- From: Nicholas Doty <npdoty@w3.org>
- Date: Fri, 3 Feb 2012 13:27:56 -0800
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-Id: <79C3EB02-D6E4-4029-8668-C072DD9F88A0@w3.org>
Hi Shane, Sorry for the confusion, but this gives me more questions, as I didn't realize the Service Provider concept was important for this proposal. Do you mean "Service Provider" in the sense of the outsourcing exception currently defined in 3.6.1.2 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#TypesofTrackingOutsourcing? I thought the Cross-Site Track proposal allowed third parties to collect siloed data for their own purposes (targeting advertising, etc.) which would be contrary to the current text as I understand it. If this proposal is compatible with the current outsourcing exemption, then that's great news and I think we're one step closer to consensus. On Feb 3, 2012, at 12:22 PM, Shane Wiley wrote: > 3rd parties MUST NOT collect data across multiple, non-affiliated or branded websites. > <Non-Normative> Data collected by a 3rd party MUST be segregated according to the 1st party from which it was collected. A 3rd party MUST NOT aggregate, correlate or use together data that was collected on different 1st party sites. > > Do these next three statements only apply to data collected across multiple sites? Or to any data that a third party collects about a user? [Correct – only data collected across multiple sites – as profiling only for a single site falls under the 1st party definition (as a Service Provider with no independent rights to use this data elsewhere).] > > 3rd parties MUST NOT add collected data to a "profile" of a user. > > 3rd parties MUST NOT leverage previously collected data to profile a user or to alter a user's experience. > > 3rd parties MUST NOT attempt to personally identify a user. > > If these only apply to data collected across multiple sites, I'm not sure the first at least is necessary. If I can't collect data about a user across sites, it would be impossible to use that not-collected data to add to a profile of them, right? > > [Logically you could argue it that way but we added this statements to make the prohibition very clear and to lower the risk of logic entanglement arguments.] I see now, thanks. I still find the language confusing per the below, but I'm all for making statements clear even if it requires some level of redundancy. > Also, if that assumption is right, then the language seems confusing to me; 3rd-parties would be allowed to add data to profiles, leverage previously collected data to alter a user's experience or identify a user, as long as they were doing so with data they hadn't combined across sites, right? > > [Correct – as a Service Provider to a 1st party with no independent rights to use this data elsewhere.] Thanks, Nick
Received on Friday, 3 February 2012 21:28:02 UTC