Re: The DAA Commitment from Jonathan Mayer on 2012-02-27 (public-tracking@w3.org from February 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sun, 26 Feb 2012 17:56:26 -0800
To: Mike Zaneis <mike@iab.net>
Cc: John Simpson <john@consumerwatchdog.org>, Ed Felten <ed@felten.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <E5C90AE1-4D65-4FDB-B7B1-A98E1381BD6C@stanford.edu>
Mike,

Thanks for the clarifications.  I have a follow-up question about what the DAA principles require after a user opts out.

In your view, no data collection is allowed save "a few limited use cases."  My reading, which I've vetted with several advertising companies, is that the principles impose few additional restrictions for opted out users.  I don't mean to split hairs on the meaning of "limited"; I'm trying to understand exactly which business practices a DAA-compliant website foreswears once a user opts out.

As I read the DAA self-regulatory documents, the exceptions for "Delivery," "Market Research," "Product Development," "Reporting," and "Operations and System Management" encompass all conceivable business practices, such that the only constraint for an opted-out user relative to a not-opted-out user is a use limitation on behavioral personalization.

Is my reading erroneous?  If so, could you please give a few examples of other business practices that become prohibited once a user opts out?

Thanks,
Jonathan

On Feb 25, 2012, at 6:34 AM, Mike Zaneis wrote:

> John, these are very good questions and essentially the same ones that Ed Felton asked me directly, so I will provide one answer to the group. 
> 
> 1.  The DAA Principles apply to data collection through the more recent Multisite Data document. That document states that you cannot collect data once a consumer has opted out except for a few limited cases (Analytics, product development, market research). That document also expanded the original OBA Principles so all cross site data is covered, not just data used for OBA purposes. 
> 
> 2.  The DAA Principles state that notice and choice must be provided on any site where OBA is occurring or where data is being collected for OBA purposes (OBA only covering third party OBA). Therefore, in your scenario, if a publisher is collecting data to sell to a third party or if it is collecting data to do third party OBA, including retargeting, then notice and choice are required. 
> 
> I am sensing many in the group are not intimately familiar with the DAA program. I would be happy to facilitate a briefing for anyone interested in learning more about the existing program.  
> 
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
> 
> On Feb 24, 2012, at 6:21 PM, "John Simpson" <john@consumerwatchdog.org> wrote:
> 
>> Mike,
>> 
>> I appreciate your effort to explain the DAA commitment.  May I please ask a few questions?
>> 
>> 1. Does what you've said mean that the DAA has agreed to recognize DNT headers and respond by not targeting ads based on a user's online behavior, but that tracking and data collection could continue?
>> 
>> 2. Is it the DAA's position that 1st parties would have no obligations whatsoever when DNT is enabled?  Would  a 1st party be able to share data with a 3rd party under the DAA principles?  Could a party use data it had gathered while 1st party when it is acting as a 3rd party?
>> 
>> I'd like to understand the DAA's position.
>> 
>> Thans,
>> John
>> 
>> 
>> On Feb 24, 2012, at 8:50 AM, Mike Zaneis wrote:
>> 
>>> I know in the aftermath of a major announcement such as the one made yesterday that many people are asking for clarity on the commitments that were made.  I appreciate Jonathan's call on Thursday to listen to the principles and try to learn more.  As a DAA Board Member and participant of the W3C Working Group, I am happy to try and explain the agreement between the Obama Administration and the DAA.  I believe what we have agreed to can best be summed up as a commitment by the DAA to implement consistent, easy-to-use browser tools into the existing DAA opt out program, when a consumer chooses to utilize these options.  Our goal is to accomplish this integration over the course of the next 9 months, which we believe is inherently achievable.  It is also important to note that the Obama Administration has recognized the combined DAA, NAI, and CBBB Enforcement Program as a model of success for what they call "enforceable codes of conduct".
>>> 
>>> The more difficult interpretation of these commitments is the effect they might have on the W3C DNT process.  The DAA has not committed to implementing any standard/technology that is inconsistent with the current DAA Principles.  We have committed to immediately begin working with the browser providers to develop a consistent and easy-to-use header tool that educates consumers and allows them to exercise a persistent opt out from the DAA Principles.
>>> 
>>> At the very first face to face meeting of this group I stood up and expressed my sincere desire to work through the W3C process to develop a meaningful consumer tool, but I also expressed concern if the W3C standard was inconsistent with the DAA Principles because that would undermine adoption by companies around the globe.  Neither of those positions has changed following yesterday's announcement.
>>> 
>>> To give an example, the W3C technology standard being developed appears likely to require 1st parties to recognize browser headers and respond accordingly.  The exclusion of 1st parties from such standards is widely accepted and was included in the very first FTC report on self regulation.  Realistically, the likelihood of the DAA changing its position to adopt such a requirement is very low.
>>> 
>>> There were a lot of very positive commitments made yesterday by our industry and the U.S. Government.  On our end, all the credit goes to the companies, which continue to make immense investments to advance consumer privacy.  While I do not want to lose sight of those positive commitments, I need to point out some of the things that we did NOT commit too, including changing the underlying DAA Principles.  We have not extended the program to cover 1st parties.  We have not committed to any specific implementation technology or business practices, those will be worked out with the DAA member companies through a very deliberative process.  We have not agreed to implement standards that differ from the current DAA Principles, be that W3C DNT standards or company-imposed technology standards.  And we have not agreed to a "one click" DNT toolbar button, as has been reported.
>>> 
>>> I hope this answers some of the questions regarding yesterday's announcement.  
>>> 
>>> Mike Zaneis
>>> SVP & General Counsel
>>> Interactive Advertising Bureau
>>> (202) 253-1466
>>> 
>>> Follow me on Twitter @mikezaneis
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Ed Felten [mailto:ed@felten.com] 
>>> Sent: Friday, February 24, 2012 6:01 AM
>>> To: public-tracking@w3.org (public-tracking@w3.org)
>>> Subject: Re: White House event
>>> 
>>> As Aleecia said, yesterday was a big news day for privacy in the U.S.
>>> The White House announced their Privacy Bill of Rights.  And, more directly relevant for this group, the advertising industry, through the Digital Advertising Alliance (DAA), announced that they would move toward adoption of DNT.  The DAA and its members deserve tons of credit for taking this step and making a strong commitment to follow through.
>>> 
>>> The DAA's statement said the group would "add browser-based header signals to the set of tools by which consumers could express their preferences under the DAA Principles", and the statement referred to a
>>> "browser based header signal uniform consumer choice mechanism".   The
>>> White House put it more succinctly, saying that DAA members "are committing to use Do Not Track technology from the World Wide Web Consortium".
>>> 
>>> DAA participating companies have been playing key roles in this working group from the very beginning, as editors of both DNT documents, drafters of text, and mainstays of the email discussion.
>>> Many of our best ideas have come from DAA participants, and it was a DAA participant who initially asked the W3C to convene this group.  By my count, eighteen members of the working group come from DAA participating companies.
>>> 
>>> Now that the DAA is committed to the success of the DNT technology, it's especially important to keep moving toward completing the standards that define the DNT technology.
>>> 
>>> =====
>>> DAA statement: http://www.aboutads.info/resource/download/DAA_Commitment.pdf
>>> White House fact sheet:
>>> http://www.whitehouse.gov/the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting-consumer-privacy-b
>>> 
>>> 
>>> On Thu, Feb 23, 2012 at 4:13 AM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
>>>> Greetings,
>>>> 
>>>> If anyone has not seen the press yet, there is an event on privacy on Thursday at the White House. DNT is part of the discussion.
>>>> 
>>>> It's an exciting time for user privacy, industry self-regulation groups, and some of our working group members. There have been rumors flying for two months now. I think we're going to be able to get a lot more work done once the dust clears.
>>>> 
>>>> In the short term, (I suspect some of the editors and) I have been distracted by this event, which has slowed work on the compliance draft. Feel free to take a look -- it's coming together -- but we are not quite as far along as I'd hoped. The odds of publishing the Second Public Working Draft on Feb 29th are dimming, but we are not looking at a large slip if there is one.
>>>> 
>>>> In the longer term, the Tracking Protection Working Group continues just as it has been: a fora for stakeholders from a variety of perspectives to work out differences and come to consensus agreements. The self-regulation groups, and their members, are important inputs to that process. That said, we encompass a wide variety of other views and stakeholders. We will naturally be likely to up with different end points than US industry groups.
>>>> 
>>>> And a by now familiar request from me -- kindly recall we have more months of working together. If you're going to grouse at someone, take it off the list and calls, please. I will endeavor to do the same.
>>>> 
>>>> Thanks to all of you for your hard work so far. When the swirl dies down, there will more work to do, first in getting the next drafts out ASAP, and then as we turn to locking down some of the big issues we've been slowly teasing apart. The next few months will not be dull.
>>>> 
>>>>        Aleecia
>>> 
>>> 
>> 
>> ----------
>> John M. Simpson
>> Consumer Advocate
>> Consumer Watchdog
>> 1750 Ocean Park Blvd. ,Suite 200
>> Santa Monica, CA,90405
>> Tel: 310-392-7041
>> Cell: 310-292-1902
>> www.ConsumerWatchdog.org
>> john@consumerwatchdog.org
>>
Received on Monday, 27 February 2012 01:58:12 UTC