Proposed language for third-party outsourcing

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Mon, 3 Oct 2011 19:35:48 -0700
Message-Id: <E6C7F698-99CE-42B4-BA93-F827C1C67D15@stanford.edu>
To: public-tracking@w3.org
(ACTION-6, ISSUE-23, and ISSUE-34)

Third-Party Outsourcing Requirements:
If a first-party website outsources functionality to a third-party website, the third party is exempted from any requirements imposed by this standard so long as all three of the following conditions are met when responding to a Do Not Track request.

1) The third-party website takes reasonable technical precautions to prevent the collection of cross-site tracking data.  When assessing whether a given website's technical precautions are reasonable, relevant considerations include:
- the extent to which the technical precautions prevent the collection of cross-site tracking data
- whether the technical precautions are externally verifiable
- the extent to which the technical precautions impede the third-party website's other functionality
In almost all cases reasonable technical precautions will consist of no less than using the same-origin policy to segregate user information; the approach is effective, auditable, and has negligible collateral effects.  What constitutes a reasonable technical precaution may change over time as research uncovers new approaches for web tracking and mitigating web tracking.

Example:
Example Website 1 and Example Website 2 both embed content from Example Analytics.  Example Analytics uses an exampleanalytics.com cookie to track Do Not Track users on both websites.

Discussion:
Example Analytics is not in compliance with Do Not Track because it has not imposed reasonable technical precautions against collecting cross-site tracking data.  Example Analytics should scope its tracking cookies to a unique domain for each customer, e.g. example1.exampleanalytics.com and example2.exampleanalytics.com.

2) The third-party website imposes reasonable internal controls to prevent the collection, retention, and use of cross-site tracking data.  Reasonable internal controls may consist of, among other practices, data segregation, encryption, access control, and employee training.

Example:
Example Analytics collects data on behalf of first-party websites in a single database table that all employees have access to.

Discussion:
Example Analytics has not imposed reasonable internal controls.

3) The third-party website makes the following public commitments in a form that renders them legally enforceable by its first-party customer, individual users, and regulators.
- the third party will not use the data it collects except as directed by the first party
- the third party will only use the data it collects to provide functionality to the first party; it will not use the data it collects for its own purposes
- the third party will not share the data it collects except with the first party
- if the first party requests, the third party will promptly delete the data it has collected
- if the first party closes its account, the third party will promptly delete the data it has collected

Received on Tuesday, 4 October 2011 02:35:51 UTC
