Re: [w3ctag/design-reviews] First-Party Sets (#342)

The other abuse angle to this is data sharing between domains that are legitimately owned by the same organisation (in a legal sense of e.g. an ultimate parent company controlling the orgs that have registered the domains) but where doing so would subvert end user expectations about how their data might be used.

One example might be state-owned enterprises, where a government could have a controlling interest in organisations across a variety of different sectors, and may put them all into a valid FPS and thus be able to track users between them. Common branding in this case might also be expected by the user, but identity tracking or other data sharing remains undesirable. Another might be an individual who has a controlling interest in a variety of organisations in different sectors, and because of the way company ownership is defined in the relevant jurisdiction can legitimately (in a legal sense) put them in an FPS, which would pass vetting by the enforcement entity, but still result in a tracking network that is harmful to users.

Other alternate company structures I'm thinking about are things like co-operatives which might be owned equally by members. Domains registered by the co-op can be in the same FPS but be used for a variety of purposes and result in harmful tracking.

I'm sure I saw or heard mention of a maximum set size at some point, but can't find that now. What is your current thinking on a reasonable maximum set size? I would be inclined to suggest it needs to be small enough that it isn't burdensome for an end user to grasp the scale of by reading the list if necessary (i.e. *not* like the giant list of a hundred companies you've never heard of that come up when you click "Learn more..." on an EU accept/reject cookie prompt).

What you touched on during our call today about the "user journey" between participating sites may be key to establishing "legitimate interest" in placing domains in an FPS, but agree that this is going to be very challenging to enforce, or even verify.



Received on Tuesday, 16 November 2021 10:14:59 UTC