
Re: Summary of First Party vs. Third Party Tests

From: Ashkan Soltani <ashkan.soltani@gmail.com>
Date: Sun, 30 Oct 2011 10:50:05 -0700
Message-ID: <CAK6Xr4XH3_XYJHov7N=jGSY08ZtRkT96i4BGRPg+QB1GXA6WNg@mail.gmail.com>
To: Mike Zaneis <mike@iab.net>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
FWIW

In 2009, we looked into this issue somewhat and found that many
large web companies can have as many as 2000 'affiliates' based on the GLB
definition <http://www.sec.gov/rules/final/34-42974.htm#P84_20157> (average
was 297).  Summary here <http://knowprivacy.org/affiliates.html> and full
report <http://knowprivacy.org/full_report.html>. Additionally, the privacy
policies of most of these sites stated that they shared data with
affiliates <http://knowprivacy.org/images/policies_large.jpg> but
they did not share data with 3rd parties.

I think one issue here is that most consumers would not immediately
comprehend this technical distinction and would potentially consider a
company like Fox separate from say the social network, Myspace.

Perhaps something to consider as we work through these definitions.
-a



On Sun, Oct 30, 2011 at 6:37 AM, Mike Zaneis <mike@iab.net> wrote:

> Jonathan, this is a very helpful discussion, providing the scenarios and
> possible real examples. My only comment is that I believe your second
> possible definition - legal business relationships - is overly broad. The
> corporate ownership factor is correct, but I don't think most/anyone would
> argue that a contract with a non-related company would make that company a
> first party (it could make them an agent of the first party if the data is
> only used for the benefit of the first party, but that is a different
> discussion). Most U.S. laws treat legal "affiliates", companies with some
> common ownership, as first parties (i.e. ESPN and ABC are treated as first
> party to the parent company Disney). I think that is the more useful straw
> man to use for this discussion.
>
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
>
> On Oct 29, 2011, at 1:11 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
>
> > (ACTION-25)
> >
> > As I understand it, there are four camps on how to distinguish between
> > first parties and third parties.
> >
> > 1) Domain names (e.g. public suffix + 1).
> >
> > 2) Legal business relationships (e.g. corporate ownership + affiliates).
> >
> > 3) Branding.
> >
> > 4) User expectations.
> >
> > Here are some examples that show the boundaries of these definitions.
> >
> > Example: The user visits Example Website at example.com.  Example
> > Website embeds content from examplestatic.com, a domain controlled by
> > Example Website and used to host static content.
> >
> > Discussion: Content from the examplestatic.com domain is first-party
> > under every test save the first.
> >
> > Example: Example Website (example.com) strikes a deal with Example
> > Affiliate (affiliate.com), an otherwise unrelated company, to share user
> > data.  The user visits Example Website, and it embeds content from Example
> > Affiliate.
> >
> > Discussion: Content from Example Affiliate is third-party under every
> > test save the second.
> >
> > Example: Example Website embeds a widget from Example Social Aggregator.
> > The widget includes a prominent logo for Example Social Aggregator, though
> > a user is unlikely to recognize it.
> >
> > Discussion: Content from Example Social Aggregator is third-party under
> > every test save the third.
> >
> >
>
>
Received on Sunday, 30 October 2011 17:51:39 UTC
