
Re: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"

From: Tamir Israel <tisrael@cippic.ca>
Date: Sun, 29 Jul 2012 15:40:48 -0400
Message-ID: <501591C0.4080900@cippic.ca>
To: Shane Wiley <wileys@yahoo-inc.com>
CC: Lee Tien <tien@eff.org>, Craig Spiezle <craigs@otalliance.org>, 'Chris Mejia' <chris.mejia@iab.net>, 'David Wainberg' <david@networkadvertising.org>, 'Jonathan Mayer' <jmayer@stanford.edu>, "'Dobbs, Brooks'" <Brooks.Dobbs@kbmg.com>, "public-tracking@w3.org" <public-tracking@w3.org>, 'Nicholas Doty' <npdoty@w3.org>

I have not looked into SOX reporting in detail, but at bottom the 
reporting obligations and internal accountability mechanisms seem 
premised on the need to take reasonable steps to ensure accurate 
reporting of assets/transactions.

So if, for example, you can use Jonathan/Arvind's algorithm to ensure 
that 5,000 advertisements were served and none violated a frequency cap, 
you should have your transaction record w/out need to resort to unique 
ID (assuming the algorithm can work).


On 7/29/2012 1:02 PM, Shane Wiley wrote:
> Tamir,
> We use unique IDs for both the impression and the individual to validate the transaction.  I believe this is where the physical world and digital world diverge a bit.  The question is if the grocery store collected a user's loyalty information to discount the price of the good received, are they responsible for saving the loyalty card info with the transaction to prove the discount was fairly and legally applied.  I believe the answer is yes but haven't asked our Finance team that exact question before.
> - Shane
> -----Original Message-----
> From: Tamir Israel [mailto:tisrael@cippic.ca]
> Sent: Sunday, July 29, 2012 9:58 AM
> To: Shane Wiley
> Cc: Lee Tien; Craig Spiezle; 'Chris Mejia'; 'David Wainberg'; 'Jonathan Mayer'; 'Dobbs, Brooks'; public-tracking@w3.org; 'Nicholas Doty'
> Subject: Re: SOX Requirements RE: ACTION-216 - Financial Reporting "Exceptions"
> On 7/29/2012 12:22 PM, Shane Wiley wrote:
>> (b) if so, does the retention requirement apply to the actual ad-serving transactional records that are generated by users' interactions with 3rd-party ad networks/companies?
>> (Part of what I'm asking is what data/records the companies are currently retaining because of Sarb-Ox compliance -- and also, I think, the legal standard that defines the compliance line.)
>> [Yes - as this is considered a "receipt" of the transaction as it's the billed element.  It's like asking if a grocery store must keep a record of each item purchased or if they can simply say a customer spent X in their store.  When ads are sold by impression - each impression must be retained to prove its validity and to be the actual record of receipt.]
>> (c) if so, must the records contain user- or device-identifying information, or is that unnecessary?
>> (Again, the legal standard may be ambiguous, but it would be helpful to know what that legal standard is....
>> [Alteration of a legal record could be considered "evidence tampering" and therefore companies tend to stay on the conservative side of this line.]
> This is where you lose me. If, as Jonathan and others have suggested, it
> is possible to confirm the # of transactions without unique IDs, why
> would the SEC care if you are or are not collecting identifiers? To pick
> up your grocery store example, no one forces Walmart to force customers
> to present a driver's license as a condition of cash payments....
> Best,
> Tamir
Received on Sunday, 29 July 2012 19:41:30 UTC
