RE: Action 368 - Definition of Service Provider/Data Processor from Chris Pedigo on 2013-02-27 (public-tracking@w3.org from February 2013)

From: Chris Pedigo <CPedigo@online-publishers.org>
Date: Wed, 27 Feb 2013 16:50:34 +0000
To: Jeffrey Chester <jeff@democraticmedia.org>
CC: Vinay Goel <vigoel@adobe.com>, Tracking Protection Working Group <public-tracking@w3.org>, Peter Swire <peter@peterswire.net>
Message-ID: <CEED5B1AC4405240B53E0330753999D320506CA7@mbx023-e1-nj-8.exch023.domain.local>
Jeff, I think there is some confusion here and my apologies for contributing to it.

The proposal here simply states that a service provider has no independent right to use data collected on behalf of another party.  So, a SP can collect and process the data on behalf of 1st party but only as the 1st party directs them and only for the benefit of the 1st party.  That means that a DSP or SSP could not use 1st party data for the benefit of the SSP or DSP or for another client.  They could append data to the 1st party data, but only for the benefit of the 1st party.  But, in this case, there is no difference between the 1st party doing the data append or the service provider doing the data append since it can only be done for the benefit of the 1st party.  For example, they could not append data to a 1st parties data for the purposes of building profiles of users, which is later used for or shared with other clients.  Their ability to append data for their own benefit is really pointless since they have no independent right to use the 1st party data.  What would they append the data to?!

The issue of Data Append is separate, although linked for some people.  I believe a first party should be able to acquire data from a third party that has obtained that data legitimately and add that data to data it has collected.  In a DNT world, third parties will not be able to build profiles about DNT:1 users, so the only data available for 1st parties to acquire would be data collected with consent, off-line data, publicly-available data or old, pre-DNT data.  All of these data sets are out of scope for DNT.

Does that clarify the proposal?

From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
Sent: Wednesday, February 27, 2013 11:19 AM
To: Chris Pedigo
Cc: Vinay Goel; Tracking Protection Working Group; Peter Swire
Subject: Re: Action 368 - Definition of Service Provider/Data Processor

I just read the memo Peter sent, which lays out many of these issues (I should have read first but it slipped from my reading today).

Chris:  Is the proposal that once DNT:1 is sent, no first party can integrate in any way outside CRM and second/third party data from service providers?  If so, that certainly responds to a key concern I have.  Thanks.

Jeff


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org<http://www.democraticmedia.org>
www.digitalads.org<http://www.digitalads.org>
202-986-2220

On Feb 27, 2013, at 11:10 AM, Chris Pedigo wrote:


Jeff, I don't think anyone envisions that DSPs and SSPs would get a pass.  If they agree to the conditions below - no independent right to use the data, separate it from other data and have a contract in place that stipulates all of that - only then could they qualify as a service provider.  Under this scenario, I suppose they could acquire data from an outside source, but they couldn't combine that data with the first party's data nor could they use the data for their own purposes.  Does that address your concern?



From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
Sent: Wednesday, February 27, 2013 10:59 AM
To: Vinay Goel
Cc: Chris Pedigo; Tracking Protection Working Group; Peter Swire
Subject: Re: Action 368 - Definition of Service Provider/Data Processor

This is very helpful.  Thanks and I look forward to discussion.  But lots of "red" flags for me when such data enriched targeting companies may get a pass.  This will clearly need to be the subject of an intensive review on the current dimensions of the data platform ecosystem.


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org<http://www.democraticmedia.org>
www.digitalads.org<http://www.digitalads.org>
202-986-2220

On Feb 27, 2013, at 10:52 AM, Vinay Goel wrote:



Hi Jeff,

I think two issues may be conflated together in your questions -- the topic of a Service Provider and the topic of data appends.  The language below doesn't speak to data appends.  I believe that topic is on the agenda for today's call where Peter asks whether we need text around appends.  Depending on how the DSPs and SSPs operate, they could qualify as a Service Provider if they meet the conditions outlined below.  The question of whether/how the DSP/SSP could enhance their customer's data should be handled when dealing with data appends.

-Vinay

On Feb 27, 2013, at 8:45 AM, Jeffrey Chester <jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>> wrote:



Chris:  Thanks for this.  Could you give the list some examples of service providers/data processors?  For instance, do you consider DSPs, SSPs to be such a provider?  Would they have any limits at all in how much third party data they could provide their client?  Use cases would be useful, so we can understand the dimensions possible in relationship to a meaningful DNT standard.

I missed the Boston meeting, so if this was covered I would appreciate the reference to review.

Thanks,

Jeff




Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org<http://www.democraticmedia.org/>
www.digitalads.org<http://www.digitalads.org/>
202-986-2220

On Feb 27, 2013, at 10:35 AM, Chris Pedigo wrote:



Hello all, I worked with Vinay Goel to come up with a definition of Service Provider/Data Processor.  We also solicited feedback from Justin Brookman and Rigo Wenning.  Below is the normative text that we ultimately decided upon.  One of the discussions centered around whether service providers or data processors should be allowed to utilize the Permitted Uses.  We decided not to include that language, because it would not fly in the EU and because it does not appear to be common practice among service providers in the US.  Finally, I am still gathering feedback from my member companies.  So, while expect this language will work for publishers, I am reserving the right to come back with tweaks.  Looking forward to today's call and the ensuing discussion.

Action 368 - Definition of Service Provider/Data Processor

A Data Processor is any party, in a specific network interaction, that both operates on behalf of another party and meets the following conditions:
- Data that is collected and/or retained is separated by both technical means and organizational process, AND
- Uses and shares data only as directed by that other party, AND
- Enters into a contract with the other party that outlines and mandates these requirements.

A Data Processor is subject to the same restrictions as the other party.  If a Data Processor were to violate any of these conditions, it will then be a third party.


Chris Pedigo
VP, Government Affairs
Online Publishers Association
(202) 744-2967
Received on Wednesday, 27 February 2013 16:51:05 UTC