- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Mon, 3 Oct 2011 19:35:48 -0700
- To: public-tracking@w3.org
- Message-Id: <E6C7F698-99CE-42B4-BA93-F827C1C67D15@stanford.edu>
(ACTION-6, ISSUE-23, and ISSUE-34) Third-Party Outsourcing Requirements

If a first-party website outsources functionality to a third-party website, the third party is exempted from any requirements imposed by this standard so long as all three of the following conditions are met when responding to a Do Not Track request.

1) The third-party website takes reasonable technical precautions to prevent the collection of cross-site tracking data.

When assessing whether a given website's technical precautions are reasonable, relevant considerations include:
- the extent to which the technical precautions prevent the collection of cross-site tracking data
- whether the technical precautions are externally verifiable
- the extent to which the technical precautions impede the third-party website's other functionality

In almost all cases reasonable technical precautions will consist of no less than using the same-origin policy to segregate user information; the approach is effective, auditable, and has negligible collateral effects. What constitutes a reasonable technical precaution may change over time as research uncovers new approaches for web tracking and mitigating web tracking.

Example: Example Website 1 and Example Website 2 both embed content from Example Analytics. Example Analytics uses an exampleanalytics.com cookie to track Do Not Track users on both websites.

Discussion: Example Analytics is not in compliance with Do Not Track because it has not imposed reasonable technical precautions against collecting cross-site tracking data. Example Analytics should scope its tracking cookies to a unique domain for each customer, e.g. example1.exampleanalytics.com and example2.exampleanalytics.com.

2) The third-party website imposes reasonable internal controls to prevent the collection, retention, and use of cross-site tracking data. Reasonable internal controls may consist of, among other practices, data segregation, encryption, access control, and employee training.

Example: Example Analytics collects data on behalf of first-party websites in a single database table that all employees have access to.

Discussion: Example Analytics has not imposed reasonable internal controls.

3) The third-party website makes the following public commitments in a form that renders them legally enforceable by its first-party customer, individual users, and regulators.
- the third party will not use the data it collects except as directed by the first party
- the third party will only use the data it collects to provide functionality to the first party; it will not use the data it collects for its own purposes
- the third party will not share the data it collects except with the first party
- if the first party requests, the third party will promptly delete the data it has collected
- if the first party closes its account, the third party will promptly delete the data it has collected
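The cookie-scoping point in condition 1 (an exampleanalytics.com cookie versus one host-only cookie per customer subdomain) can be checked mechanically with the RFC 6265 domain-matching rule. The following is an added illustration, not code from the message or from any W3C deliverable; the cookie names, values and the two customer hostnames are constructed for the example, and the simulation models only the browser's cookie-attachment rule, not any server-side correlation.

```python
"""Simulate RFC 6265 cookie scoping for third-party content embedded on two sites.

Constructed example: shows why a cookie with Domain=exampleanalytics.com is
presented to every customer subdomain (one identifier across sites), while a
host-only cookie set by example1.exampleanalytics.com is never sent to
example2.exampleanalytics.com.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # host (host-only) or Domain attribute value
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching for hostnames (IP literals not modelled)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    if request_host == cookie_domain:
        return True
    # The request host must end with the cookie domain and the preceding byte must be "."
    return request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse a minimal Set-Cookie header ("name=value; Domain=...") as a browser would store it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
    if domain is None:
        # No Domain attribute: host-only cookie bound to the exact response host.
        return Cookie(name, value, response_host.lower(), True)
    # RFC 6265 section 5.3 step 6: a Domain the response host does not match is rejected,
    # so example1.exampleanalytics.com cannot plant a cookie for example2.exampleanalytics.com.
    if not domain_matches(response_host, domain):
        raise ValueError(f"Domain={domain} is not valid for a response from {response_host}")
    return Cookie(name, value, domain, False)


def cookies_for_request(jar: list, request_host: str) -> list:
    """Return the cookies a browser would attach to a request for request_host."""
    request_host = request_host.lower()
    sent = []
    for c in jar:
        if c.host_only:
            if request_host == c.domain:
                sent.append(c)
        elif domain_matches(request_host, c.domain):
            sent.append(c)
    return sent


def tracking_scenario() -> dict:
    """Compare the two setups from the message for a browser that visited both customer sites."""
    hosts = ["example1.exampleanalytics.com", "example2.exampleanalytics.com"]

    # Setup A (non-compliant): one identifier scoped to the whole analytics domain.
    shared_jar = [parse_set_cookie("uid=abc123; Domain=exampleanalytics.com", hosts[0])]

    # Setup B (per-customer scoping): host-only cookie set by each customer subdomain.
    per_customer_jar = [
        parse_set_cookie("uid=abc123", hosts[0]),
        parse_set_cookie("uid=xyz789", hosts[1]),
    ]

    return {
        "shared_domain": {h: [c.value for c in cookies_for_request(shared_jar, h)] for h in hosts},
        "per_customer": {h: [c.value for c in cookies_for_request(per_customer_jar, h)] for h in hosts},
    }


if __name__ == "__main__":
    for setup, seen in tracking_scenario().items():
        print(setup)
        for host, values in seen.items():
            print(f"  {host}: {values}")
```

In the shared-domain setup both customer hostnames receive the same uid, which is exactly the cross-site identifier the message objects to; in the per-customer setup each hostname sees only its own uid, and the browser's own rules prevent one subdomain from reading or setting the other's host-only cookie. This only addresses what the browser sends: the analytics operator could still join the two data sets on its backend, which is why the message pairs the technical precaution with the internal-control and contractual conditions.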
Received on Tuesday, 4 October 2011 02:35:51 UTC