- From: Chris Pedigo <CPedigo@online-publishers.org>
- Date: Tue, 18 Sep 2012 15:54:29 +0000
- To: Jonathan Mayer <jmayer@stanford.edu>
- CC: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <CEED5B1AC4405240B53E0330753999D306A8B234@mbx023-e1-nj-8.exch023.domain.local>
In an effort to kick start this dormant conversation, I don’t think it makes sense to include a “data append” restriction in this standard. The practice of “data append” is used by a first party to enhance the user’s online experience (in line with consumer expectations) or for first party marketing (also in line with consumer expectations). If a consumer objects to the first party marketing, they can fairly easily opt out of such marketing especially if it’s via email. A data append restriction would not take into account the fact that any data acquired from a 3rd party may be publicly available data or that it may have been collected with consent. In a DNT world, third parties would not be able to build databases of information about DNT:1 users, so the only data left for first parties to acquire would be publicly available, collected with consent or collected in an off-line setting. I don’t think a DNT standard should try to restrict this kind of data – not only would that kind of restriction be out of scope, but it also would likely lead to a host of unintended consequences. I think the proponents of a “data append” restriction would argue that it is needed to close a loophole for data flow (is that correct?). I would argue that it is not needed, that the current standard sufficiently closes any potential loophole. For starters, the standard prohibits first parties from sharing data with a third party. In addition, in a DNT world, third parties will be prohibited from collecting data about DNT:1 users. So, online data about DNT:1 from third parties will not even be available. As noted above, the only data left for first parties to acquire about DNT:1 users would be publicly available, collected with consent or collected in an off-line setting – all of which should be out of scope for DNT. At the end of the day, under the current framework, the only entities that would have data on DNT:1 users will be parties that have gained consent or first parties that are prohibited from sharing the data. The loophole is closed and we should not include a “data append” restriction that would be out of scope and could lead to unintended consequences. I look forward to the discussion. From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Tuesday, September 04, 2012 5:23 PM To: Chris Pedigo Cc: public-tracking@w3.org<mailto:public-tracking@w3.org> Subject: Re: Action 229 - Data Append Definition Under the EFF/Mozilla/Stanford compromise proposal, all but one of these use cases might not require an additional (and potentially quite broad) data append exception. Example 1: Much like widgets are promoted to first party status once the user "meaningfully" interacts with them, Nike could become a first party once the user submits his or her shoe purchase information. Example 3: A company that provides a geocoding API might qualify as a service provider. Example 4: Same as Example 3, but with an IP geolocation API. Coarse first-party IP geolocation is explicitly allowed. Example 5: A user can always grant permission for a particular information practice, like the opt-in demographic sharing in this example. On Tuesday, September 4, 2012 at 10:21 PM, Chris Pedigo wrote: Hello all. In an effort to focus our conversation about whether “data append” practices should be allowed/disallowed in the standard, I was tasked with providing a crisp definition of “data append.” I’ve also included a few use cases which I hope will further help the discussion. Potential definition of Data Append: the act of adding new information acquired from a third party to information collected about a website visitor. Use Cases: Current business practices that would qualify as a “data append” vary greatly in scope, utility and function. For example: Firstparty.com<http://Firstparty.com> partners with Nike. When a customer buys a Nike shoe, they get 6 months free of a health-related service on the firstparty.com<http://firstparty.com>. The customer must visit firstparty.com<http://firstparty.com> and enter a code to receive the service. When the customer visits Firstparty.com<http://Firstparty.com>, they enter the code which firstparty.com<http://firstparty.com> matches up to the sale of the Nike shoe. The process of matching up a code with the offline sale would be considered a data append. With restrictions on data append, DNT:1 users would not be able to participate in promotional campaigns. Firstparty.com<http://Firstparty.com> has a large database of customers. Occasionally, they buy data from a third party to clean up the database (purge bad email addresses, correct address information, etc). This would be considered a data append. A user wants to create an account on Firstparty.com<http://Firstparty.com>. They type in their address and firstparty.com<http://firstparty.com> uses a third party data provider to automatically fill-in the zip code. That would be a data append. Firstparty.com<http://Firstparty.com> sells flowers via business relationships with florists around the country. When the user visits the site, firstparty.com<http://firstparty.com> might use a third party that matches the user’s IP address with the user’s likely location within a metropolitan area. The location information is then used to customize the inventory available to that customer. This practice would also be a data append. Firstparty.com<http://Firstparty.com> might acquire data from a third party about the demographics and behavior of firstparty.com<http://firstparty.com>’s users. The third party collected the data after users opted in. This would be considered a data append despite the fact that users opted in to the third party data collection. Chris Pedigo VP, Government Affairs Online Publishers Association (202) 744-2967
Received on Tuesday, 18 September 2012 15:55:07 UTC