Re: Parties and First Party vs. Third Party (ISSUE-10)

Amy,

The standard has to specify two separate tests for parties:

1) Substance: What delineates one party from another?
2) Transparency: To what extent does a party have to make its boundaries clear to consumers?

On the transparency test, my sense is that we have a consensus in favor of some flavor of "reasonable" transparency requirement (e.g. "discoverable").  There's plenty of room in the operative text, non-normative discussion, and best practices document for making the test more concrete.

As for the substantive test, we have a consensus that corporate affiliation is necessary for two entities to be considered in the same party.  We do not have a consensus on whether corporate affiliation is sufficient, or whether there will be a second prong to the test involving consumer expectations or branding.

There is, to be sure, some relationship between the two tests.  A heightened transparency requirement increases the likelihood that consumers will understand which entities belong to a party.  (I do not believe a "discoverable" transparency requirement is sufficient to inform ordinary consumers.  It is well established that consumers don't read privacy policies and similar disclosures.)

With that clarification: I believe the group shares your interest in "establish[ing] objective metrics . . around sufficient transparency."  The FTC staff has likewise repeatedly emphasized the importance of notice and transparency in online privacy.  That's all within the scope of the transparency test.

What I'm trying to get clarity on here is the substantive test.  The FTC staff has rejected a corporate affiliation approach that is, as best I can tell, the very same approach you (and others) have advocated.  You indicated that you believe what you've proposed aligns with the FTC staff position.  Could you help me understand how?

Thanks,
Jonathan

On Mar 22, 2012, at 12:48 PM, Amy Colando (LCA) wrote:

> Hi Jonathan,
>  
> Thanks for being open to this discussion.  I think that the key is to think about how we can establish objective metrics (examples?) around sufficient transparency, while recognizing the realities of the online ecosystem for both users and companies.
>  
> I also agree with you that “FTC staff does not appear to have addressed the precise role of branding, affiliation, and other factors that contribute to user expectations,” and perhaps this is an area that we may work to develop in this group.
>  
>  
> Thanks,
>  
> Amy
> 
>  
> From: Jonathan Robert Mayer [mailto:jmayer@stanford.edu] 
> Sent: Thursday, March 22, 2012 12:08 PM
> To: Amy Colando (LCA)
> Cc: Lauren Gelman; Alan Chapell; John Simpson; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> Amy,
>  
> I understand and share your (and many others') concern that the standard be objective and readily implementable. I don't follow, however, how the corporate affiliation approach that you've advocated in group discussions differs from the corporate affiliation approach that the FTC staff rejected. Could you please explain how the two differ? If they don't, could you suggest how user expectations might be rendered sufficiently objective for you to be comfortable with the test?
>  
> Thanks,
> Jonathan 
> 
> On Mar 22, 2012, at 12:01 PM, "Amy Colando (LCA)" <acolando@microsoft.com> wrote:
> 
> Thanks Lauren (and Jonathan and John). If it helps, I am urging that this group help to develop a standard that will encourage adoption by establishing objective criteria so that implementers can clearly understand what their obligations are.  I am not urging that W3C adopt a position that is different than FTC guidance, as you suggest.
>  
>  
> From: Lauren Gelman [mailto:gelman@blurryedge.com] 
> Sent: Thursday, March 22, 2012 11:23 AM
> To: Alan Chapell
> Cc: John Simpson; Jonathan Mayer; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> 
> My understanding was the first/third party definition was the "facebook exception" which is to say that whatever privacy issues you have with facebook, it is pretty darn clear that users understand they are giving their information to facebook.  Every single page has the facebook logo and every page has the facebook url. 
> 
> Of course, the Google asks why they should be penalized for not rebranding Youtube as Google Video and Yahoo asks the same with Flickr as Yahoo Photos.
> 
> Of course if these guys are going to be first parties, then Disney.com and ABC.com should.  Wired.comand Newyorker.com  
> 
> And my favorite, the list of assets owned by News Corporation 
> http://en.wikipedia.org/wiki/List_of_assets_owned_by_News_Corporation
> 
> Since the FTC was the first to create this distinction, I certainly think it is useful to consider why they started down this road.  Based on the report, as cited by John below, they stated the line should be drawn based on the circumstances as they are understood by the user or, whether a relationship is "sufficiently transparentand consistent with reasonable customer expectations." In the parlance of W3C this seems to require anAND as in:
>  
> For parties to be considered first parties their relationship must be "reasonably discoverable" AND "consistent with reasonable customer expectations.
> 
> So Alan I don't think we are mired in different interpretations of what the FTC said.  I think that people on this list want the W3C to adopt a position that is DIFFERENT from what the FTC said.  And it is certainly within this group's charter to do it.  It may even be the right choice after deliberation.  But I think John is correct that as a historical matter the record is not fuzzy on this point.
> 
> On Mar 22, 2012, at 10:51 AM, Alan Chapell wrote:
> 
> 
> 
> Thanks John. I think the point that I was trying to draw here is that we risk getting mired into an debate over individual interpretations of what the FTC 'meant.' And given that you, Amy, Jonathan and others have expressed some very different interpretations, I'm wondering whether these references are productive in the end… You may feel differently, and I respect your opinion.
> 
> 
> Cheers,
> 
> Alan Chapell
> Chapell & Associates
> 917 318 8440
> 
> 
> From: John Simpson <john@consumerwatchdog.org>
> Date: Thu, 22 Mar 2012 10:40:28 -0700
> To: Jonathan Mayer <jmayer@stanford.edu>
> Cc: Alan Chapell <achapell@chapellassociates.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
> 
> I certainly agree that we are attempting to reach consensus on an international standard that should not be tied to any particular jurisdiction's law.  I do believe that various policymakers' and regulators' views on some of the issues we are grappling with can be informative, which is why I offered the language from the FTC documents.
> 
> You'll note that I also said that the FTC should not be the only benchmark we use.
> 
> John
> 
> 
> 
> 
> On Mar 21, 2012, at 8:48 PM, Jonathan Mayer wrote:
> 
> 
> 
> I believe we have a consensus that DNT should not be pinned to any particular jurisdiction's law, but should instead be international.
> 
> It does not follow, of course, that policymakers' thinking on DNT is irrelevant.  Their input is a valuable perspective on the issues we're grappling with.  Furthermore, for many in the group, one of the several aims of DNT is to satisfy legal obligations and policymaker demands.
> 
> Jonathan
> 
> On Mar 21, 2012, at 8:36 PM, Alan Chapell wrote:
> 
> 
> 
> I'm unclear why we keep focusing how one jurisdiction approaches privacy standards. We also spent time on todays call discussing whether or not to include the framework utilized by the EU re: data processors in the core document. And here, we seem to be focusing on how the FTC approach to first party vs third party.
> 
> Given that different jurisdictions have different (and perhaps even at times conflicting) frameworks, using this approach to extrapolate to a global standard may prove difficult. 
> 
> So I'm left wondering, what is the end goal of this type of analysis? 
> 
> Cheers,
> 
> 
> Alan Chapell
> 917 318 8440
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Wed, 21 Mar 2012 20:06:42 -0700
> To: Tracking Protection Working Group WG<public-tracking@w3.org>
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
> 
> Amy,
> 
> It seems to me that, in a plain reading, the FTC's reports establish two positions on first party vs. third party:
> 
> 1) The determination should be based on case-by-case, context-specific considerations, not corporate affiliation alone.
> 
> 2) User expectations are the touchstone of those context-specific considerations.
> 
> The FTC staff does not appear to have addressed the precise role of branding, affiliation, and other factors that contribute to user expectations.
> 
> Does that seem a fair characterization to you?
> 
> Jonathan
> 
> On Mar 21, 2012, at 11:03 AM, Amy Colando (LCA) wrote:
> 
> 
> 
> John, thanks for sharing this text.  The branding discussion below your email (as described by Jonathan and Jeff) goes way beyond the FTC guidance on the relationships between multiple affiliated companies.  Under that “brand only” approach, a single company would effectively have to separate each of its different brands into a stand-alone entity, and I simply don’t think that is something will occur in the real world.
>  
> From: John Simpson [mailto:john@consumerwatchdog.org] 
> Sent: Tuesday, March 20, 2012 4:09 PM
> To: Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> Colleagues:
>  
> Apologies. I dropped key words from the FTC's OBA report; it should read (emphasis added):
>  
> "Staff believes that whether data sharing among affiliated companies should be considered 'first party,' and thus outside the scope of these Principles, should turn on whether the relationship among sites -- and the possibility that they may share data -- is sufficiently transparent and consistent with reasonable customer expectations. For instance, although one might expect that Citibank and Citifinancial are closely linked entities, the link between affiliates Smith Barney and Citibank is likely to be much less obvious. Such a determination will depend on particular circumstances. " (Page 28, note 59).
>  
> On Mar 20, 2012, at 10:38 AM, John Simpson wrote:
> 
> 
> Colleagues,
>  
> I have been following this thread with interest and am interested in figuring out how to bridge the apparent gap in views.   Though I don't necessarily share the view that 1st parties should generally be exempt from most obligations when they receive a DNT:1 signal, I understand the WG's consensus to be that they should be, except that a 1st party receiving a DNT: 1 must not share data with a 3rd party. I accept that and will support it as the consensus view if we continue to use the 1st and 3rd party model.  Could there be another approach, however?
>  
> I understand the logic for the 1st and 3rd party model to be based on user expectations:  The user has a relationship with the site she visits, presumably trusts the site visited and is comfortable with data being collected there for such things as offering suggestions about products based on activity on the site, etc.
>  
> So, I am truly puzzled when it's suggested that user expectations are inappropriate when determining what constitutes an affiliate.  The FTC's views shouldn't be the only benchmark, but it does seem appropriate to weigh them as we move forward with the TCS specification, if we use the 1st -3rd party model.
>  
> The February 2009 "FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising" says:
>  
> "Staff believes that whether data sharing among affiliated companies should be considered 'first party,' and thus outside the scope of these Principles, should turn on whether the relationship among sites -- and the possibility that they may share data -- is sufficiently transparent and consistent with reasonable customer expectations. For instance, although one might expect that Citibank and Citifinancial are closely linked entities, the link between affiliates and Smith Barney. Such a determination will depend on particular circumstances. " (Page 28, note 59).
>  
> The FTC's December 2010 Preliminary Staff Report, "Protecting Consumer Privacy in an Era of Rapid Change" offers this:
>  
> "If a company shares data with a third party other than a service provider acting on the company's behalf -- including a business affiliate unless the affiliate relationship is clear through common branding or similar means -- the company's practices would not be considered first-party marketing and thus they would fall outside of 'commonly accepted practices,' as discussed below. (Page 55).
>  
> We should know within a week or so what the FTC will say in its final privacy report.   
>  
> My question, though, is this: Would the working group be better served by avoiding  the 1st-3rd party model altogether and using the Data Controller and Data Processor model?  I do not know, but is it worth exploring?
>  
> Regards,
> John
>  
>  
>  
>  
>  
> On Mar 18, 2012, at 11:56 AM, Shane Wiley wrote:
>  is likely to be much less obvious. 
> 
> “I'm sensitive to the economic impact of this standard, and I hope stakeholders will continue to explain precisely where and how the standard might impose burdens.  In future, I would find it much more helpful if objections rested on concrete explanations of difficulty and cost, rather than bare assertions that companies will not implement.”
>  
> I doubt the legitimacy of true sensitivity here from some in the working group.  If it is truly a goal of having the DNT standard implemented, then every element of the standard should be reviewed with the “likelihood of adoption” in mind.  I don’t believe that is the case today.  In fact, I believe there are several in the working group that have no other goal in mind other than to cement their consumer advocacy positions in the standard regardless of the likelihood of industry implementation. 
>  
> If we’re serious about “likelihood of adoption” in this working group (aka – economic impact), I would ask that we ask this question of each element of the standard as its drafted.  I believe we’ve tried to do this already but each time this is decried as some “bare assertion”.   I’ve not personally seen any “bare assertions that companies will not implement” as each time that this perspective has been raised it has always been couched in a real and direct significant impact to those being asked to adopt this standard.
>  
> - Shane
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Friday, March 16, 2012 12:14 PM
> To: Kevin Smith
> Cc: JC Cannon; Jeffrey Chester; Amy Colando (LCA); Shane Wiley; Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> Kevin,
>  
> Caveat: I'm not aiming to pry open the political debates surrounding Do Not Track here.  The W3C process has been apolitical, and I hope it will continue that way.  Rather, I'm trying to explain my thinking as we calibrate the toughness of the Do Not Track standard.
>  
> In my view, immediate adoption is far from the sole criterion for this process.  If it were, we'd have declared the standard to be the status quo and packed up months ago.
>  
> This process is about providing an effective consumer choice mechanism that protects privacy and balances economic interests.  We're going to continue to have conversations that stretch each stakeholder's comfort zone.  That's the very purpose of a multi-stakeholder process.
>  
> Furthermore, a company's preferences are far from the sole factor motivating Do Not Track adoption.  The choice to implement does not happen in a vacuum: customers, policymakers, media, civil society, and more will use the tools at their disposal to influence decision making.  On the issue of affiliate data sharing, for example, both the FTC and EU regulators have suggested that they would like to see consumer control.
>  
> I'm sensitive to the economic impact of this standard, and I hope stakeholders will continue to explain precisely where and how the standard might impose burdens.  In future, I would find it much more helpful if objections rested on concrete explanations of difficulty and cost, rather than bare assertions that companies will not implement.
>  
> Best,
> Jonathan
>  
> On Mar 16, 2012, at 11:29 AM, Kevin Smith wrote:
> 
> 
> 
> > As for the practical impact of a branding standard, it's difficult to say.  Some companies may choose to add corporate parent branding to their various web properties.  Other may decide to silo data.  Either would be an improvement in consumer awareness and control.
>  
> I think this is a fair assessment.  But we also need to remember that for some (and I think P&G is a good example), neither of these solutions is practical.  There has to be a practical alternative if we want many of the major players to participate.  I think we could define the floor as - Brand Affiliation is a minimum requirement - and then encourage heightened measures such as discoverability, branding and siloing as preferred methodologies in as much as they are practical.
>  
> That way, we make a significant step forward from where we are now and highlight the direction we would like to move towards, without ostracizing the very corporations we need to adopt the standard in order for it to gain credibility.
>  
> -kevin
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Friday, March 16, 2012 11:41 AM
> To: JC Cannon
> Cc: Jeffrey Chester; Amy Colando (LCA); Shane Wiley; Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> I'd like to distinguish two objections JC just raised.
>  
> 1) It is excessively burdensome to require siloed information practices for the Tide brand (and other brands).  I imagine this is a conversation that will continue to play out.
>  
> 2) Users understand they are sharing data with Proctor & Gamble (and other corporate parents).  I don't think that's at all the case.  If it were, we wouldn't be debating affiliation vs. user expectations.
>  
> As for the practical impact of a branding standard, it's difficult to say.  Some companies may choose to add corporate parent branding to their various web properties.  Other may decide to silo data.  Either would be an improvement in consumer awareness and control.
>  
> On Mar 16, 2012, at 10:32 AM, JC Cannon wrote:
> 
> 
> 
> 
> That position is not practical. Tide is not even a company. It should be clear to the consumer that they are dealing with P&G. Are you suggesting that P&G change the branding of all their sites?
>  
> JC
>  
> From: Jeffrey Chester [mailto:jeff@democraticmedia.org] 
> Sent: Friday, March 16, 2012 10:28 AM
> To: Amy Colando (LCA)
> Cc: Shane Wiley; Jonathan Mayer; Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> P & G has many different data models for its brands.  The copyright notice doesn't tell consumers what the individual brand's data practices are.  People may comfortable with interacting with Tide (and its social media practices, for example).  But they won't know how P&G operationalizes its data collection on its many diverse brands and respective campaigns: http://www.pg.com/en_US/brands/all_brands.shtml
>  
> Tide is First party, not P&G.
>  
>  
>  
>  
>  
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org
> www.digitalads.org
> 202-986-2220
>  
> On Mar 16, 2012, at 1:08 PM, Amy Colando (LCA) wrote:
> 
> 
> 
> 
> 
> On “branding,” can you please consider the example of http://www.tide.com/en-US/index.jspx ?  The branding is “Tide”, but Tide is not a legal entity, nor does it own web servers or contract with analytics providers or ad networks.  Tide is a brand owned by Proctor & Gamble.  You can see the P&G copyright notice at the bottom of the website, and the privacy policy and legal terms both link directly to http://www.pg.com/en_US/terms_conditions/index.shtml .
>  
> So who is the first party here? 
>  
> From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
> Sent: Wednesday, March 14, 2012 11:27 AM
> To: Jonathan Mayer
> Cc: Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
> Subject: RE: Parties and First Party vs. Third Party (ISSUE-10)
>  
> Thank you for the clarification Jonathan – that helps me better understand your perspective.
>  
> After speaking more with multi-brand publishers (most large publishers are multi-brand but surprisingly there are a good amount of medium and small advertisers that operate across multiple brands) and better understanding the real costs to forcing a common branding standard for the 1st party definition, you are correct that I support an affiliate standard and have offered up the “easily discoverable” addition to hopefully address concerns.
>  
> In the spirit of building a standard that will be implemented by industry, I would recommend we state Affiliation + Easily Discoverable as a MUST in the 1st party definition and push common branding as a SHOULD.
>  
> - Shane
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Wednesday, March 14, 2012 10:57 AM
> To: Shane Wiley
> Cc: Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> We agreed in Brussels that corporate affiliation is a *necessary* condition for two entities to be part of the same party.
>  
> We did not agree that corporate affiliation is a *sufficient* condition for two entities to be part of the same party.
>  
> To be clear: I have *never* said I would accept a corporate affiliation standard.  In fact, the writeup I did with Tom dedicates some length to pointing out the flaws in using affiliation.
>  
> On the contrary, I thought Shane had expressed substantial interest in a branding approach.  But apparently he was only willing to accept "branding or affiliation" - in other words, "affiliation."
>  
> Jonathan
>  
>  
> On Mar 14, 2012, at 7:16 AM, Shane Wiley wrote:
>  
> 
> Jonathan,
>  
> As I work for a publically traded organization and this is a public email list I’m unable to provide financial details with respect to the cost of rebranding but did my best to convey a truthful order of magnitude of the costs involved in converting a corporate infrastructure from a single entity basis through either front-end (branding, marketing materials, web site design, user impact assessment, focus groups, collateral updates across the board, etc.) and/or back-end modification (separate data collection systems, separate storage systems, rewrite reporting systems to address separate data storage, create/modify/test back-end scripts to address data separation, divide internal teams access structures, create/implement internal programs to educate employees about new separation requirements, implement monitoring and compliance tools to enforce data separation, etc.).  When this is multiplied across all of the companies on the globe that will have a desire to implement DNT to advance enhanced consumer data protection tools, the cost is AT LEAST 100s of millions of dollars.
>  
> I echo Mike’s confusion as I thought you had discussed corporate ownership as an acceptable 1st party definition in Brussels.
>  
> And to Mike’s point, I’ve offered up the “easily discoverable” as a compromise position for industry with only anecdotal feedback from large brands and haven’t had the opportunity or access to test this compromise across a larger pool of publishers.  I did this more as a testing ground to see if this could become acceptable to the working group prior to engaging in that significant of an endeavor.  If there is a hard-line that common branding is the end-point, then there will be no need for a larger survey of publishers in this area as we can be fairly confident most multi-brand publishers will not implement the W3C’s DNT standard due to prohibitive costs surrounding the definition of a 1st party.
>  
> - Shane
>  
> From: Mike Zaneis [mailto:mike@iab.net] 
> Sent: Wednesday, March 14, 2012 4:15 AM
> To: Jonathan Mayer
> Cc: Shane Wiley; Sean Harvey; Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> This is a strange conversation to me because I believe there was widespread support expressed at the Brussels meeting for corporate affiliation deciding the 1st party issue. This was part of the proposal Jonathan proposed that included corporate affiliation OR branding (and a couple of other possible factors). 
>  
> If I am misremembering that entire discussion then I apologize and will simply state our position that corporate affiliation is the key determinate for what properties constitute a 1st party. I am not yet prepared to endorse even Shane's assertion of corporate affiliation + easy discovery as that proposal has not been widely vetted throughout the publisher community. 
> 
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
> 
> On Mar 14, 2012, at 1:51 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
> 
> 
> 
> Time we can deal with - I would support a phase-in period from corporate affiliation to branding.
>  
> Expense is a different matter.  It would be helpful to hear from the other multi-brand businesses in the group how much they believe engineering support for DNT would cost.  Specifics would greatly assist in understanding; bald assertions like "[a]ny other solution will cost industry 100s of millions of dollars" do us little good.
>  
> I'll be very disappointed if industry participants newly decide, six months into this process and over a year into defining DNT, that *any* shift from status quo party boundaries is unacceptable.  But if that happens, we'll have to balance economics against privacy.  We would, after all, be considering a Do Not Track standard that necessarily allows information flows that violate user expectations and cross brand boundaries.
>  
> Jonathan
>  
> On Mar 13, 2012, at 9:54 PM, Shane Wiley wrote:
> 
> 
> 
> 
> 
> 
> 
> Jonathan,
>  
> We may need to take the pulse of those in industry again as I believe through further discussion that Industry is firmly on the side of corporate affiliation + easy discovery (single click).  Any other solution will cost industry 100s of millions of dollars globally to either rebrand all of their online efforts and/or reengineer back-end systems to develop separation between brands.  These appears to be a non-starter for an “easy implementable” goal as small and mid size publishers will be looking to larger publishers to provide the tools to implement DNT on their properties.  And most of the larger publishers in the world operate under a multi-brand structure and would likely not implement DNT due to the expense.  I personally wish it were less expensive to unwind several hundred years of branding strategy across the globe, but I don’t believe that will be possible in the timeframe of this working group.
>  
> - Shane
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Tuesday, March 13, 2012 9:46 PM
> To: Sean Harvey
> Cc: Tracking Protection Working Group WG
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>  
> Sean,
>  
> I don't doubt that many industry participants would greatly prefer a corporate affiliation standard, just as many civil society participants would greatly prefer a user expectations standard.  But we're now operating in the zone of compromise, where the relevant question is what stakeholders will accept.  And many participants, from both industry and civil society, have indicated they would accept branding.
>  
> Jonathan
>  
> On Mar 13, 2012, at 9:32 PM, Sean Harvey wrote:
> 
> 
> 
> 
> 
> 
> 
> 
> Thanks Jonathan. I have been far from alone in espousing a corporate affiliation plus discoverability approach. As Shane from Yahoo and others have indicated on this list and in direct meetings, it is not the job of this standards committee to break up the multi-brand approach of many companies on the web. This is not an issue of my and Heather's objection, there is a broad disagreement with you on this topic that we can discuss further in a weekly meeting. 
>  
>  
> 
> On Wed, Mar 14, 2012 at 12:30 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
> Sean,
>  
> I've heard both you and Heather express hesitation to adopt a branding approach.
>  
> To situate the discussion, we've had (for some time) four options for delineating parties and first parties vs. third parties: domain names, corporate affiliation, branding, and user expectations.  See http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0343.html.
>  
> Domain names have been, I think it's very fair to say, thoroughly rejected as over- and underinclusive.  Corporate affiliation is a deal breaker for many privacy advocates given how it has been abused in other privacy regulatory regimes.  Many industry participants view a user expectations approach as unworkable.  (I disagree, and despite persistent grousing I *still* have not seen a concrete example of how the approach is unworkable.)  Branding is the only option that remains, and the discussion surrounding ACTION-123 and ACTION-124 both on- and off-list was very positive.
>  
> Given that context, could you please explain your concern and propose a better option?
>  
> Jonathan
>  
> On Mar 13, 2012, at 9:13 PM, Sean Harvey wrote:
> 
> 
> 
> 
> 
> 
> 
> 
> Just to be very clear we absolutely do not have consensus on 2 or 3, nor are we near consensus on those points. Easy discoverability was the main issue to my knowledge. 
>  
> 
> On Wed, Mar 14, 2012 at 12:10 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
> We agreed in Brussels that:
> 
> 1) If two entities are not related by corporate affiliation, they are not part of the same party.
> 
> >From discussion on the mailing list, I think we are very close to consensus on three other points:
> 
> 2) Branding should determine party boundaries.
> 
> 3) Branding should determine first parties and third parties.
> 
> 4) An entity must make "discoverable" the other entities that it considers part of the same party.
> 
> We do not have consensus on a final issue:
> 
> 5) If two entities are related by corporate affiliation, are they part of the same party?
> 
> I've taken a stab at text that captures these five points.  It is based on the current TCS document, the DAA principles, my proposal with Tom, and the CDT proposal.
> 
> --------------------------------------------------
> 
> I. Definitions
> 
> A. Network Interaction
> A "network interaction" is an HTTP request and response, or any other sequence of logically related network traffic.
> 
> B. Entity
> An "entity" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person.
> 
> C. Affiliation
> If an entity holds significant ownership in or exercises significant operational control over another entity, they are "affiliated."
> 
> D. Party
> A "party" is any group of entities that:
> a) consistently presents common branding throughout each entity, and
> b) is related by affiliation.
> [there is debate over whether to flip the "and" to an "or"]
> 
> E. First Parties and Third Parties
> A "first party" is any party, in a specific network interaction, that brands content that occupies the full window.
> A "third party" is any party, in a specific network interaction, that does not brand content that occupies the full window.
> 
> II. Transparency Requirement
> 
> A. Operative Text
> A party must make reasonable efforts to ensure users can discover which entities it encompasses.
> 
> B. Non-Normative Discussion
> A list of entities in a privacy policy would ordinarily satisfy this requirement.
> 
> 
> 
> 
> 
> 
> 
> 
> 
>  
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com
>  
> 
> 
>  
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com
>  
>  
>  
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd. ,Suite 200
> Santa Monica, CA,90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
>  
>  
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd. ,Suite 200
> Santa Monica, CA,90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
>  
>  
>  
> 
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd. ,Suite 200
> Santa Monica, CA,90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
> 
>  
> Lauren Gelman
> BlurryEdge Strategies
> 415-627-8512
> gelman@blurryedge.com
> http://blurryedge.com
>  

Received on Thursday, 22 March 2012 21:51:44 UTC