New Change Proposal: New text for First Party Compliance (Issue-170) from Vinay Goel on 2013-09-24 (public-tracking@w3.org from September 2013)

From: Vinay Goel <vigoel@adobe.com>
Date: Tue, 24 Sep 2013 07:55:23 -0700
To: "public-tracking@w3.org List" <public-tracking@w3.org>
Message-ID: <CE67201B.4AEC%vigoel@adobe.com>

Current text: "If a first party receives a DNT:1 signal the first party may engage in its normal collection and use of information. This includes the ability to customize the content, services, and advertising in the context of the first party experience.

The first party must not pass information about this network interaction to third parties who could not collect the data themselves under this standard. Information about the transaction may be passed on to service providers acting on behalf of the first party

First parties may elect to follow third party practices."

Proposed new text: "If a first party receives a DNT:1 signal, the first party MAY collect, retain, and use data to both analyze usage and customize the content, services, and advertising within the context of a first party experience. A first party MAY share data about this network interaction with its service providers, but it MAY NOT share data about this network interaction with third parties."

Rationale: First off, we use the term 'data' within the definitions of Collect, use, share, etc. but now switch to 'information'. We should be consistent within the document unless there is a reason for the switched term (though if there is a reason, its unclear). Second, what does 'normal collection and use' mean? What if that first party believes its normal use is to sell/share the information with a data broker? We need to set parameters on what normal collection and use mean. Because we need to set parameters, we should use the defined terms collect, retain and use. In addition, the current text introduces the term 'pass' which is undefined/unclear. Instead, why not use the defined term of share? Last, the last sentence 'First partys MAY elect…' is completely unnecessary. First Parties MAY also choose to elect SOME third party practices but not all. Do we need to state that as well? Instead, the first party should be able to define/describe whatever it follows within its Privacy Policy.

Draws upon: Issue-170

-Vinay

Received on Tuesday, 24 September 2013 14:56:32 UTC