Re: ISSUE-184

Hi Walter,

Thanks for explaining your scenario in more detail, I think it helps us all better understand.

On May 22, 2013, at 12:41 PM, Walter van Holst <> wrote:

> On 225//13 9:19 PM, JC Cannon wrote:
>> Under DNT, third parties are not allowed to collect data for
>> targeting purposes or share data with third parties so any
>> third-party data used by the first party would have only been
>> collected when DNT was disabled or absent.
> Dear J.C.,
> My understanding of the spec (which may be flawed, so bear with me) is
> that it allows for third-parties to ignore any DNT signal provided that
> they do not claim to be DNT-compliant. While the current spec allows a
> first-party to collect data while claiming DNT-compliance, even when
> appending it with data collected in a third-party quality (with which I
> disagree, but that is not the issue at hand).
> So to be slightly more specific about the scenario mentioned in ISSUE-184:
> Imagine:
> - News site A claiming to be DNT-compliant, and actually does not
> collect data at all itself, it also does not directly demand any
> personal data whatsoever. But...
> - through some Javascript-Fu, it (possibly inadvertedly) makes its
> content only available if the UA renders a third-party single-pixel
> tracker.

This makes implementation seem very challenging -- if a first party includes third-party content (which itself includes third-party content) and one day that third-party iframe decides to limit the news items or other content it shows based on requiring DNT:0 consent, it sounds like you would suggest that the first party has become non-compliant without realizing it. 

> Or alternatively, it only makes it content available if the third-party
> receives a DNT:unset or DNT:0 signal.
> So all parties involved can claim DNT-compliance, even the third-party.
> It does not provide its content under a DNT:1 signal (what the spec
> allows for).
> To me any DNT:0 signal such third-party receives is not freely given
> consent.
> To cut a very long story short: if you make your content dependent on
> third-party content that either is not DNT-compliant or requires a DNT:0
> or DNT:unset signal, you cannot in good faith claim to be DNT-compliant
> unless you use the SAME-PARTY feature. Because from a user-perspective
> you are acting as the same party.

Part of the confusion may be that we have used the same-party element as a way for a site to indicate that multiple domains are actually from the same organization; a first-party can indicate this in order to prevent confusion in a user who sees first-party compliance claims from different domain names. To do as you would propose would create a situation where same-party encompassed different organizations with different data handling practices. I'm also not sure what a user agent would do with that information -- if same-party indicated the third-parties that are important to displaying content on this page, how would it help DNT users to have that information in a machine-readable way?

I agree with Jonathan, Rob, Roy and Chris (and perhaps you too!) that we have generally agreed that sites can condition access to content based on DNT consent, the same way that today many condition access based on payment (pay-walls). Does it make a difference that it might be a third-party widget that is conditioning access to the info it displays within its widget on DNT:0 opt-in?


Received on Monday, 3 June 2013 00:42:09 UTC