
RE: Summary of First Party vs. Third Party Tests

From: Amy Colando (LCA) <acolando@microsoft.com>
Date: Sun, 30 Oct 2011 19:15:59 +0000
To: Ashkan Soltani <ashkan.soltani@gmail.com>, Mike Zaneis <mike@iab.net>
CC: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-ID: <58271C264AD16547AC61CAFA53FBEAF934EDD374@TK5EX14MBXC136.redmond.corp.microsoft.com>
Mike's point is well-taken.  And from Ashkan's paper, I see a consensus that arguing that an independent ad network is somehow an affiliate of a publisher site is a non-starter (noting that I haven't heard any working group participants arguing for this POV).

In many ways, this corporate relationship status is more amenable to objective compliance measurement than common branding (for example, Jonathan's example that if a 3rd party social networking button is large enough, does that signify that it may collect data on another site absent user interaction?).

To help provide some additional text to consider when discussing Jonathan's framework, it may be helpful to look at the existing self-reg definition of control, which relies on both ownership control and similar privacy policies.  Consider whether we could look at adherence to the DNT standard as an element of appropriate common Control. http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

Control of an entity means that one entity (1) is under significant common ownership or operational control of the other entity, or (2) has the power to exercise a controlling influence over the management or policies of the other entity. In addition, for an entity to be under the Control of another entity and thus be treated as a First Party under these Principles, the entity must adhere to Online Behavioral Advertising policies that are not materially inconsistent with the other entity's policies.



From: Ashkan Soltani [mailto:ashkan.soltani@gmail.com]
Sent: Sunday, October 30, 2011 10:50 AM
To: Mike Zaneis
Cc: public-tracking@w3.org Group WG
Subject: Re: Summary of First Party vs. Third Party Tests

FWIW

In 2009, we looked into this issue somewhat and found that many large web companies can have as many as 2000 'affiliates' based on the GLB definition<http://www.sec.gov/rules/final/34-42974.htm#P84_20157> (average was 297).  Summary here<http://knowprivacy.org/affiliates.html> and full report<http://knowprivacy.org/full_report.html>. Additionally, the privacy policies of most of these sites stated that they shared data with affiliates<http://knowprivacy.org/images/policies_large.jpg> but they did not share data with 3rd parties.

I think one issue here is that most consumers would not immediately comprehend this technical distinction and would potentially consider a company like Fox separate from say the social network, Myspace.

Perhaps something to consider as we work through these definitions.
-a



On Sun, Oct 30, 2011 at 6:37 AM, Mike Zaneis <mike@iab.net> wrote:
Jonathan, this is a very helpful discussion, providing the scenarios and possible real examples. My only comment is that I believe your second possible definition - legal business relationships - is overly broad. The corporate ownership factor is correct, but I don't think most/anyone would argue that a contract with a non-related company would make that company a first party (it could make them an agent of the first party if the data is only used for the benefit of the first party, but that is a different discussion). Most U.S. laws treat legal "affiliates", companies with some common ownership, as first parties (i.e. ESPN and ABC are treated as first party to the parent company Disney). I think that is the more useful straw man to use for this discussion.

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466

On Oct 29, 2011, at 1:11 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:

> (ACTION-25)
>
> As I understand it, there are four camps on how to distinguish between first parties and third parties.
>
> 1) Domain names (e.g. public suffix + 1).
>
> 2) Legal business relationships (e.g. corporate ownership + affiliates).
>
> 3) Branding.
>
> 4) User expectations.
>
> Here are some examples that show the boundaries of these definitions.
>
> Example: The user visits Example Website at example.com.  Example Website embeds content from examplestatic.com, a domain controlled by Example Website and used to host static content.
>
> Discussion: Content from the examplestatic.com domain is first-party under every test save the first.
>
> Example: Example Website (example.com) strikes a deal with Example Affiliate (affiliate.com), an otherwise unrelated company, to share user data.  The user visits Example Website, and it embeds content from Example Affiliate.
>
> Discussion: Content from Example Affiliate is third-party under every test save the second.
>
> Example: Example Website embeds a widget from Example Social Aggregator.  The widget includes a prominent logo for Example Social Aggregator, though a user is unlikely to recognize it.
>
> Discussion: Content from Example Social Aggregator is third-party under every test save the third.
>
>
Received on Sunday, 30 October 2011 19:16:32 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:41 UTC