ACTION 100: machine readable lists Amy, Joanne and Kevin

I'm not sure that there is an issue number assigned, but this is an Action that came out of David Singer's session.



Possible Use cases for machine readable assertions of party affiliations in TPE specification

Scenario Discussed: When a user grants an exception [or override] to 3rd party A on first party site B, they could be asked [by party A] to grant an exception to all sites affiliated with party A.  A machine readable list could aid in that override by minimizing the number of override requests.

Proposed Text: Scope of any override granted to a 3rd party will be determined by the language of the consent obtained from the user by the party.  The scope and enforceability of user consent are determined by local legal requirements, rather than a machine readable list or other mechanism implemented by the party.

There are significant concerns about the expense and difficulty of maintaining an up-to-date, accurate machine-readable list of all domains owned by a party, and particularly whether the benefits (to the user and to the party) could outweigh such costs.  Costs also included concern about impact of browser redirects (Kevin identifies 2 requests to parent and child pages before page loads).  As such, we do not recommend that this be a required item in order to obtain consent.

Example:
Newsy.org (a site that aggregates interesting third party content from around the web) displays a post from blog Techy.com.  Arrington Co. owns Techy.com, and also owns and operates Fund.com and NoHuff.com, a fact that is disclosed in the privacy policies of those sites.  When a user with DNT:1 visits Newsy.org, Arrington Co. asks the user to provide an override to allow Arrington Co. to track the user on Newsy.org and on all sites owned by Arrington Co.  The user clicks "I agree," and Arrington Co. then may track the user on Newsy.org, Techy.com, Fund.com and NoHuff.com.