W3C home > Mailing lists > Public > public-tracking@w3.org > October 2011

Re: Proposed First Party definition

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sat, 15 Oct 2011 22:35:35 -0700
Cc: "Amy Colando (LCA)" <acolando@microsoft.com>, Matthias Schunter <mts@zurich.ibm.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <E77F153D-E89E-4572-AC74-147F563A9551@stanford.edu>
To: Shane Wiley <wileys@yahoo-inc.com>
I'm glad to see (what I think is) quite a lot of agreement on the first party vs. third party distinction.  Two comments I'd like to add.

First, in my view, third-party content becoming first-party content through user interaction is very circumstance-specific.  In some cases, e.g. the Facebook Like button, a click seems sufficient to make Facebook a first party.  It's a single-purpose button, and it's styled and branded in such a way that the average user seems likely to understand it's a Facebook service.  In other cases, though, even a few clicks or entering text might not be enough to consider a third party to have become a first party.  For example, take the ShareThis widget: in many cases it looks like little more than a box of well-known sharing widgets.  I'm skeptical that users expect the ShareThis box to track them, let alone retain any comments they provide through the box.  All of the above is to say - I think we'll have to provide some examples, commentary, and general guidelines.  I don't believe we'll be able to draw a consistent line at mouseover vs. click or any other formula.

Second, I'm very hesitant to provide a broad "affiliate" carveout.  In other privacy debates, affiliate relationships have proven to be sizable loopholes.  (In particular, see U.S. financial regulation.)  As for corporate relationships making a third party a first party, I believe such situations are also circumstance-specific and can't be fully captured by neat ownership and control rules.  The Flickr website, for example, quite prominently displays a Yahoo! logo and other Yahoo! content.  I believe the average user would understand Flickr is a Yahoo! service, and so I would consider Yahoo! a first party.  But to take another example, the Wall Street Journal website has nothing to do with the Fox News website.  I believe it would go against consumer expectations to allow the two to share browsing data, even though both are owned by the same parent company (News Corp).

Jonathan

On Oct 15, 2011, at 7:56 PM, Shane Wiley wrote:

> To build upon this excellent direction, I would further suggest the following:
> 
> Impression = 3rd Party Treatment (no interaction from the user) <this would automatically include web beacons since there is no possibility for interaction.>
> 
> Interaction = 1st Party Treatment (mouse over does not count as "interaction") - would REQUIRE branding and link to the party's home page which in turn has a link to the privacy policy or to the privacy policy directly (many widgets may leverage widget branding to serve as this link).  Parties SHOULD include an indicator of the user's "logged-in" state to provide clearer transparency to the user that they are interacting with the widget in a 1st party state.  
> 
> - Shane
> 
> -----Original Message-----
> From: public-tracking-request@w3.org [mailto:public-tracking-request@w3.org] On Behalf Of Amy Colando (LCA)
> Sent: Saturday, October 15, 2011 2:56 PM
> To: Matthias Schunter
> Cc: public-tracking@w3.org
> Subject: RE: Proposed First Party definition
> 
> Thanks Matthias. I look forward to others' points of view on this issue too.
> 
> - Do you mean that a search box/widget is 3rd party until I interact with it (i.e., entering data; hovering the mouse is probably no such interaction).
> 
> AC: Yes, that makes sense to me; if the widget is passively collecting data without interaction from the user, then it would appear to be more in the third party camp than the first party camp.
> 
> - Does this also mean that once I click an element (e.g., an add or a button), then the owner of the button is 'promoted' to 1st party.
> 
> AC: Yes.  This seems to align with the user expectation that once they are actively engaging with widget, that widget is collecting the information (click, add, input) from the user.
> 
> -----Original Message-----
> From: Matthias Schunter [mailto:mts@zurich.ibm.com] 
> Sent: Saturday, October 15, 2011 7:04 AM
> To: Amy Colando (LCA)
> Cc: public-tracking@w3.org
> Subject: Re: Proposed First Party definition
> 
> Hi Amy,
> 
> 
> Thanks a lot for this constructive input.
> 
> Two clarifying questions to enable me to understand the definition:
> 
> - Do you mean that a search box/widget is 3rd party until I interact with it (i.e., entering data; hovering the mouse is probably no such interaction).
> 
> 
> - Does this also mean that once I click an element (e.g., an add or a button), then the owner of the button is 'promoted' to 1st party.
> 
> 
> Regards,
> matthias
> 
> On 10/14/2011 8:47 PM, Amy Colando (LCA) wrote:
>> Nick, I hope that you can help me out by assigning this to the correct issue(s) as necessary? Many thanks.
>> 
>> In response to an earlier request for submission of suggested definitions for First Party, we are submitting the proposed definition draft below.  The proposed definition includes elements from CDT, EFF, DAA and other submissions, so is definitely a mash-up from many different sources. Thanks.
>> 
>> 
>> A First Party is the entity (and its Affiliates) that owns or Controls the Web site the end user visits.  A First Party also includes the owner of a widget, search box or similar service with which a consumer interacts, even if the First Party does not own or have Control over the Web site where its services are displayed to the consumer.
>> 
>> An Affiliate is (1) an entity that Controls, or is Controlled by, or is under common Control with, another entity; or (2) an entity where the relationship to another entity is evident to end users through co-branding or similar means.  
>> 
>> Note1: Control to be defined as management or operational control - see http://www.aboutads.info/principles for sample definition of Control.
>> Note2: Elsewhere, standard should state that First Parties and others may use vendors to carry out otherwise permitted activities on their behalf.
>> 
>> 
>> 
>> 
>> 
> 
> --
> Dr. Matthias Schunter, MBA
> IBM Zurich Research Laboratory,  Ph. +41 (44) 724-8329
> Homepage: www.schunter.org, Email: schunter(at)acm.org
> PGP Fingerprint    989AA3ED 21A19EF2 B0058374 BE0EE10D
> 
> 
> 
> 
Received on Sunday, 16 October 2011 05:36:07 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:41 UTC