RE: ACTION-267 - Propose first/third party definitions from existing DAA documents

Hi Jeff - It actually wasn't me to whom you directed this question during the briefing that DMA recently hosted for you and other consumer groups (in conjunction with the NTIA multistakeholder process).  You were in conversation with my colleague, Sarah Hudgins from IAB, who was presenting an update regarding the DAA program.  We're both brunettes, and you're not the first to confuse us.  :)  Regardless, I would like to correct the record regarding testing of the DAA program...

The DAA icon program implementation was consumer-tested prior to its launch - and with very positive results.  TRUSTe ran a pilot of the icon implementation (serving via a "widget" that launches from a clickable icon placed on adjacent to advertisements or in the header/footer of pages).  The pilot ran for approximately six months in market, and was executed with and  TRUSTe reported positive findings in November 2011, including:

*         Consumers engaged more with Ad Notice [the icon implementation] outside the Privacy Policy.  Over the 6 months 2.5 more people engaged with the ad notice than the privacy policy.

*         Consumer education, notice and choice were effective to build consumer trust with online behavioral advertising.  During the pilot, over 80% of visitors did not make any changes to their preferences; only 1% chose to opt-out of OBA.  Over 55% of feedback respondents found the Notice helpful.

Much more compelling, I would argue, is the fact that - since the DAA program's launch in 2010 - more than 16 million consumers have visited the DAA sites to learn about their advertising data choices, and, to date, more than 1 million consumers have taken action to exercise their choice about how advertisers will use their data.

Hard to argue that the design and usability of the DAA program is "inadequate" with 16 million consumers served to date.

Very best, as always,


From: Jeffrey Chester []
Sent: Wednesday, October 10, 2012 11:52 AM
To: Thomas Roessler; Aleecia McDonald; Matthias Schunter
Cc: Rachel Thomas; Craig Spiezle;; Kimon Zorbas
Subject: Re: ACTION-267 - Propose first/third party definitions from existing DAA documents

I have to say I am dismayed that colleagues from the US online marketing community are trying to replace the W3C multistakeholder process with a system devised exclusively by the online ad industry.  As I mentioned during last week's f2f, NGOs and other civil society groups across the Atlantic have criticized the DAA system as inadequate.  Leading computer science and other researchers have also repeatedly shown how lacking and ineffective it is.  Indeed, just two weeks ago in DC I asked Ms. Thomas if there had been any testing done for design and usability of the system--including by independent bodies.  The answer was basically there was no such usability and independent review.  As we all know, the user experience online is tested and  "optimized" to move them through a digital data collection funnel-- in order to achieve the required "conversion."  Until such independent testing of the DAA system to show that it can effectively inform and empower online users about their privacy choices-- in the face of a purposefully powerful and designed interactive experience--the W3C would be remiss adopting it in all or in part.

In addition, yesterday's announcement by the DAA that it would, in essence, condone a boycott of DNT requests from users relying on the IE browser (or other browsers adopting privacy by design frameworks), suggests there is a political motivation that should be addressed by the group and W3C (inc. Mr. Berners-Lee).  Instead of developing the best technical standard through expert and objective international standards work, we appear to now confront a political agenda designed to maintain the data collection and user targeting status quo.  The W3C needs to do better than be silent about these recent developments.

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009<><>

On Oct 10, 2012, at 10:57 AM, Kimon Zorbas wrote:

Dear all,

to add some European flavour, here what we use in our OBA Framework, matching European law. We call First Parties "Web Site Operators". W3C can of course use this wording, we have the full rights to it.

Third Party
An entity is a Third Party to the extent that it engages in Online Behavioural Advertising on a web site or web sites other than a web site or web sites it or a an entity under Common Control owns or operates.

Web Site Operator
A Web Site Operator is the owner, controller or operator of the web site with which the web user interacts.

Control of an entity means that another entity (1) holds a majority of the voting rights in it, or (2) is a member of it and has the right to appoint or remove a majority of its board of directors, or (3) is a member of it and controls alone, pursuant to an agreement with other members, a majority of the voting rights in it, or (4) has placed obligations upon or otherwise controls the policies or activities of it by way of a legally binding contract, or (5) otherwise has the power to exercise a controlling influence over the management, policies or activities of it, and "Controlled" shall be construed accordingly.

Common Control
Entities or web sites under Common Control include ones which Control, for example parent companies, are Controlled by, such as subsidiaries, or are under common Control, such as group companies. They also include entities that are under a written agreement to process data for the controlling entity or entities, and do such processing only for and on behalf of that entity or entities and not for their own purposes or on their own behalf.

For other UA, we capture them through the following wording:
To the extent that Companies collect and use data via specific technologies or practices that are intended to harvest data from all or substantially all URLs traversed by a particular computer or device across multiple web domains and use such data for OBA, they should first obtain Explicit Consent.

Kind regards,

From: Rachel Thomas <<>>
Date: Wednesday 10 October 2012 16:48
To: Craig Spiezle <<>>, "<>" <<>>
Subject: RE: ACTION-267 - Propose first/third party definitions from existing DAA documents
Resent-From: <<>>
Resent-Date: Wednesday 10 October 2012 16:43

Hi Craig, great question - let me try to clarify with some additional info from the DAA principles.  Below is the definition of "affiliate" as well as some commentary on the definition from the DAA's Self-Regulatory Principles for Online Behavioral Advertising.  (Also, please note that while there is not an explicit definition of "affiliate" included in the DAA's Self-Regulatory Principles for Multi-Site Data, the same definition applies in that context as well).


Definition: An Affiliate is an entity that Controls, is Controlled by, or is under common Control with, another entity.

Commentary (relating to definitions of both "affiliate" and "control"): These terms set an objective test to separate related First Party entities from Third Parties and others. An Affiliate is defined as an entity that Controls, is Controlled by, or is under common Control with, another entity. The definition of Control sets out two alternative tests, which reflect a commonly understood definition of a single entity. The first alternative looks to whether one entity is under significant common ownership with the other entity. The second alternative looks to whether one entity has the power to exercise a controlling influence over the management or policies of the other. In addition, each entity must be subject to Online Behavioral Advertising policies that are not materially inconsistent with the other entity's Online Behavioral Advertising policies. The combination of Control and governance by similar Online Behavioral Advertising policies renders the two entities Affiliates of each other.

The tests for Control are unrelated to brand names. As a result, different brands, if they otherwise meet one of the tests for Control, would be treated as Affiliates rather than Third Parties.

The starting point for whether two or more affiliated consumer-facing Web sites constitute a First Party under the Principles is whether the Web sites are the same company. The use of the term Affiliate is intended to allow affiliated companies that are in the same corporate family to share information within that family as if they are the same company, thereby benefitting from their collective assets. The treatment of Affiliates is not intended to create a means for companies that are in reality unrelated in corporate structure (and, therefore, that consumers would never expect would be sharing information,) to avoid providing the choice required under these Principles. In many cases companies can readily be transparent either in branding on the Web sites or through clarity in the privacy notices of their particular Affiliates. Assuming an entity otherwise meets the standard set forth in the definition of Control, such practices would clearly satisfy and permit inclusion in the definition of Affiliate. However, such branding on a Web site or inclusion in a privacy notice is not required under the Principles as in some instances the complexity of corporate affiliates driven by corporate legal principles pose practical operational challenges.

And very best,

From: Craig Spiezle []
Sent: Tuesday, October 09, 2012 11:58 PM
To: Rachel Thomas;<>
Subject: RE: ACTION-267 - Propose first/third party definitions from existing DAA documents

This is helpful.

Just so we are all on the same page can you clarify affiliate vs. non-affiliate.   Is it correct to assume affiliate means a wholly owned entity?

So a Third Party who collects data from an affiliate is not a third party.  So this would or could mean a totally separate brand which the user has no knowledge of?


From: Rachel Thomas []<mailto:[]>
Sent: Tuesday, October 09, 2012 1:16 PM
Subject: ACTION-267 - Propose first/third party definitions from existing DAA documents

Folks - As promised, I am submitting the Digital Advertising Alliance (DAA) definitions of "first party" and "third party" for consideration / inclusion in section 3.5<> ("First and Third Parties") of the W3C TPWG "Tracking Compliance and Scope" document.  Below are both formal definitions and related commentary from the DAA Self-Regulatory Principles for Multi-Site Data<>.


Definition: A First Party is the entity that is the owner of the Web site or has Control over the Web site with which the consumer interacts and its Affiliates.

Commentary: The actions of agents and other entities that similarly perform business operations of First Parties are treated as if they stand in the shoes of First Parties under these Principles and thus such actions are not included in Multi-Site Data.


Definition: An entity is a Third Party to the extent that it collects Multi-Site Data on a non-Affiliate's Web site.

Commentary:  As described in the OBA Principles, in certain situations where it is clear that the consumer is interacting with a portion of a Web site that is being operated by a different entity than the owner of the Web site, the different entity would not be a Third Party for purposes of the Principles, because the consumer would reasonably understand the nature of the direct interaction with that entity. The situation where this occurs most frequently today is where an entity through a "widget" or "video player" enables content on a Web site and it is clear that such content and that portion of the Web sites is provided by the other entity and not the First Party Web site. The other entity (e.g. the "widget" or "video player") is directly interacting with the consumer and, from the consumer's perspective, acting as a First Party. Thus, it is unnecessary to apply to these activities the Principles governing data collection and use by Third Parties with which the consumer is not directly interacting.

Very best,

Rachel Nyswander Thomas
Vice President, Government Affairs
Direct Marketing Association
(202) 861-2443 office
(202) 560-2335 cell<>

Join us at DMA2012 Conference and Exhibition
The Global Event for Real-Time Marketers
October 13-18, 2012 | Las Vegas, NV
Register NOW & SAVE up to $200 |<>

Received on Wednesday, 10 October 2012 19:50:59 UTC