Contributors to this proposal: John M. Simpson
Part I: Parties
A. A "party" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person, that an ordinary user would perceive to be a discrete entity for purposes of information collection and sharing. A party MAY also include affiliates if the affiliates are commonly owned and controlled, and the relationship is clear to consumers through common branding. A party MUST NOT include more than five affiliates.
Example 0: If a user visits flickr.com, which is branded "from Yahoo!", are Flickr and Yahoo one party? Yes.
Example 1: If a user visits google.com, are other parts of Google, Inc. (adwords, analytics, YouTube, gmail, Google Maps) also the same party as google.com? Yes.
Example 2: If a user visits geico.com, is See's Candies also the same party? No.
Example 3: If Mozilla and Opera form a jointly-owned and controlled company called Moperilla, and a user visits Moperilla, are Mozilla and Opera part of the same party as Moperilla? No.
B. A "first party" is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a "third party." If a party cannot infer with a high degree of probability that it is a "first party," it MUST behave as a third party.
To comply with DNT, a first party MUST NOT share data with a third party, outside of permitted uses as defined in this standard or specific user-granted exceptions.
To comply with DNT, a first party MAY take additional privacy enhancing steps, such as treating each session with a user as an entirely new session unless it has been given permission to store her information and use it again.
C. A "third party" is any party, in a specific network interaction, that cannot infer with high probability that the user knowingly and intentionally communicated with it. If a party does not know its status, it MUST behave as a third party.
To comply with DNT, if the operator of a third-party domain receives a communication to which a [DNT:1] header is attached:
- that operator MUST NOT collect, share, or use information related to that communication outside of the permitted uses as defined within this standard and any explicitly-granted exceptions, provided in accordance with the requirements of this standard;
- that operator MUST NOT use information about previous communications in which the operator was a third party, outside of the explicitly expressed permitted uses as defined within this standard;
- that operator MUST NOT retain information about previous communications in which the operator was a third party, outside of the explicitly expressed permitted uses as defined within this standard;
- that operator MUST NOT use information associated with the user agent that was gathered and stored when the operator was acting as a first party.
D. A third party acting as a first party (as an agent) MUST be under contract to provide a specific service for the first party.
To comply with DNT, a third party acting as a first party MUST NOT combine any data obtained from the first party to perform the contracted service with any other data.
To comply with DNT, a third party acting as a first party MUST retain the data only as long as necessary to perform the contracted service for the first party.
To comply with DNT, a third party acting as a first party MUST NOT collect data that could be combined across first parties.