From Shane

Action-5

Third-Party Outsourcing Requirements:
If a first-party website outsources functionality to a third-party website, the third party MAY ignore the Do Not Track signal if ANY of the following conditions are met:

1) The third-party website makes public commitments (such as through a privacy policy) to not leverage data collected across non-commonly branded or affiliated sites to develop a "profile" of activity and/or derived outcomes of interest for a user, specific web browser, or device.
2) The third-party takes reasonable technical precautions to prevent the collection of cross-site data in such a manner that it cannot be used to develop a "profile" of activity and/or derived outcomes of interest for a user, specific web browser, or device. This standard does not prescribe specifics for the technologies to be leveraged to ensure this standard is met (anonymization, encryption, hashing, physical/logical data isolation, internal employee contracts, in-person employee training, computer based training, etc.).
3) The third-party leverages the data collected purely in the effort to detect and defend against fraudulent activity to the benefit of the first party sites it serves.

These responsibilities MUST cascade to all parties involved in cross-site data collection (n-party position in cross-site data collection).

Example:
Example Website 1 and Example Website 2 pay for the analytics services of Example Analytics. Example Analytics uses an exampleanalytics.com cookie to track Do Not Track users on both websites.

Discussion:
Example Analytics must publicly declare its compliance with this standard and that cross-site collected data will not be leveraged to develop user/browser/device profiles, institute commercially reasonable technical safeguards to the same, and/or limit their use of cross-site (non-commonly branded or affiliated) collected data for the detection and defense against fraudulent activity.

Received on Wednesday, 5 October 2011 16:07:53 UTC