RE: first-party third-party

Nick, that’s fine by me. 

 

On another note FYI, the just agreed GDPR refers to online tracking in
recital 21. Recitals 23, 24, 25 at least are also relevant to our work.

 

http://statewatch.org/news/2015/dec/eu-council-dp-reg-draft-final-compromise-15039-15.pdf

 

Mike

 

From: Nick Doty [mailto:npdoty@w3.org] 
Sent: 16 December 2015 07:51
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: Rob Sherman <robsherman@fb.com>; public-tracking@w3.org
Subject: Re: first-party third-party

 

I think we're agreed on not wanting to change the normative text. To Mike's
latest suggestion, I think the simple proposal would be to add a
non-normative note to the end of 2.5 Party saying:

 

When data pertaining to a user’s actions is collected as a result of one or
more network interactions, a party acts in one of the roles defined below, i.e.
as a first party or as a third party to a given user action. These terms are
not meant to denote the business practices of entities as a whole, but
rather to describe a party’s role in a particular network interaction.

 

(Don't need to separately mention service provider as a separate role as the
point of the service provider is that if it follows those requirements, then
it acts like a first party or a third party to the given user action.)

 

I think that would be an accurate explanation. I'm not sure if adding such a
note will clarify for readers or not.

—Nick

 

 

On Dec 10, 2015, at 6:29 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

 

Thanks Rob, I agree the idea is to clarify the distinction rather than
reopen the issue. 

 

One problem is the definition of Party refers to entities while First Party
and Third Party refer to roles. (A Service Provider is acting in the role
of its contractee in the particular network interaction). 

 

How about the following (I have taken your suggested wording and formatted
it to be added as non-normative text to the Party definition, and renumbered
the paragraphs describing dependent definitions):

 

2.5 Party

 

A party is a natural person, a legal entity, or a set of legal entities that
share common owner(s), common controller(s), and a group identity that is
easily discoverable by a user. Common branding or providing a list of
affiliates that is available via a link from a resource where a party
describes DNT practices are examples of ways to provide this
discoverability. [no change]

 

When data pertaining to a user’s actions is collected as a result of one or
more network interactions a Party acts in one of three roles defined below,
i.e. as a Service Provider, as a First Party or as a Third Party. These
terms are not meant to denote the business practices of entities as a whole,
but rather to describe a party’s role in a particular network interaction.
In each interaction an origin server (controlled by a Party) determines in
which of these roles it is operating and follows the relevant procedures
described under [Server Compliance]

 

2.5.1 Service Provider

 

[same Definition as existing 2.6]

 

2.5.2 First Party

 

[same Definition as existing 2.7]

 

2.5.3 Third Party

 

[same Definition as existing 2.8]

 

From: Rob Sherman [mailto:robsherman@fb.com] 
Sent: 10 December 2015 05:09
To: Mike O'Neill <michael.oneill@btinternet.com>; public-tracking@w3.org
Cc: 'Nick Doty' <npdoty@w3.org>
Subject: Re: first-party third-party

 

Mike,

 

I’m not sure that this text helps clarify, and it seems in some ways
inconsistent with other provisions of the text that have been agreed upon by
the Working Group.  For example, your proposal specifies that there can only
be a single first party in a particular network interaction, whereas Section
2.7 envisions that in some cases there may be multiple first parties to a
given network interaction.  Likewise, the standard you specify below (“the
entity that a user deliberately intended, in any particular action, to
interact with”) is different from the language that’s specified in the
agreed-upon text.  I don’t think it’s necessary or appropriate to redefine
these terms, especially after so much detailed discussion of these issues
over the years within the Working Group — and I worry that doing so in this
way could introduce multiple definitions, which could increase confusion
rather than solve it.

 

If I’m understanding correctly, the main misunderstanding is that some
people who haven’t been actively involved in our discussions may believe
that the terms “first party” and “third party” are intended to characterize
the business practices of particular entities as a whole, rather than to
describe their roles in a particular network interaction.  Would making just
that clarification in non-normative text help address the concern without
reopening the substantive issue?

 

Rob

 

 

Rob Sherman

Facebook | Deputy Chief Privacy Officer

1299 Pennsylvania Avenue, NW | Suite 800 | Washington, DC 20004 |
202.370.5147 

 

From: Mike O'Neill <michael.oneill@btinternet.com>
Date: Thursday, November 26, 2015 at 9:50 AM
To: "public-tracking@w3.org" <public-tracking@w3.org>
Cc: Nicholas Doty <npdoty@w3.org>
Subject: first-party third-party
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday, November 26, 2015 at 9:51 AM

 

Here is some text aiming to clear up the evident misunderstandings about
parties. It could go in the introduction of the TCS or in the Compliance
paragraph 

 

For the sake of clarity, a first party, as defined in the Definitions
section of this document, is the entity that a user deliberately intended,
in any particular action, to interact with. Other entities, whether or not
they manage servers receiving DNT signals as part of that interaction, are
third parties to that user action. The terms “first party” and “third party”
are not meant to indicate a particular type of entity but only to
differentiate between those that a user intended to interact with, and those
they did not.

 

Received on Wednesday, 16 December 2015 12:49:15 UTC