Re: ACTION-267 - Propose first/third party definitions from existing DAA documents


I really do enjoy revisiting the IE10/browser default/non-compliant DNT signal issue every couple of months because it gives me the opportunity to just recycle my old emails on the subject. Please see my previous email below on the matter, which references your previous agreement that we should not honor default "on" browser settings:


I hate to revisit an issue that has been closed at least twice before, the first time being way back in September, but you again raised the browser default setting issue and its place in the W3C standards process - <,0,5932169.story>,0,5932169.story.  The story is about the W3C TPE Working Group and how Microsoft has decided to ship IE10 with the DNT flag turned on.  I was extremely disappointed to see your quote that industry would face a “bloody virtual and real-world fight” if we did not honor such a default.  That flies in the face of your statement from last month (see below to refresh your memory).

I have to question whether you are negotiating at the W3C in good faith.  If the industry is to be attacked and engaged in a bloody fight even if we develop and adopt a W3C standard, then what is the incentive for us to remain at the table?  Can you please clarify your position on this vitally important issue.

Mike Zaneis
SVP & General Counsel
Interactive Advertising Bureau
(202) 253-1466<tel:(202)%20253-1466>

Follow me on Twitter @mikezaneis

From: Jeffrey Chester []
Sent: Sunday, June 03, 2012 5:41 PM
To: Shane Wiley
Cc: Roy T. Fielding; Justin Brookman; <><>
Subject: Re: ISSUE-4 and clarity regarding browser defaults

I support what the working group agreed to, with DNT not being shipped as on.  That is part of the set of compromises we have agreed to within the working group.  I was surprised as everyone else with Microsoft's announcement.  I was just responding the tone of some of the comments in the press where various industry players suggest that Microsoft is a digital Benedict Arnold.  That said, we need to conclude this work with agreement on definition for policy.  I still believe there is a win-win here that can be achieved.  If we can all agree on meaningful final policy, it will be the norm which everyone should abide.

So to be clear.  I am not trying to undo the agreement and urge us to stay in discussions.

But it sounds like there will be a lot of sleeplessness in Seattle!  Those Microsoft people better lock their doors!



Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave<x-apple-data-detectors://4>, NW, Suite 550
Washington, DC 20009<x-apple-data-detectors://5>

On Jun 3, 2012, at 4:44 PM, Shane Wiley wrote:


I thought we had solved this issue sometime ago at the beginning of the working group:  opt-in vs. opt-out.  By moving the UA to default to DNT:1 without an explicit user action, you’re creating an opt-in world.  I understand you like that end-point, but if you’re unwilling to move back to the originally agreed upon opt-out structure, I suspect industry participants may leave the working group.  A pure opt-in outcome will have devastating impact to the online ecosystem, will prompt many to develop overly inclusive opt-in approaches, and ultimately consumers lose after being barraged with a sea of opt-in requests.  I’m saddened by this sudden 180 on this very key perspective but hopefully saner minds will prevail.

In my opinion, we need to resolve this fundamentally core issue prior to moving forward on any other issues at the TPWG.  Please let me know if you agree.

Thank you,

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466

On Oct 10, 2012, at 11:52 AM, "Jeffrey Chester" <<>> wrote:

I have to say I am dismayed that colleagues from the US online marketing community are trying to replace the W3C multistakeholder process with a system devised exclusively by the online ad industry.  As I mentioned during last week's f2f, NGOs and other civil society groups across the Atlantic have criticized the DAA system as inadequate.  Leading computer science and other researchers have also repeatedly shown how lacking and ineffective it is.  Indeed, just two weeks ago in DC I asked Ms. Thomas if there had been any testing done for design and usability of the system--including by independent bodies.  The answer was basically there was no such usability and independent review.  As we all know, the user experience online is tested and  "optimized" to move them through a digital data collection funnel-- in order to achieve the required "conversion."  Until such independent testing of the DAA system to show that it can effectively inform and empower online users about their privacy choices-- in the face of a purposefully powerful and designed interactive experience--the W3C would be remiss adopting it in all or in part.

In addition, yesterday's announcement by the DAA that it would, in essence, condone a boycott of DNT requests from users relying on the IE browser (or other browsers adopting privacy by design frameworks), suggests there is a political motivation that should be addressed by the group and W3C (inc. Mr. Berners-Lee).  Instead of developing the best technical standard through expert and objective international standards work, we appear to now confront a political agenda designed to maintain the data collection and user targeting status quo.  The W3C needs to do better than be silent about these recent developments.

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Oct 10, 2012, at 10:57 AM, Kimon Zorbas wrote:

Dear all,

to add some European flavour, here what we use in our OBA Framework, matching European law. We call First Parties "Web Site Operators". W3C can of course use this wording, we have the full rights to it.

Third Party
An entity is a Third Party to the extent that it engages in Online Behavioural Advertising on a web site or web sites other than a web site or web sites it or a an entity under Common Control owns or operates.

Web Site Operator
A Web Site Operator is the owner, controller or operator of the web site with which the web user interacts.

Control of an entity means that another entity (1) holds a majority of the voting rights in it, or (2) is a member of it and has the right to appoint or remove a majority of its board of directors, or (3) is a member of it and controls alone, pursuant to an agreement with other members, a majority of the voting rights in it, or (4) has placed obligations upon or otherwise controls the policies or activities of it by way of a legally binding contract, or (5) otherwise has the power to exercise a controlling influence over the management, policies or activities of it, and “Controlled” shall be construed accordingly.

Common Control
Entities or web sites under Common Control include ones which Control, for example parent companies, are Controlled by, such as subsidiaries, or are under common Control, such as group companies. They also include entities that are under a written agreement to process data for the controlling entity or entities, and do such processing only for and on behalf of that entity or entities and not for their own purposes or on their own behalf.

For other UA, we capture them through the following wording:
To the extent that Companies collect and use data via specific technologies or practices that are intended to harvest data from all or substantially all URLs traversed by a particular computer or device across multiple web domains and use such data for OBA, they should first obtain Explicit Consent.

Kind regards,

From: Rachel Thomas <<><>>
Date: Wednesday 10 October 2012 16:48
To: Craig Spiezle <<><>>, "<><>" <<><>>
Subject: RE: ACTION-267 - Propose first/third party definitions from existing DAA documents
Resent-From: <<><>>
Resent-Date: Wednesday 10 October 2012 16:43

Hi Craig, great question – let me try to clarify with some additional info from the DAA principles.  Below is the definition of “affiliate” as well as some commentary on the definition from the DAA’s Self-Regulatory Principles for Online Behavioral Advertising.  (Also, please note that while there is not an explicit definition of “affiliate” included in the DAA’s Self-Regulatory Principles for Multi-Site Data, the same definition applies in that context as well).


Definition: An Affiliate is an entity that Controls, is Controlled by, or is under common Control with, another entity.

Commentary (relating to definitions of both “affiliate” and “control”): These terms set an objective test to separate related First Party entities from Third Parties and others. An Affiliate is defined as an entity that Controls, is Controlled by, or is under common Control with, another entity. The definition of Control sets out two alternative tests, which reflect a commonly understood definition of a single entity. The first alternative looks to whether one entity is under significant common ownership with the other entity. The second alternative looks to whether one entity has the power to exercise a controlling influence over the management or policies of the other. In addition, each entity must be subject to Online Behavioral Advertising policies that are not materially inconsistent with the other entity’s Online Behavioral Advertising policies. The combination of Control and governance by similar Online Behavioral Advertising policies renders the two entities Affiliates of each other.

The tests for Control are unrelated to brand names. As a result, different brands, if they otherwise meet one of the tests for Control, would be treated as Affiliates rather than Third Parties.

The starting point for whether two or more affiliated consumer-facing Web sites constitute a First Party under the Principles is whether the Web sites are the same company. The use of the term Affiliate is intended to allow affiliated companies that are in the same corporate family to share information within that family as if they are the same company, thereby benefitting from their collective assets. The treatment of Affiliates is not intended to create a means for companies that are in reality unrelated in corporate structure (and, therefore, that consumers would never expect would be sharing information,) to avoid providing the choice required under these Principles. In many cases companies can readily be transparent either in branding on the Web sites or through clarity in the privacy notices of their particular Affiliates. Assuming an entity otherwise meets the standard set forth in the definition of Control, such practices would clearly satisfy and permit inclusion in the definition of Affiliate. However, such branding on a Web site or inclusion in a privacy notice is not required under the Principles as in some instances the complexity of corporate affiliates driven by corporate legal principles pose practical operational challenges.

And very best,

From: Craig Spiezle [<>]
Sent: Tuesday, October 09, 2012 11:58 PM
To: Rachel Thomas; <><>
Subject: RE: ACTION-267 - Propose first/third party definitions from existing DAA documents

This is helpful.

Just so we are all on the same page can you clarify affiliate vs. non-affiliate.   Is it correct to assume affiliate means a wholly owned entity?

So a Third Party who collects data from an affiliate is not a third party.  So this would or could mean a totally separate brand which the user has no knowledge of?


From: Rachel Thomas []<mailto:[]>
Sent: Tuesday, October 09, 2012 1:16 PM
To: <><>
Subject: ACTION-267 - Propose first/third party definitions from existing DAA documents

Folks – As promised, I am submitting the Digital Advertising Alliance (DAA) definitions of “first party” and “third party” for consideration / inclusion in section 3.5<> (“First and Third Parties”) of the W3C TPWG "Tracking Compliance and Scope” document.  Below are both formal definitions and related commentary from the DAA Self-Regulatory Principles for Multi-Site Data<>.


Definition: A First Party is the entity that is the owner of the Web site or has Control over the Web site with which the consumer interacts and its Affiliates.

Commentary: The actions of agents and other entities that similarly perform business operations of First Parties are treated as if they stand in the shoes of First Parties under these Principles and thus such actions are not included in Multi-Site Data.


Definition: An entity is a Third Party to the extent that it collects Multi-Site Data on a non-Affiliate’s Web site.

Commentary:  As described in the OBA Principles, in certain situations where it is clear that the consumer is interacting with a portion of a Web site that is being operated by a different entity than the owner of the Web site, the different entity would not be a Third Party for purposes of the Principles, because the consumer would reasonably understand the nature of the direct interaction with that entity. The situation where this occurs most frequently today is where an entity through a “widget” or “video player” enables content on a Web site and it is clear that such content and that portion of the Web sites is provided by the other entity and not the First Party Web site. The other entity (e.g. the “widget” or “video player”) is directly interacting with the consumer and, from the consumer’s perspective, acting as a First Party. Thus, it is unnecessary to apply to these activities the Principles governing data collection and use by Third Parties with which the consumer is not directly interacting.

Very best,

Rachel Nyswander Thomas
Vice President, Government Affairs
Direct Marketing Association
(202) 861-2443 office
(202) 560-2335 cell<>

Join us at DMA2012 Conference and Exhibition
The Global Event for Real-Time Marketers
October 13-18, 2012 | Las Vegas, NV
Register NOW & SAVE up to $200 |<>

Received on Wednesday, 10 October 2012 22:40:30 UTC