W3C home > Mailing lists > Public > public-tracking@w3.org > February 2012

Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

From: Nicholas Doty <npdoty@w3.org>
Date: Fri, 3 Feb 2012 13:27:56 -0800
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <79C3EB02-D6E4-4029-8668-C072DD9F88A0@w3.org>
To: Shane Wiley <wileys@yahoo-inc.com>
Hi Shane,

Sorry for the confusion, but this gives me more questions, as I didn't realize the Service Provider concept was important for this proposal.

Do you mean "Service Provider" in the sense of the outsourcing exception currently defined in http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#TypesofTrackingOutsourcing? I thought the Cross-Site Track proposal allowed third parties to collect siloed data for their own purposes (targeting advertising, etc.) which would be contrary to the current text as I understand it.

If this proposal is compatible with the current outsourcing exemption, then that's great news and I think we're one step closer to consensus.

On Feb 3, 2012, at 12:22 PM, Shane Wiley wrote:
> 3rd parties MUST NOT collect data across multiple, non-affiliated or branded websites.
> <Non-Normative> Data collected by a 3rd party MUST be segregated according to the 1st party from which it was collected.  A 3rd party MUST NOT aggregate, correlate or use together data that was collected on different 1st party sites.
> Do these next three statements only apply to data collected across multiple sites? Or to any data that a third party collects about a user?  [Correct  only data collected across multiple sites  as profiling only for a single site falls under the 1st party definition (as a Service Provider with no independent rights to use this data elsewhere).]
> 3rd parties MUST NOT add collected data to a "profile" of a user.
> 3rd parties MUST NOT leverage previously collected data to profile a user or to alter a user's experience.
> 3rd parties MUST NOT attempt to personally identify a user.
> If these only apply to data collected across multiple sites, I'm not sure the first at least is necessary. If I can't collect data about a user across sites, it would be impossible to use that not-collected data to add to a profile of them, right? 
> [Logically you could argue it that way but we added this statements to make the prohibition very clear and to lower the risk of logic entanglement arguments.]

I see now, thanks. I still find the language confusing per the below, but I'm all for making statements clear even if it requires some level of redundancy.

> Also, if that assumption is right, then the language seems confusing to me; 3rd-parties would be allowed to add data to profiles, leverage previously collected data to alter a user's experience or identify a user, as long as they were doing so with data they hadn't combined across sites, right?
> [Correct  as a Service Provider to a 1st party with no independent rights to use this data elsewhere.]


Received on Friday, 3 February 2012 21:28:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:33 UTC