Re: Consensus Industry Amendments to the DAA proposal from Thomas Roessler on 2013-07-09 (public-tracking@w3.org from July 2013)

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 9 Jul 2013 17:58:16 +0200
To: Jack Hobaugh <jack@networkadvertising.org>
Cc: public-tracking@w3.org, Nicholas Doty <npdoty@w3.org>
Message-Id: <DB3FF54F-81CA-4EEA-B5B7-E4DD36806E13@w3.org>

Jack,

were you planning to address my clarification questions from this note?
	http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0005.html

In particular, I'd like to understand why, for the principles in section 5, you're talking about de-identified data, but for the retention limit, you're talking about de-identified and delinked.  That seems odd -- I'd expect those two points to be in synch...

Thanks,

Thomas Roessler, W3C <tlr@w3.org> (@roessler)




On 2013-07-09, at 17:51 +0200, Jack Hobaugh <jack@networkadvertising.org> wrote:

> Dear Colleagues,
> 
> The following consensus industry amendments to the DAA June 26 submission are proposed to provide further clarification to the June 26 submission.
> 
> We look forward to discussing the June 26 submission and these amendments.
> 
> Amendment # 1:
> Data is deidentified when a party:
> 
> 1.  has taken reasonable steps to ensure that the URL data across websites or Unique ID cannot reasonably be re-associated or connected to a specific user, computer, or device;
> 
> 2.  has taken reasonable steps to protect the non-identifiable nature of data if it is distributed to non-affiliates and obtain satisfactory written assurance that such entities will not attempt to reconstruct the data in a way such that an individual may be re-identified and will use or disclose the de-identified data only for uses as specified by the entity.
> 
> 3.  has taken reasonable steps to ensure that any non-affiliate that receives de-identified data will itself ensure that any further non-affiliate entities to which such data is disclosed agree to the same restrictions and conditions.
> 
> 4.  will commit to not purposely sharing this data publicly.
> 
> Data is delinked when a party:
> 
> 1. has achieved a reasonable level of justified confidence that data has been de-identified and cannot be internally linked to a specific user, computer, or other device within a reasonable timeframe;
> 
> 2. has taken reasonable steps to ensure that data cannot be reverse engineered back to identifiable data without the need for operational or administrative controls.
> 
> Amendment # 2:
> 
> Tracking is the collection and retention,  or use of a user’s browsing activity – the domains or URLs visited across non-affiliated websites -- linked to a specific user,  computer,  or device.
> 
> Amendment # 3:
> 
> The first party MUST NOT pass information without consent about this network interaction to third parties who could not collect or use the data themselves when DNT:1 is received. Information about the transaction MAY be passed on to service providers acting on behalf of the first party
> 
> Best regards,
> 
> Jack
> 
> Jack L. Hobaugh Jr
> Network Advertising Initiative | Counsel & Senior Director of Technology 
> 1634 Eye St. NW, Suite 750 Washington, DC 20006
> P: 202-347-5341 | jack@networkadvertising.org
> 
> 
> 
> 
>

Received on Tuesday, 9 July 2013 15:58:20 UTC