W3C home > Mailing lists > Public > public-tracking@w3.org > October 2011

Re: Summary of First Party vs. Third Party Tests

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sun, 30 Oct 2011 18:51:55 -0700
Cc: "Amy Colando (LCA)" <acolando@microsoft.com>, Ashkan Soltani <ashkan.soltani@gmail.com>, Mike Zaneis <mike@iab.net>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-Id: <614E663E-2BDD-4508-8983-F7D99F794229@stanford.edu>
To: Aleecia M. McDonald <aleecia@aleecia.com>
It seems to me that there are two key components of a business relationship test:

1) What forms of business relationships are covered?  Dimensions include hierarchical relationships (immediate parent, direct subsidiary, and more distant relations) and types of relationships (ownership, control, partial ownership, partial control, etc.).

Here's an example to show the sort of complicated scenario the rule would have to untangle: Suppose the user is on Example Website.  Example Website is wholly owned by Example Subsidiary 1, which is substantially controlled by the holding company Example Parent 1.  Example Parent 1 completely controls (but does not own) Example Subsidiary 2, which has substantial (but minority) ownership of Example Analytics.  Example Parent 2, another holding company, also has substantial (but minority) ownership of Example Analytics.  When the user visits Example Website and it embeds a script from Example Analytics, is Example Analytics a first party?

2) If affiliates are first parties, are an affiliate's affiliates also first parties?  That is, is there a transitive property of affiliation?

An example: Suppose Company A has an affiliate Company B, and Company B has an affiliate Company C.  Company C is not an affiliate of Company A.  The user visits the Company A website, and it embeds Company B content, which in turn embeds Company C content.  Is Company C a first party?


A very permissive business relationship test, as some around the table have expressed support for, and as some have interpreted the current self-regulatory principles to impose, would devolve into a contractual test.  Suppose Company A and Company B are unrelated but want to share web tracking data.  The two companies incorporate Company A-B and divide ownership evenly, making it an affiliate of both companies.  The companies then use Company A-B as a conduit for web tracking data.


On Oct 30, 2011, at 12:44 PM, Aleecia M. McDonald wrote:

> Jumping in very quickly:
> 
> I believe Jonathan's point was that, for example, the Facebook f logo is so well recognized that everyone knows it's Facebook without needing text that says "This Like button brought to you by Facebook". This is about branding requirements. It was not an argument that data collection can happen without interaction.
> 
> Jonathan can, and certainly will, correct me if I misunderstood. :-) But I wanted to jump in quickly before there's confusion here.
> 
> 	Aleecia
> 
> On Oct 30, 2011, at 12:15 PM, Amy Colando (LCA) wrote:
> 
>> Mikeís point is well-taken.  And from Ashkanís paper, I see a consensus that arguing that an independent ad network is somehow an affiliate of a publisher site is a non-starter (noting that I havenít heard any working group participants arguing for this POV).
>>  
>> In many ways, this corporate relationship status is more amenable to objective compliance measurement than common branding (for example, Jonathanís example that if a 3rd party social networking button is large enough, does that signify that it may collect data on another site absent user interaction?).
>>  
>> To help provide some additional text to consider when discussing Jonathanís framework, it may be helpful to look at the existing self-reg definition of control, which relies on both ownership control and similar privacy policies.  Consider whether we could look at adherence to DNT standard as an element of appropriate common Control. http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf
>>  
>> Control of an entity means that one entity (1) is under significant common ownership or operational control of the other entity, or (2) has the power to exercise a controlling influence over the management or policies of the other entity. In addition, for an entity to be under the Control of another entity and thus be treated as a First Party under these Principles, the entity must adhere to Online Behavioral Advertising policies that are not materially inconsistent with the other entityís policies.
>>  
>>  
>>  
>> From: Ashkan Soltani [mailto:ashkan.soltani@gmail.com] 
>> Sent: Sunday, October 30, 2011 10:50 AM
>> To: Mike Zaneis
>> Cc: public-tracking@w3.org Group WG
>> Subject: Re: Summary of First Party vs. Third Party Tests
>>  
>> FWIW
>>  
>> In 2009, we looked into this issue somewhat in 2009 and found that many large web companies can have as many as 2000 'affiliates' based on the GLB definition (average was 297).  Summary here and full report. Additionally, the privacy policies of most of these sites stated that they shared data with affiliates but they did not share data with 3rd parties.
>>  
>> I think one issue here is that most consumers would not immediately comprehend this technical distinction and would potentially consider a company like Fox separate from say the social network, Myspace.
>>  
>> Perhaps something to consider as we work through these definitions.
>> -a
>>  
>>  
>>  
>> On Sun, Oct 30, 2011 at 6:37 AM, Mike Zaneis <mike@iab.net> wrote:
>> Jonathan, this is a very helpful discussion, providing the scenarios and possible real examples. My only comment is that I believe your second possible definition - legal business relationships - is overly broad. The corporate ownership factor is correct, but I don't think most/anyone would argue that a contract with a non-related company would make that company a first party (it could make them an agent of the first party if the data is only used for the benefit of the first party, but that is a different discussion). Most U.S. laws treat legal "affiliates", companies with some common ownership, as first parties (i.e. ESPN and ABC are treated as first party to the parent company Disney). I think that is the more useful straw man to use for this discussion.
>> 
>> Mike Zaneis
>> SVP & General Counsel, IAB
>> (202) 253-1466
>> 
>> On Oct 29, 2011, at 1:11 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
>> 
>> > (ACTION-25)
>> >
>> > As I understand it, there are four camps on how to distinguish between first parties and third parties.
>> >
>> > 1) Domain names (e.g. public suffix + 1).
>> >
>> > 2) Legal business relationships (e.g. corporate ownership + affiliates).
>> >
>> > 3) Branding.
>> >
>> > 4) User expectations.
>> >
>> > Here are some examples that show the boundaries of these definitions.
>> >
>> > Example: The user visits Example Website at example.com.  Example Website embeds content fromexamplestatic.com, a domain controlled by Example Website and used to host static content.
>> >
>> > Discussion: Content from the examplestatic.com domain is first-party under every test save the first.
>> >
>> > Example: Example Website (example.com) strikes a deal with Example Affiliate (affiliate.com), an otherwise unrelated company, to share user data.  The user visits Example Website, and it embeds content from Example Affiliate.
>> >
>> > Discussion: Content from Example Affiliate is third-party under every test save the second.
>> >
>> > Example: Example Website embeds a widget from Example Social Aggregator.  The widget includes a prominent logo for Example Social Aggregator, though a user is unlikely to recognize it.
>> >
>> > Discussion: Content from Example Social Aggregator is third-party under every test save the third.
>> >
>> >
>> 
> 
Received on Monday, 31 October 2011 01:52:41 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:41 UTC