CDT's proposals re: template for parties and business uses

Contributors to this proposal: Justin Brookman, Erica Newland
 
This proposal seeks to address Issues 10, 17, 19, 22, 24, 25, 31, 49, and 73
 
Summary of compromise suggestion:
 
Discoverable affiliate definition of party used
Market research removed from permitted uses unless data de-identified within two weeks
Product improvement removed from permitted uses in favor of debugging
All permitted uses require retention only as reasonably required by exempted purpose, and clear statement of data retention periods
Data collected by a company as a first party may be used by that company to customize content in third-party settings (logged-in state irrelevant, though could be justified)
“Clear and prominent” notice and consent required for user-granted exceptions (logged-in state irrelevant)
 
Part I: Parties
 
A.  A party is . . .
 
[CDT would prefer a test based on reasonable expectations of a user, but would be willing to compromise on the Amy/Shane definition of discoverable affiliates if concessions are made on other issues (see below)]
 
Discoverable Affiliates
 
Normative Discussion
A party is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person. For unique corporate entities to qualify as a common party with respect to this standard, those entities must be commonly owned and commonly controlled, and must make their parent affiliation (if any) easily discoverable to users.
 
Non-Normative Discussion
This may be accomplished in many ways, including but not limited to, prominent and common branding on site pages, "one click away" within Privacy Policies, and, if available, a programmatic list of domains that share common ownership (affiliation).
 
Example 0: If a user visits flickr.com, which is branded "from Yahoo!", are Flickr and Yahoo one party?  CDT: YES
 
Example 1: If a user visits google.com, are other parts of Google, Inc. (adwords, analytics, YouTube, gmail, Google Maps) also the same party as google.com? CDT: YES
 
Example 2: If a user visits geico.com, is See's Candies also the same party? CDT: YES, although this must be easily discoverable per the specification.
 
Example 3: If Mozilla and Opera form a jointly-owned and controlled company called Moperilla, and a user visits Moperilla, are Mozilla and Opera part of the same party as Moperilla? CDT: NO, Mozilla, Opera, and Moperilla all have different owners and control structures.  Only Moperilla is a first party, and Mozilla and Opera may not use that data as a first party.
 
B.  A first party is . . .
 
CDT recommends that the definition capture the idea that a first-party site is the site that the user intended to visit.  This definition is intended to distinguish between a link that the user intended to visit as opposed to a link shortening service, or the news site that a user typed into a browser as opposed to the operator of any widgets on that site.  The “meaningful interaction” test can still turn a third party into a first party.
 
Meaningful User Interaction: A "first party" is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third party.
 
To comply with DNT, a first party MUST...

[CDT: no affirmative obligations]
 
To comply with DNT, a first party MUST NOT…
 
CDT: share information about the communication with a third party in a form that can allow the information to be correlated with the same user’s activity on other third-party domains, UNLESS the first party ensures that the third party provides technical or legal assurances that it will honor the same obligations to protect the information that the first party is required to honor, OR the sharing is a permitted use as defined in this standard or pursuant to specific, user-granted exceptions.
 
CDT: The language above is designed to ensure that first parties cannot help third-party ad networks circumvent DNT signals through backchannel means.
 
C. A third party is…
 
CDT: any entity that is not a first party or the end user.
 
To comply with DNT, a third party MUST...
 
CDT:  If the operator of a third-party domain receives a communication to which a [DNT-ON] header is attached:

that operator MUST NOT collect, share, or use information related to that communication outside of either the permitted uses or any explicitly-granted exceptions, as provided in accordance with the requirements of this standard;
that operator MUST NOT use information about previous communications in which the operator was a third party, outside of the permitted uses as defined within this standard;
that operator SHOULD NOT retain information about previous communications in which the operator was a third party, outside of the permitted uses as defined within this standard; and
that operator, upon receiving data from a distinct, standard-compliant party, MUST treat that data with at least the level of protection that the other party was required to afford that data under this standard.
 
D. A third party acting as a first party (as an agent) is: 

[CDT: We suggest this section be moved under the definition of first party:]
 
Outsourcing Partner of First-Party:
 
A third-party service may operate as a first-party site if all the following conditions hold:

the third party's data collection, retention, and use practices comply with at least the requirements for first parties;
the data collected by the third party is available only to the first party, and the third party has no independent right to use the data (unless that data is deidentified or aggregated);
the third party makes commitments that are consistent with compliance with this standard and they do so in a form that is legally enforceable (directly or indirectly) by the first party, individual users, and regulators; data retention by the third party must not survive the end of this legal enforceability;
the third party undertakes reasonable technical precautions to prevent the retention of data that could be correlated across first parties.

Examples and use cases:
ExampleAnalytics collects analytic data for ExampleProducts Inc. It operates a site under the DNS name analytics.exampleproducts.com. It collects and analyzes data on visits to ExampleProducts, and provides that data solely to ExampleProducts, and does not access or use it itself, although it may use and sell aggregate reports about generic user behavior on ExampleProducts.com.

 
Part II: Permitted Uses
 
Note: unless you specifically document otherwise, this section is understood to ONLY APPLY TO THIRD PARTIES.
 
For each of the seven potential business uses below, please indicate if:
                        A. this particular use is never allowed under DNT
                        B. this particular use is allowed as long as data is "unlinkable" as described in section 0
                        C. this particular use is allowed with retention limits (describe)
                        D. this particular use is allowed with aggregation (describe)
                        E. this particular use is allowed (describe any other limitations that apply)
 
As needed, feel free to define and scope the potential business uses.
 
0. "Reasonably Unlinkable" data:
 
CDT: E (allowed, no limits) if the following definition applies:  A party holds information about a communication that is "reasonably unlinkable" to an individual or device provided that this party: 

takes reasonable measures to ensure that the data is de-identified — this includes removing IP address or persistent device ID;
publicly commits not to try to re-identify the data; and
contractually prohibits downstream recipients from trying to re-identify the data.

Information that is not "reasonably unlinkable" is referred to as "reasonably linkable" information. A set of precise geo-location data points compiled over time, for example, is likely to be reasonably linkable absent de-identification efforts.
 
[This definition tracks the specific language of the recent FTC report and also tracks the language in Recital 23 of the European Data Protection Regulation legislation.  If data meets this definition, it does not matter to what purpose it is used or how long it is retained.]
 
1. Frequency Capping - A form of historical tracking to ensure the number of times a user sees the same ad is kept to a minimum. 

CDT: OK if the data will satisfy the criteria in B/D within two weeks OR
CDT: OK so long as the data is only retained for as long as is reasonably required for this purpose and the third-party’s privacy policy (or equivalent, readily-discoverable document) explains with reasonable precision how soon personal information will be deleted or rendered unidentifiable (“C” under the template above) 

2. Financial Logging - Ad impressions and clicks (and sometimes conversions) events are tied to financial transactions (this is how online advertising is billed) and therefore must be collected and stored for billing and auditing purposes.

CDT: OK if the data will satisfy the criteria in B/D within two weeks OR
CDT:  OK so long as the data is only retained for as long as is reasonably required for this purpose and the third-party’s privacy policy (or equivalent, readily-discoverable document) explains with reasonable precision how soon personal information will be deleted or rendered unidentifiable (“C” under the template above)

3. 3rd Party Auditing - Online advertising is a billed event and there are concerns with accuracy in impression counting and quality of placement so 3rd party auditors provide an independent reporting service to advertisers and agencies so they can compare reporting for accuracy.

CDT: OK if the data will satisfy the criteria in B/D within two weeks OR
CDT: OK so long as the data is only retained for as long as is reasonably required for this purpose and the third-party’s privacy policy (or equivalent, readily-discoverable document) explains with reasonable precision how soon personal information will be deleted or rendered unidentifiable (“C” under the template above)

4. Security - From traditional security attacks to more elaborate fraudulent activity, ad networks must have the ability to log data about suspected bad actors to discern and filter their activities from legitimate transactions. This information is sometimes shared across 3rd parties in cooperatives to help reduce the daisy-chain effect of attacks across the ad ecosystem.

CDT: OK if the data will satisfy the criteria in B/D within two weeks OR
CDT: OK so long as the data is only retained for as long as is reasonably required for this purpose and the third-party’s privacy policy (or equivalent, readily-discoverable document) explains with reasonable precision how soon personal information will be deleted or rendered unidentifiable (“C” under the template above)
 
5. Contextual Content or Ad Serving: A third party may collect and use information contained within the user agent string (including IP address and referrer url) to deliver content customized to that information.

CDT: OK if the data will satisfy the criteria in B/D within two weeks OR
CDT: OK so long as the data is only retained for as long as is reasonably required for this purpose and the third-party’s privacy policy (or equivalent, readily-discoverable document) explains with reasonable precision how soon personal information will be deleted or rendered unidentifiable (“C” under the template above)

6. Research / Market Analytics

CDT: OK if the data will satisfy the criteria in B/D within two weeks

7. Debugging

CDT: OK if the data will satisfy the criteria in B/D within two weeks OR
CDT:  OK so long as the data is only retained for as long as is reasonably required for this purpose and the third-party’s privacy policy (or equivalent, readily-discoverable document) explains with reasonable precision how soon personal information will be deleted or rendered unidentifiable (“C” under the template above)

Part III: Additional potentially relevant, but likely irrelevant, information
 
Definition of Tracking (Issue-5):

[CDT:  We strongly urge silence.  We believe this is defined by the spec; it will be incumbent upon implementers to message to users what the spec accomplishes.]
 
Logged In (Issue-65):

[CDT: We urge silence.  If there is an exception for logged-in state, we recommend that it be as a limitation on when third parties can use information they received previously as a first-party:
 
Under the current language of the compliance specification, a party is allowed to use data that it received as a first-party in a third-party context to deliver content.  For example, I often see LinkedIn ads around the web based on my LinkedIn profile but not based on cross-site behavioral data or even the context of the page that I am on.
 
If we were to have an exception for logged-in state, CDT would prefer that it be limited to allowing the use of first-party data in the third-party context to only those scenarios where the user is in a logged-in state for the first-party: E.g., Facebook may render social widgets based on logged-in state and information it received as first-party on Washington Post, but Weather.com may not render widgets based on first-party data on New York Times for users who never registered for Weather.com]
 
Definition of Consent/Affirmative, Informed Consent to be Tracked (Issue 69): 

CDT: means consent given by an affirmative action such as clicking a consent box in response to a clear and prominent request to ignore a "Do Not Track" setting that is distinct and separate from any other notifications or requested permissions. 

[We believe very strongly that a user-stated rule for “Do Not Track” must be circumvented by third parties ONLY with the user’s clear and informed permission.  This has nothing to do with any first or third parties’ preexisting legal obligations under any regime.]


Erica Newland
Policy Analyst
Center for Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
202.407.8836
enewland@cdt.org
http://www.cdt.org
Follow us on Twitter at @CenDemTech

Received on Saturday, 7 April 2012 05:13:46 UTC