- From: John Simpson <john@consumerwatchdog.org>
- Date: Mon, 1 Apr 2013 15:49:38 -0700
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-Id: <03D04263-B4C9-4B36-B517-1C1A81443B32@consumerwatchdog.org>
Shane, Thanks for responding. Questions in line below. On Mar 31, 2013, at 8:26 PM, Shane Wiley <wileys@yahoo-inc.com> wrote: > John and Alan, > > Thank you for taking the first pass at normative text for “data append” exercises from the 1st party perspective and how these interrelate to DNT. > > A few comments: > > -- A 1st Party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a 1st Party. > > [I believe the DNT signal should be directed to the sender, not the recipient. In this case, I would expect the 3rd party to receive the signal and appropriate not convey information within the context of DNT. This sentence should either be dropped or rewritten to focus on the sender (3rd party in this context).] I'm sorry, I'm not sure I understand what you mean by sender and recipient. By sender do you mean the party that has data and "sends" it to the 1st party (the recipient)? I think you're saying that the 3rd party would receive the DNT signal and could not send data to the 1st Party. I believe that's true under the current draft of the TCS spec *IF* the sender is present on the website as a 3rd Party. What I am specifically calling out is the use case where the "sender" (I say "another party") has no presence on the site. If DNT:1 is enabled, the 1st Party could not go beyond the 1st Party experience and request data from another source. It's likely the case that this other party would not have received a DNT:1 message, so it is necessary for the 1st Party to honor the request. > > -- A 1st Party MUST NOT share identifiable data with another party unless the data was provided voluntarily by the user and is necessary to complete a business transaction with the user. > > [DNT is transactional. I could see this prohibition working if the data being passed occurred online in the context of the DNT signal being in the header but for purely offline data matches I hope we agree this could not work. I would also struggle to understand a business case where a user has “shared identifiable data involuntarily” – could you please give an example?] Why wouldn't this work with offline matches? I used "provided voluntarily" to get at the idea that consent had been given. > > [Of course all of these are trumped by user consent.] Agree, if it is informed consent. Finally, what's your reaction to the third element: A Party MUST NOT use data gathered while a 1st Party when operating as a 3rd Party. Are you comfortable with that? Regards, John > > - Shane > > From: John Simpson [mailto:john@consumerwatchdog.org] > Sent: Sunday, March 31, 2013 8:13 PM > To: public-tracking@w3.org (public-tracking@w3.org) > Subject: Data append? > Importance: High > > Colleagues, > > Alan Chapell and I have agreed on text that should cover the situation regarding "data append" when DNT is received. I look forward to discussing. > > The text is below. > > Regards, > John > ---- > > Normative: > When DNT:1 is received: > > -- A 1st Party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a 1st Party. > -- A 1st Party MUST NOT share identifiable data with another party unless the data was provided voluntarily by the user and is necessary to complete a business transaction with the user. > -- A Party MUST NOT use data gathered while a 1st Party when operating as a 3rd Party. > > Non-Normative: > When DNT:1 is received, a 1st Party retains the ability to customize content, services, and advertising only within the context of the first party experience. A 1st party takes the user interaction outside of the 1st party experience if it receives identifiable data from another party and uses that data for customization of content, services, or advertising. > > When DNT:1 is received the 1st Party may continue to utilize user provided data in order to complete or fulfill a user initiated business transaction such as fulfilling an order for goods or a subscription. > > When DNT:1 is received and a Party has become a 3rd Party it is interacting with the user outside of the 1st Party experience. Using data gathered while a 1st party is incompatible with interaction as a third party. > > >
Received on Monday, 1 April 2013 22:50:06 UTC