first party resource

I am unsatisfied by all of the first-party definitions because I don't consider
them to be implementable (e.g., neither "can infer with high probability that the
user knowingly and intentionally" nor "the party that owns the Web site or has
control over the Web site" can be determined programmatically).

I suggest that we simply state:

  1) A first-party resource is a resource that has been designed for direct
     interaction with a user.

  2) When a user interacts with a given first-party resource, all subrequests
     made to that first-party's domain or to any of the domains listed in the
     same-party array within the first-party's tracking status resource are
     also considered first-party resources; all other subrequests are considered
     third-party resources.

  3) The same-party array MUST be limited to domains that are owned or controlled
     by the same legal entity that owns or controls the first-party as well as
     domains that qualify as third parties acting on behalf of this first party.

  4) The same-party array SHOULD be limited to domains that share sufficient
     context with the first-party, such that the user has a reasonable expectation
     that data provided to any of these domains might be shared or combined with
     data provided to the other same-party domains.

  5) Data provided to first-party resources is subject to first-party compliance
     requirements; data provided to third-party resources is subject to third-party
     compliance requirements.


Received on Tuesday, 10 April 2012 21:00:29 UTC