RE: June Draft Proposal: Unknowing Collection

Thank you Thomas - here is a pass at finding more balance in the proposed text.

A party MUST make reasonable efforts to understand its information practices with respect to data collection and use in online contexts - specifically understanding their party position (1st and/or 3rd) across user interactions.  If a party learns that it is collecting information in an unexpected context in violation of this standard, it MUST take meaningful steps to appropriately apply this standard to data in this context at the earliest practical opportunity.  If a party learns that it has retained information from this unexpected context, it MUST de-identify (and possibly de-link if the data is not necessary for a Permitted Use) at the earliest practical opportunity.

[Note - I removed the use/share elements as once the data has been de-identified, and possibly de-linked, further alignment with the standard should occur naturally.  The goal of these changes is to not punish those that discover someone has pushed their content into an unexpected context - and rather give them a clear path forward to remedy the situation on a go-forward basis.  Anyone "knowingly" collecting information in violation of the standard is simply in violation.  In non-normative text I would recommend we focus on 1st party serving situations that unexpectedly become 3rd party as this appears to be the most expected use case for this provision.]

From: Thomas Roessler [mailto:tlr@w3.org]
Sent: Wednesday, June 26, 2013 12:39 PM
To: Shane Wiley
Cc: Jonathan Mayer; public-tracking@w3.org Group WG
Subject: Re: June Draft Proposal: Unknowing Collection

Shane,

is there a way to scope the "unknowing collection" language more closely to the specific case you're suggesting (i.e., somebody showing up as a third party when they think they're a first party)?

The current language appears to include unknowing collection by a third party that simply doesn't have its data practice under control.  Strikes me like that's a very different scenario.

Thomas Roessler, W3C <tlr@w3.org> (@roessler)



On 2013-06-26, at 19:10 +0200, Shane Wiley <wileys@yahoo-inc.com> wrote:


Jonathan,

I believe language of this strength will drive no one to implement DNT due to the high burden if a party unknown to them places their content in a context they did not expect.  If a party did not intend and did not itself make the error of tracking in the incorrect context, then they should not have an obligation for retrospective application of DNT.  I agree if they themselves made this error then they should have the obligation for repair retrospectively.

As I don't see this rising to the level of a security breach, I don't see the value in forcing public disclosure, as again, this will drive many to not want to implement DNT due to the high burdens it comes with outside the already high cost of implementation.

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, June 26, 2013 8:15 AM
To: public-tracking@w3.org Group WG
Subject: June Draft Proposal: Unknowing Collection

I would propose clarifying and increasing the rigor of this section.
A party MUST make reasonable efforts to understand its information practices.  If a party learns that it collects information in violation of this standard, it MUST end that collection at the earliest practical opportunity.  If a party learns that it retains information in violation of this standard, it MUST delete that information at the earliest practical opportunity.  If a party learns that it uses information in violation of this standard, it MUST end that use at the earliest practical opportunity.  If a party learns that it shares information in violation of this standard, it MUST end that sharing at the earliest practical opportunity.

I would also consider a reporting requirement.
If a party discovers it has been in violation of this standard, knowingly or unknowingly, it must make a public disclosure of the violation.  A disclosure may be made in any reasonable manner, such as a prominent notice on a party's main website.

Received on Thursday, 27 June 2013 16:08:10 UTC