ACTION-273; ACTION-368; ISSUE-10; Definitions related to first party, multiple first party, service provider/data processor

To prepare for the March 6 call, this email sets forth text and sources relevant to these related topics: (1) definition of first party; (2) definition of multiple first parties; and (3) definition of service provider/data processor.  After listing proposed text on the three items, this email provides background citations on “joint marketing” under the U.S. financial privacy law, GLBA.

-- -

Definition of first party.   The following text is in the editor’s straw man text posted at http://www.w3.org/2011/tracking-protection/drafts/EditorsStrawmanComp.html#first-party.  Justin Brookman took the lead on this language, and circulated an email this morning about his views on multiple first parties. Notably, based on discussion last week, it contains language that “the user intentionally interacts.”

3.5 First Party
In a specific network interaction, a party with which the user intentionally interacts is a first party. In most cases on a traditional web browser, the first party will be the party that owns and operates the domain visible in the address bar. The party that owns and operates or has control over a branded/labelled embedded widget, search box, or similar service with which a user intentionally interacts is also considered a First Party. If a user merely mouses over, closes, or mutes such content, that is not sufficient interaction to render the party a first party.

3.6 Third Party
In a specific network interaction, any entity that is not the user, user agent, or a first party is considered a third party.

-- -

Definition of multiple first parties. Rob Sherman has previously posted this proposed definition of multiple first parties, at http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0075.html.  Below in this document, you will see some text used under the Gramm-Leach-Bliley Act for the somewhat similar issue of “joint marketing” under that law.

3.5.1.2.2 Multiple First Parties

For many websites, there will be only one party that the average user would expect to communicate with: the provider of the website the user has visited. But, for other websites, users may expect to communicate with more than one party.  In these instances, a party will be deemed a first party on a particular website if it concludes that a user would reasonably expect to communicate with it using the website.

URIs, branding, the presence of privacy policies or other disclosures that specifically identify a party, and the extent to which a party provides meaningful content or functionality on the website, may contribute to, but are not necessarily determinative of, user perceptions about whether a website is provided by more than one party.

Example: Example Sports, a well-known sports league, collaborates with Example Streaming, a well-known streaming video website, to provide content on a sports-themed video streaming website. The website is prominently advertised and branded as being provided by both Example Sports and Example Streaming. An ordinary user who visits the website may recognize that it is operated by both Example Sports and Example Streaming.  Both Example Sports and Example Streaming are first parties.

Example: Example Sports has a dedicated page on Example Social, a social networking website. The page is branded with both Example Sports’ name and logo and Example Social’s name and logo.  Both Example Sports’ and Example Social’s names appear in the URI for the page.  When a user visits this dedicated page, both Example Sports and Example Social are first parties.

Example:  Example Fan Club operates a sports fan website that posts articles about sports teams.  Example Streaming provides an embeddable widget that allows the display of a video from a sports game.  Example Fan Club embeds this widget at the bottom of one of its articles.  The website does not identify Example Streaming in the URI, includes no Example Streaming branding, and does not refer to the Example Streaming privacy policy.  The only functionality that Example Streaming provides on the website is the display of the video through its widget.  Consistent with the standard described in section 3.5.1.2.1, Example Fan Club is a first party and Example Streaming is a third party.

-- -

Justin’s proposed alternative text today on multiple first parties:

In most network interactions, there will be only one first party with which the user intends to interact.  However, in some cases, a network resource will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessing that resource.  User understanding that multiple parties operate a particular resource could be accomplished through inclusion of multiple parties' brands in a URI, or prominent branding on the resource indicating that multiple parties are responsible for the primary content of the resource.  Branding of a party that only provides secondary or support functionality for a resource will not be sufficient to make that party a first party in any particular network interaction.

-- -

Definition of service provider/data processor.  Chris Pedigo, based on the discussion on last week’s call, has proposed a revised definition, with new text in italics:

Action 368 – Definition of Service Provider/Data Processor

Normative

A Data Processor is any party, in a specific network interaction, that both operates on behalf of the entity for which it is working (business associate) and meets the following conditions:
- Data that is collected and/or retained is separated by both technical means and organizational process, AND
- Uses and shares data only as directed by the business associate, AND
- Enters into a contract with a business associate that outlines and mandates these requirements.

A Data Processor is subject to the same restrictions as the business associate.  If a Data Processor were to violate any of these conditions, it will then be a third party.  Data processors may merge and use data for the purposes of security or fraud prevention.

Non-Normative

Data processors may use data collected for the proper management and administration of the business associate.  Similar allowances are made for data processors under European Union law, the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Gramm-Leach-Bliley Act.

-- -


Text on service providers and joint marketing in Gramm-Leach-Bliley.

Statutory Text of the Service Provider Exception and Joint Marketing Exception
“[GLBA] shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the [regulations implementing GLBA], if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.”  15 U.S.C. § 6802(b)(2).

FTC regulation implementing the statute:

“(a) General rule. (1) The opt out requirements in §§ 313.7 and 313.10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you: (i) provide the initial notice in accordance with § 313.4; and (ii) enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in § 313.14 or 313.15 in the ordinary course of business to carry out those purposes.
(2) Example.  If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in § 313.14 or 313.15 in the ordinary course of business to carry out that joint marketing.
(b) Service may include joint marketing.  The services a nonaffiliated third party performs for you under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.
(c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.”  16 C.F.R. § 313.13.

FTC Example of the Joint Marketing Exception
Frequently asked questions issued by the FTC in conjunction with promulgation of its GLBA regulation contain the following example of the applicability of the joint marketing exception:
“Question:  I disclose my consumer borrowers' names and addresses to a nonaffiliated insurance company.  The insurance company sends the borrowers a letter, on my letterhead, offering insurance.  I do not sell insurance.  Does this arrangement qualify for the § 313.13 joint marketing agreement exception?  Must the products described in the marketing materials be our products?
Answer:  The exception to the opt out requirement in § 313.13 applies to disclosures you make to nonaffiliated third parties pursuant to a joint written agreement between you and one or more financial institutions under which you and the other financial institution(s) jointly offer, endorse, or sponsor a financial product or service.  You may disclose your consumer borrowers' names and addresses to the insurance company under § 313.13 because (i) the insurance company is a financial institution, (ii) insurance is a financial product or service, and (iii) you and the insurance company market the insurance together.  The financial product you offer, sponsor, or endorse under a joint agreement with another financial institution need not be your product.
You and the insurance company must have a written agreement that restricts the insurance company from disclosing or using the borrowers' nonpublic personal information for any purpose other than selling insurance to the borrowers.  Furthermore, you must describe this type of arrangement in your privacy notice in accordance with § 313.6(a)(5).”  See FTC GLBA Privacy FAQs (Dec. 2001), available at http://www.ftc.gov/privacy/glbact/glb-faq.htm.
Professor Peter P. Swire
C. William O'Neill Professor of Law
Ohio State University
240.994.4142
www.peterswire.net

Received on Wednesday, 6 March 2013 16:05:30 UTC