W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: Change Proposals: Issue 10

From: Alan Chapell <achapell@chapellassociates.com>
Date: Wed, 09 Oct 2013 11:06:20 -0400
To: John Simpson <john@consumerwatchdog.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CE7ACA4D.3ADC3%achapell@chapellassociates.com>

Although I believe the NAI and DAA  like many trade associations  have
some form of agreement between them and their members, I don't see this as
an industry association initiative. The contract in my example isn't with
the associations. 

The main point is that ownership is not better than contract for ensuring
user privacy. One thing we can ensure with contract that is not necessarily
the case with ownership alone is a clear, conspicuous, and common set of
privacy rules that apply across the contractually affiliated sites.

Given that, the question becomes what it actually looks like to users. We
may not have a live example to point to today, but conceptually it might be
similar to the network created by the now defunct QuandrantOne
(http://www.quadrantone.com <http://www.quadrantone.com/> /).

Lets assume the QuadrantOne network of sites had contractual relationships
to work together to serve targeted advertising.
Lets assume that each site on QuadrantOne was wiling to have a link
somewhere easily discoverable that they belong to the QuadrantOne network of
sites. (I.e., branding)

And lets compare QuadrantOne to a potential ad network created by Amazon.com
and the WashingtonPost  both essentially owned by Jeff Bezos. Per our
current rule set, the common ownership need only be easily discoverable in
order for both entities to claim status as a common party. To be clear, I
have no knowledge of what Mr. Bezos plan is  but Amazon has managed to
carve out a nearly billon dollar per year advertising business thus far.

Utilizing the above examples, QuadrantOne provided a level of privacy
protections for consumers that were at least as good as Amazon /
WashingtonPost - organizations that share common ownership and branding. And
if we're treating them differently, I'd like to understand the policy
justification for doing so.

With that in mind, consider the head to head example I shared last week.

In my example, there are two groups of websites.
Group A is owned by Justin, and group B is managed by Matthias.  [think of
Matthias in this case as QuadrantOne]

Each website in group A has a different privacy policy and different privacy
Each website in group B has a different privacy policy and different privacy

Each website in group A has a link that clearly states "You are visiting a
Justin-owned website"
Each website in group B has a link that clearly states "You are visiting a
websites on the Matthias network"

Each website in group A is presumably subject to some form of contract for
serving ads across each of Justin's sites.
Each website in group B is definitely subject to a contract for serving ads
across each of Matthias' sites.

Under our current definitions and policy regime, Justin is allowed to track
across his sites, but Matthias is not.

The outcome doesn't make sense for privacy, does it?


From:  John Simpson <john@consumerwatchdog.org>
Date:  Tuesday, October 8, 2013 4:20 PM
To:  Alan Chapell <achapell@chapellassociates.com>
Cc:  "public-tracking@w3.org" <public-tracking@w3.org>
Subject:  Re: Change Proposals: Issue 10
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 08 Oct 2013 20:20:31 +0000

> Does this mean that a party could sign a contract with DAA (or other trade
> association) describing its collection practices, use the common "brand" of
> the DAA icon, describe its practices in a privacy policy and then share with
> every other entity that does the same thing, i.e., all the other DAA members?
> On Oct 8, 2013, at 10:23 AM, Alan Chapell <achapell@chapellassociates.com>
> wrote:
>> Proposal: Party definition Make affiliate list an example; add ownership OR
>> contract as ways to reach "common party" status
>> This builds upon a previous Proposal from Amy Colando
>> <http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0370.html>  and
>> Proposal from Chris Pedigo
>> <http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0390.html>  and
>> is in response to a suggestion from Justin Brookman as we look for the best
>> home for this concept.
>> This is a replacement for last few sentences in section 2.4 Party
>> New text
>> For unique corporate entities to qualify as a common party with respect to
>> this document, those entities MUST be EITHER: commonly owned and commonly
>> controlled OR enter into contract with other parties regarding the
>> collection, retention, and use of data, share a common branding that is
>> easily discoverable by a user, and describe their tracking practices clearly
>> and conspicuously in a place that is easily discoverable by the user.
>> Regardless, parties MUST provide transparency about what types of entities
>> are considered part of the same party. Examples of ways to provide this
>> transparency are through common branding or by providing a list of affiliates
>> that is available via a link from a resource where a party describes DNT
>> practices.
>> Rationale
>> Strong contractual provisions and branding provide a level of privacy
>> protections for consumers that is at least as good as Common ownership and
>> branding.
>> Alan Chapell
Received on Wednesday, 9 October 2013 15:06:54 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC