Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)

On Jun 5, 2014, at 11:59 AM, Justin Brookman wrote:

> Thank you, Roy.  No one has objected to this revision the past two weeks it has been discussed on the calls.  Unless anyone objects to the public list, we'll close this issue out and adopt this definition.
> 
> One question:  If we allow first-party data to be used in other contexts (ISSUE-219), would this service provider exception allow ad intermediaries to serve retargeted ads (based on first-party client data) for a wide range of clients/publishers?  That is, Ad X could collect and store data on behalf of Sites 1-300, and then serve targeted ads based on any one of those 300 silos when a user visits Site 301?  As long as the contracts allow this and prohibit use of blended data across silos?
> 
> Just trying to understand how this would play out in practice.  I understand there are other proposals before the group that would allow for retargeting anyway.

I don't think of this as a service provider exception.  It just clarifies
who has control over the data, and thus who is responsible for adhering
to whatever role they have with regard to that data.

Most importantly, this definition is specific to each received blob
of data:

>> For the data received in a given network interaction, a service provider is considered to be the same party as its contractee if the service provider:
>> 
>> (1) processes the data on behalf of the contractee;
>> 
>> (2) ensures that the data is only retained, accessed, and used as directed by the contractee;
>> 
>> (3) has no independent right to use the data other than in a de-identified form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and,
>> 
>> (4) has a contract in place with the contractee which is consistent with the above limitations.

So, your question of

> would this service provider exception allow ad intermediaries to serve retargeted ads (based on first-party client data) for a wide range of clients/publishers?

implies first that the ad intermediary is a service provider to the
first party, meaning that it has access to the first party's data
and uses it as directed by that first party.  The service provider
can then use that data to the same extent that the first party could,
but only as directed by the first party.  For example, a large walled
garden like Facebook could contract with a service provider to provide
friend images based on CDN locality.  The same thing can be done with ads
if the ads are selected based on that first party's data.

However, the service provider cannot use the same data for other contractees
unless this first party directed them to do so.  In other words, the
first party would have to direct them to share the data with third parties.
Note that "first" and "third" are determined by the nature of the interaction
at the time the data was received.  Providing "first party" data to any
entity that is not a service provider to the first party is sharing
with a third party.

Likewise, the contract with the first party is going to include the
constraints of (1), (2), and (3), which means an ad intermediary acting
as a service provider is forced to silo its ad serving data by first party.

> That is, Ad X could collect and store data on behalf of Sites 1-300, and then serve targeted ads based on any one of those 300 silos when a user visits Site 301?  As long as the contracts allow this and prohibit use of blended data across silos?

I don't understand how "serve targeted ads based on" some other site would
be allowed unless both sites are owned by the same first party.
Otherwise, that is tracking: "use of data derived from that activity outside
the context in which it occurred".  Note that the definition of tracking
doesn't care whether the tracker is a service provider; it only cares
about the context in which that data was collected.

....Roy

Received on Friday, 6 June 2014 18:42:25 UTC