ACTION-161: work on issue-49

Changed "A Third-Party MAY operate as a First Party if..." to "A Third-Party MAY operate under the rules for a first party if..." and added "third party acting on the behalf of another third party" language.

<Normative>

A Third-Party MAY operate under the rules for a first party if the following conditions are met:
- Data collected is separated for each First Party by technical means and organizational process, AND
- The Third Party has no independent rights to the collected information outside of Permitted Uses (see Section X.Y), AND
- A contractual relationship exists between the Third Party and the First Party that outlines and mandates these requirements.

A Third-Party acting on the behalf of a First Party is subject to all of the same restrictions of a First Party.

A Third-Party MAY operate as a Service Provider to another Third-Party if the following conditions are met:
- Data collected is separated for each supported Third Party by technical means and organizational process, AND
- The Third Party has no independent rights to the collected information outside of Permitted Uses (see Section X.Y), AND
- A contractual relationship exists between the Third Party and supported Third Party that outlines and mandates these requirements.

A Third-Party acting on the behalf of another Third-Party is subject to all of the same restrictions of a First Party.

[NOTE - I purposely approached the above language in a "template fashion" as I believe it's possible to consolidate this down to "any party operating on the behalf of another party" and keep the same language.]

<Non-Normative>

Third Parties that act purely as vendors for their customers (First Parties in this context) are not the intended target for the Tracking Preference Expression but it's important there are no unintended activities that are extended to a Third Party through this allowance. In all cases, its expected a Third Party acting on the part of a First Party follows all of the same restrictions placed on a First Party.

For the data separation requirement, Third Parties have technical options to achieve appropriate separation but in each the critical element is that data is never reconstituted for users that have shared a Tracking Preference. On possible approach would be to leverage a per partner hash against a common cookie identifier, ensuring the resulting identifier is consistent for a specific First Party but is unable to be linked with another First Party's identifier.

Contractual requirements that enforce data rights and responsibilities for separation are a critical element of establishing a Third Party as acting on a First Party's behalf. Contracts may occur directly through parties (for example, a Publisher in an Ad Network) or between intermediaries (for example, an Ad Network acting through an Ad Exchange). In either case, data separation and removal of independent rights are necessary elements that must survive intermediary contractual constructs.

Received on Wednesday, 12 September 2012 06:58:34 UTC