Re: Change proposal for ISSUE-5 ­ Definition of Tracking

Thanks for the precise and documented change proposal!

Whether or not this issue gets addressed in the definition of tracking, I think it has to get addressed in the definition of party either way.  That is, because *tracking* is not an operational term in the document, a company's cross-site activities might not be considered tracking under your definition, but they still might be prohibited by the standard because of a narrow definition of parties and a prohibition on third-party collection absent an operational permitted use or UGE.  So I think you should adapt your language below to a proposal on ISSUE-10 (as well or in lieu of this) --- if you can provide specific language for the call tomorrow great; otherwise we can discuss the concept and expect a proposal by October 9.

Also, if you could provide some examples for how this might work in practice under a common branding/contract regime, I think that would be useful for the group to consider.  One example I brought up on the call last week was DAA/IAB membership --- would multiples companies (including publishers, ad networks, and others) publicly ascribing to those codes render them one party under your definition?  Or would the branding have to be more robust than that?  I just want to tease out what this means! 

Both ISSUE-5 and ISSU-10 will be discussed tomorrow, and I think we can fold your new issue into those discussions.

On Oct 1, 2013, at 1:47 PM, Alan Chapell <achapell@chapellassociates.com> wrote:

> I propose the following change proposal for ISSUE-5 – Definition of Tracking
>  
> This builds on a definition that was previously submitted by Roy.
>  
> “Tracking is the act of following a particular user's browsing activity across multiple distinct contexts, via the collection or retention of data that can associate a given request to a particular user, user agent, or device, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. For the purposes of this definition, a context is a set of resources that EITHER: a) share the same owner, data controller and a common branding, such that a user would expect that data supplied to one of the resources is available to all of the others within the same context, OR b) enter into contract with other parties regarding the collection, retention, and use of data, share a common branding that is easily discoverable by a user, and describe their tracking practices clearly and conspicuously in a place that is easily discoverable by the user." 
>  
> Rationale: I believe that we have WG consensus that common ownership, control and branding provides sufficient transparency and privacy controls. Building on some of David Wainberg’s recent posts, I believe that branding and contractual provisions provide an equivalent level of transparency and control.
>  
> I’m not sure if this concept should reside in the definition of of tracking, or if it should sit elsewhere. I’m open to the input of the group.
>  
> Alternatively, we can insert this concept into the definition of First Party or attempt to address data collection by context rather than by party. The rationale behind the latter is that it reduces likely confusion about who is a party under each specific use case, and aligns better with user understanding and expectations about how data will be processed.
>  
> As this is an important issue that could be placed in a number of sections of our specification, I’m opening up a separate issue to help ensure it doesn’t fall through the cracks.
> 
> Alan 

Received on Tuesday, 1 October 2013 18:14:20 UTC