Received on Wednesday, 30 November 2011 20:44:36 UTC