W3C home > Mailing lists > Public > public-tracking@w3.org > July 2012

RE: ISSUE-154: Are First parties allowed to use data (either offline or online) from third parties

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wed, 25 Jul 2012 05:25:30 -0700
To: David Singer <singer@apple.com>, Jonathan Mayer <jmayer@stanford.edu>
CC: Chris Pedigo <CPedigo@online-publishers.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8024F8F92B4CB@SP2-EX07VS02.ds.corp.yahoo.com>
I believe the discussion of offline data and 1st party use is out-of-scope (the proposal we forwarded calls this out).  As offline data is collected from either public sources or through direct user consent (contests, sweepstakes, etc.), if this is matched directly to a 1st party to affect the user's experience on a 1st party, I don't see how this impacts our current discussion (1st party + user consent = out of scope for DNT).  If a 1st party were to attempt to leverage this data anywhere other than their own property, then I see this as 3rd party use and it would then have to honor the DNT signal (example 1 below).

- Shane

From: David Singer [mailto:singer@apple.com]
Sent: Tuesday, July 24, 2012 7:49 PM
To: Jonathan Mayer
Cc: Chris Pedigo; public-tracking@w3.org
Subject: Re: ISSUE-154: Are First parties allowed to use data (either offline or online) from third parties


On Jul 24, 2012, at 14:21 , Jonathan Mayer wrote:


A couple concrete examples might clarify the problem.

Example 1: John Doe signs up on the Example News website.  Doe has Do Not Track enabled.  Example News makes offline contact with Example Data Aggregator to get a consumer profile on John Doe.  Example News then offers ad targeting based on that data in its private ad exchange.  Allowed?

(I think the answer is no, entailed by two other points of consensus.  First: a first party shouldn't be able to share with a third party any information that the third party could not collect itself.  Second: a third party cannot intentionally solicit and collect identifying information about a user.)

Example 2: John Doe is a long-time rewards club member at Example Supermarket.  Example Supermarket has relied on Doe's Example Data Aggregator profile for years to determine which coupons to print for him.  Doe, with DNT enabled, signs up on the Example Supermarket website for online shopping and home delivery.  Example Supermarket recommends products on its website based on Doe's Example Data Aggregator profile.  It also continues to print in-store coupons based on that profile.  Allowed?

(This example is trickier.  My inclination would be to say the supermarket should stop gathering new third-party profiles and, perhaps, stop using old third-party profiles.  I'm curious where others come down.)


I think we might think about behavior that is unwise (but allowed) and behavior that is not allowable.  If the user perceives that the tracking is still going on, that might be unwise on the site's part, even if we decide it's formally allowed.

Previously we had the catch-phrase "treat me a someone about whom you know nothing and remember nothing" and under that, the answer to the question is "no", clearly.  But it's the accumulating of the database that is the real tracking here; the use of pre-existing data may be less egregious (though probably unwise, as I said).



On Tuesday, July 24, 2012 at 12:13 PM, Chris Pedigo wrote:
I have significant concerns about this restriction on first parties.  There has been discussion about including such a restriction, but I do not recall the group reaching any kind of consensus.  In addition, I have asked for text on this restriction and never received it, which begs the question - what have we agreed to (if such agreement has ever been reached)?

That said, restricting first parties from appending data to records of DNT:1 users is problematic for several reasons:

First parties are already prohibited from sharing data about DNT:1 users with third parties and third parties cannot collect/use data about DNT:1 users.  Look at it this way, a DNT:1 user visits a website - the first party can collect data about that user but can't share it with anyone, the third parties on that site can't even collect/use it.  The loophole has already been closed.
Since #1 is true, this means that the data we're talking about restricting is data that has been collected offline or data that has been collected with consent or otherwise in the spirit of DNT.
The primary purpose of appending data to data about DNT:1 users is for first-party marketing, which the FTC recognized as an above-board purpose which generally should not require user consent.  The reason is simple - you can opt out of that marketing, it's obvious and users expect it.

I am open to continuing this discussion on tomorrow's call and/or via email.  But I do not believe this group should restrict the ability of first parties to conduct the long-standing practice of first party marketing.


Chris Pedigo
VP, Government Affairs
Online Publishers Association
(202) 744-2967



David Singer
Multimedia and Software Standards, Apple Inc.
Received on Wednesday, 25 July 2012 12:26:17 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:53 UTC