Re: issues 23 and 34, happy new year's initial text for all...


I like your suggestion. We should ask Rob about it as I think the restrictions 
even match the definition of a data processor under the EU Directive, thus 
giving the entire responsibility to the first party (data controller in EU 

Can we resolve?


On Tuesday 03 January 2012 15:18:30 David Singer wrote:
> Issue number: 23
> Issue name: Possible exemption for analytics
> Suggested retitle: Possible exemption for outsourcing
> Issue URL:
> Section number in the FPWD: 3.4 Types of Tracking
> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
> Specification:
> A third-party site may operate as a first-party site if all the following
> conditions hold: the data collection, retention, and use complies with at
> least the requirements for first-parties; the data collected is available
> only to the first party, and the third party has no independent right to
> use the data; the third party makes commitments to adhere to this standard
> in a form that is legally enforceable (directly or indirectly) by the first
> party, individual users, and regulators; data retention by the third party
> must not survive the end of this legal enforceability; the third party
> undertakes reasonable technical precautions to prevent collecting data that
> could be correlated across first parties.
> Non-normative Discussion:
> The rationale for rule (2) is that we allow the third party to stand in the
> first party’s shoes – but go no further.  The third party may not use the
> data it collects for “product improvement,” “aggregate analytics,” or any
> other purpose except to fulfill a request by a first party, where the
> results are shared only with the first party.
> Rule (3) allows for the possibility of more than one level of outsourcing.
> In rule (4), one component of reasonable technical precautions will often be
> using the same-origin policy to segregate information for each first-party
> customer.
> Note that any data collected by the third party that is used, or may be
> used, in any way by any party other than the first party, is subject to the
> requirements for third parties.
> Example:
> ExampleAnalytics collects analytic data for ExampleProducts Inc.  It
> operates a site under the DNS It collects
> and analyzes data on visits to ExampleProducts, and provides that data
> solely to ExampleProducts, and does not access or use it itself.
> Text that possibly belongs in other sections:
> When the third party sends a response header, that header must indicate that
> they are a third party and that they are operating under this
> exception. Note that a third party that operates under a domain name or
> other arrangement that makes it appear to the user as if they are the first
> party, or a part or affiliate of the first party, is nonetheless a third
> party and is subject to the requirements of this clause ("DNS
> masquerading").
> Issue number: 34
> Issue name: Possible exemption for aggregate analytics
> Suggested retitle: Possible exemption for unidentifiable data
> Issue URL:
> Section number in the FPWD: 3.4 Types of Tracking
> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
> Specification:
> A third party may collect, retain, and use any information from a user or
> user agent that, with high probability, could not be used to:
> 1) identify or nearly identify a user or user agent; or
> 2) correlate the activities of a user or user agent across multiple network
> interactions.
> Examples:
> 1. A third-party advertising network records the fact that it displayed an
> ad.
> 2. A third-party analytics service counts the number of times a popular
> page was loaded.
> Non-Normative Discussion:
> This exception (like all exceptions) may not be combined with other
> exceptions unless specifically allowed.  A third party acting within the
> outsourcing exception, for example, may not make independent use of the
> data it has collected even though the use involves unidentifiable data.  A
> rule to the contrary would provide a perverse incentive for third parties
> to press all exceptions to the limit and then use the collected data within
> this exception. A potential ‘safe harbor’ under this clause could be to
> retain only aggregate counts, not per-transaction records.
> Text that possibly belongs elsewhere:
> Possible advances in de-anonymization that make previously non-identifiable
> data, identifiable, should be considered. [Maybe need an issue: whose
> problem is it when data from disparate sources, all but one of which are
> anonymous, is combined to achieve de-anonymization?]

Received on Monday, 9 January 2012 17:42:15 UTC