Proposed language for third-party outsourcing

(ACTION-6, ISSUE-23, and ISSUE-34)

Third-Party Outsourcing Requirements:
If a first-party website outsources functionality to a third-party website, the third party is exempted from any requirements imposed by this standard so long as all three of the following conditions are met when responding to a Do Not Track request.

1) The third-party website takes reasonable technical precautions to prevent the collection of cross-site tracking data.  When assessing whether a given website's technical precautions are reasonable, relevant considerations include:
-the extent to which the technical precautions prevent the collection of cross-site tracking data
-whether the technical precautions are externally verifiable
-the extent to which the technical precautions impede the third-party website's other functionality
In almost all cases reasonable technical precautions will consist of no less than using the same-origin policy to segregate user information; the approach is effective, auditable, and has negligible collateral effects.  What constitutes a reasonable technical precaution may change over time as research uncovers new approaches for web tracking and mitigating web tracking.

Example Website 1 and Example Website 2 both embed content from Example Analytics.  Example Analytics uses an cookie to track Do Not Track users on both websites.

Example Analytics is not in compliance with Do Not Track because it has not imposed reasonable technical precautions against collecting cross-site tracking data.  Example Analytics should scope its tracking cookies to a unique domain for each customer, e.g. and

2) The third-party website imposes reasonable internal controls to prevent the collection, retention, and use of cross-site tracking data.  Reasonable internal controls may consist of, among other practices, data segregation, encryption, access control, and employee training.

Example Analytics collects data on behalf of first-party websites in a single database table that all employees have access to.

Example Analytics has not imposed reasonable internal controls.

3) The third-party website makes the following public commitments in a form that renders them legally enforceable by its first-party customer, individual users, and regulators.
-the third party will not use the data it collects except as directed by the first party
-the third party will only use the data it collects to provide functionality to the first party; it will not use the data it collects for its own purposes
-the third party will not share the data it collects except with the first party
-if the first party requests, the third party will promptly delete the data it has collected
-if the first party closes its account, the third party will promptly delete the data it has collected

Received on Tuesday, 4 October 2011 02:35:51 UTC
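
The cookie scoping in condition 1 can be checked from outside, which is what makes it "externally verifiable". The sketch below is an added example, not part of the original message: it takes the `Set-Cookie` headers an auditor observed from the third party on each first-party site and reports any cookie a browser would send back on more than one of them. All hostnames and cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie

def cookie_scopes(embed_host, set_cookie):
    """Yield (name, scope, host_only) for each cookie in one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    for name, morsel in jar.items():
        domain = morsel["domain"].lstrip(".").lower()
        # No Domain attribute: the browser stores a host-only cookie.
        yield (name, domain or embed_host.lower(), not domain)

def domain_match(host, scope, host_only):
    """Would a browser attach a cookie with this scope to a request for host?"""
    host = host.lower()
    return host == scope or (not host_only and host.endswith("." + scope))

def cross_site_cookies(observations):
    """observations: (first_party, embed_host, set_cookie_header) tuples.
    Returns {(cookie_name, scope): [first parties]} for every cookie that
    would be sent on embeds in more than one first-party site."""
    scopes = set()
    for _, host, header in observations:
        scopes.update(cookie_scopes(host, header))
    findings = {}
    for name, scope, host_only in scopes:
        sites = {fp for fp, host, _ in observations
                 if domain_match(host, scope, host_only)}
        if len(sites) > 1:
            findings[(name, scope)] = sorted(sites)
    return findings

# Constructed observations: one shared embed host, one cookie for everyone.
SHARED = [
    ("website1.example", "cdn.analytics.example", "uid=abc123; Domain=analytics.example; Path=/"),
    ("website2.example", "cdn.analytics.example", "uid=abc123; Domain=analytics.example; Path=/"),
]
# Constructed observations: per-customer hosts with host-only cookies.
SCOPED = [
    ("website1.example", "website1.analytics.example", "uid=a1; Path=/"),
    ("website2.example", "website2.analytics.example", "uid=b2; Path=/"),
]
# Per-customer hosts, but one response widens the cookie to the parent domain.
WIDENED = [SCOPED[1], ("website1.example", "website1.analytics.example",
                       "uid=a1; Domain=analytics.example; Path=/")]

if __name__ == "__main__":
    for label, obs in (("shared", SHARED), ("scoped", SCOPED), ("widened", WIDENED)):
        print(label, cross_site_cookies(obs))
```

An empty result covers cookie scope only; it says nothing about other tracking techniques or about the internal controls in condition 2.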