Re: tracking-ISSUE-190: Sites with multiple first parties [Tracking Preference Expression (DNT)]


Let me suggest a common example that illustrates the complexity you are
looking for.  Imagine a service provider,, who provides
services for both publishers and advertisers and runs an exchange.  All
these services could happen from a single call; all using the same cookie
and same backend but resulting in independent controllers of data.  The
advantages to this should be obvious.  By removing redirects all parties
concerned with financials: the publisher selling the inventory, the
exchange intermediating the sale and the advertiser buying the inventory
all deal off of the same numbers.  No redirects means no counting
differentials. If the publisher sees 12,461,211 sold to the Exchange the
exchange sees 12,461,211 purchased and the sum seen by the advertisers
will add up to the same.  Same cookie means agreement on R&F and other
cookie based measurement.  Here however data from the same HTTP
transaction may be (or may not be) controlled/owned by multiple parties.
Depending on the exact nature of the contracts as between
clickclick<->publisher, publisher<->advertiser(s),
advertisers<->exchange(clickclick), etc.  There are many possible
permutations as to just how independent a collectors rights may be.



Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 |

This email ­ including attachments ­ may contain confidential information.
If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender
immediately and delete the message.

On 1/8/13 8:06 PM, "David Singer" <> wrote:

>On Jan 8, 2013, at 16:59 , "Roy T. Fielding" <> wrote:
>> The issue is joint data controllers.  It is impossible to
>> express that in the protocol currently, and it cannot be
>> discovered otherwise.
>> Š.Roy
>OK, I am looking at definitions on the web, for example
>o-says/".  In what circumstances can this arise for us?  I am not seeing
>If the user 'intends to visit', and has a service
>provider under a service agreement, then the SP identifies
>either as part of, or as an SP to (we covered
>this already). is not a joint DC under these terms because
>they have no independent rights to the data; they are a data processor,
>not joint DC.
>The guidance says "Where the service provider is either given
>considerable flexibility or independence in determining how to satisfy
>the clientıs broad instructions or is providing the service in accordance
>with externally-imposed professional or ethical standards, he will be
>acting as a joint data controller, rather than a data processor, in
>relation to the service data,"
>Now, how can this occur in our context?  Does have
>independent rights to collect data, or not?  If so, they are an
>independent first or third party; if not, they are a data processor, no?
>> On Jan 8, 2013, at 4:20 PM, David Singer wrote:
>>> I am somewhat puzzled by what the issue is.
>>> If there are sites that build in content from multiple parties, and
>>>the user expected them to be first parties -- or they are anyway --
>>>they say so in their response header and/or well-known resource.
>>> If there are sites that build content from multiple servers that are
>>>all the same party, they can say that in the well-known resource
>>> What doesn't work, or isn't clear, already?
>>> On Jan 8, 2013, at 7:53 , Tracking Protection Working Group Issue
>>>Tracker <> wrote:
>>>> tracking-ISSUE-190: Sites with multiple first parties  [Tracking
>>>>Preference Expression (DNT)]
>>>> Raised by: Matthias Schunter
>>>> On product: Tracking Preference Expression (DNT)
>>>> Address how multiple first parties can be expressed in tracking
>>>>status representation
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>David Singer
>Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 9 January 2013 14:53:17 UTC