See also: IRC log
<ifette> ScribeNick: ifette
Aleecia: Fortunate to have people joining us who will give us summaries of things relevant to our work
... starting off, Chris Olsen from FTC
... you may know him from work on recent privacy report
... will focus on substance and areas relevant to our DNT work
... will give about a 20m summary
... with questions at end, from IRC
Chris: Thanks Aleecia
... appreciate opportunity to talk about privacy report, will focus on issues most peritnent to DNT but happy to answer other questions
... report differs from prelim staff report in terms of level of issuance
... this is a commission report
... first was a staff report
... this has some significance, even though the commission reported on the staff report in 2010, it was not a commission report
... difference is that at this point, people can't point to the report and say "well, it's just a staff report w/o commission backing"
... want to talk about DNT, a few different sections. DNT in report appears around pp52-55
... as well as first party issues being bandied about in WG
... as for DNT
... commission affirmed approach in preliminary staff report
... commission wanted to see a DNT system that met five different criteria / key principles
... first, should be implemented universally to cover all parties that track consumers
... choice mechanism easy to find/understand/use
... choices should be persistent
... should be comprehensive, effective and enforcable
<npdoty> the FTC Final Privacy Report is here: http://www.ftc.gov/opa/2012/03/privacyframework.shtm
Chris: and should go beyond simply opting consumers out of ads, should address collection of data for purposes other than those consistent with the context of the intertaction
... have identified exceptions re click fraud, analytics
... remarked on the efforts individual browser vendors made in response to call for DNT
... talked about what MSFT, MOZ, AAPL have done
... as well as what DAA has done with icon based approach
... noted that DAA has pulled togehter a number of different member companies to participate in an improved transparency effort and improved opt-out mechanism
... and have achieved impressive coverage in terms of delivery of behavioural advertising
... noted more important steps made recently by DAA regarding some concerns flagged by FTC
... including the fact that DAA system hisotrically focused on giving consumers control over receipt of targeted ads
... more recently, have announced multi-site collection principles
... implementing later this year, scheduled to conclude this year
... Stu will tlak about that
... thought that was important step forward
... to address concerns we had, that DNT needs to focus on collection as well as recept of ads
... multi-site collection principles talk about prohibition of collection if collection is for e.g. employment, insurance, healthcare elligibility
... noted another recent DAA development which was discussed at White House event which was its agreement to abide by a DNT header
... targeted for implementation later this year
... implementation of a DNT header is something FTC needs to pay attention to, how will it happen, what does implementation mean, are there isuses still to be resolved around multi-site collection
... really glad Stu is available to talk
... spent time talking about W3C and its WG
... to pull together diverse group of stakeholders to work on a standard for what DNT means, how one would comply
... noted W3C has made progress in short time it's been up and running (the WG), and that FTC looks forward to W3C making further progress
... as it moves to a DNT standard that hopefully has broad consensus
... to all key stakeholder groups
... that's the crux of the FTC DNT discussion
... can answer questions later
... also wanted to flag first party marketing issues the report addressed
... regarding status of affiliates
... appears in pp47-48 of the final report
... noted various commenters raising questions about whether affiliates considered first parties for marketing purposes
... to put in context, appears in the "choice" section of the report
... report has 3 fundamental principles/ best practices to consider
... 1, simplified or improved choice
... other 2, privacy by design and increased transparency
... this appears in the choice section
... set up by saying certain things are so accepted by the nature of consumer interactions iwht businesses that giving them a choice was not necessary
... talked about first party marketing
... what we had in mind was if you go to a retailer, you have a basic understanding that the retailer will use your info to market additional products back to you
... noted certain exceptions to blanket rule
... dealing with how you define a first party
... affiliates and third party relationships
... actually, its pp41-44
... of the report
... noted dispute in comments about whether data sharing among affiliate organizations should be considered all within the first party relationship with the consumer
... we noted different arguments re corporate ownership, obvious relationship to consumers
... took the position, which was not intended to reflect a change from 2009 staff report, but noted that in commission's view, affiliates are third parties and a consumer choice mechanism is necessary to share info across affiliates unless the relationship is clear to consumers
... common branding is one way to make the relationship clear to consumer
... if relationship not clear, choice has to be offered
... similar to what was said in 2009 OBA report
... two things I wanted to highlight, happy to discuss other aspects of reports if there are questions
... but those were the main things to hit
... perhaps its better to leave more time for questions
Aleecia: Have not seen questions yet on IRC, please type questions in IRC
... will kick things off that way
<Zakim> bryan, you wanted to ask what is "clear" to users
Bryan: What's clear to users? If it's clear perhaps don't need mechanism, but would be nice for guidance on what's "clear"
... affiliate relationship
<aleecia> any other questions for Chris?
Chris: Will depend. We identified branding as a way to make that relationship clear
<jmayer> Q: What does "collection" mean? Is it receiving information? Retaining information? Does the meaning differ for actively collected data (e.g. cookies) and passively collected data (e.g. IP address)?
Chris: may be other ways to make relationship clear to users
<aleecia> noted Jonathan
<aleecia> Jeff, please type in your question; Lia too
Chris: If you're being asked to log in to webistes with a common ID that makes it clear that when you're logging in to a particular site, it's affiliated with the company whose login credentials you are using
<aleecia> I'll summarize and I believe Chris has IRC available too
Chris: you can argue the affiliate relationship is clear
... wanted to get away from notion that you could explain the relationship but not in a way that was clear or obvious to consumers, e.g. buried in depths of a privacy policy
<jchester2> sorry. I forgot. Chris: How would the FTC respond when there are different data collection practices conducted by affiliates?
Chris: would not be clear under the language of this report
Jonathan: What does "collection" mean? Is it receiving information? Retaining information? Does the meaning differ for actively collected data (e.g. cookies) and passively collected data (e.g. IP address)?
Chris: Text of the report did not define collection
<npdoty> s/Jonthan/Jonathan/
Chris: may be different things on the continuum that present different levels of concern
... if data retained by a company for some period of time, not many arguments that doesn't represent collection
... if data hits a server and is immediately stripped / disposed of, could hear arguments that data does not constitute collection
<aleecia> Jeff, your question is next; Lia please type yours in (the q+ suggestion is great)
Chris: where the commission comes down on that spectrum has not been decided w.r.t. this report
<johnsimpson> Question: Would it be possible for two sites owned by the same company, but requiring different logins, to be considered affiliates?
Chris: report addresses ways to take certain data and ship it outside the scope of the framework
... pp18-22
... reasonably linkable standard
... discusses steps company can take to make sure the data they collect is not reasonably linkable to a consumer computer or device
<Lia> Nevermind Chris is answering my question now
<aleecia> noted, thanks
Chris: if certain data hits a server, and certain steps the company takes w.r.t. that data to take it outside the scope of the framework
... commission may view that data differently
... than just receiving that data on the servers and keeping it without taking any action to de-link / de-identify the data
Jeff: How would the FTC respond if there are different data collection practices conducted by different affiliates?
Chris: Not entirely sure i undertand the question
<jchester2> in terms of user expctations, across affiliates
Chris: start from the premise a company, presumably a first party
... and if talking about commonly branded affiliates
... if you engage in a variety of different practices with consumer / collected data
<mike> Q: What is the FTC's definition of a "Data Broker"?
<aleecia> John Simpson next, then Mike's Q
Chris: under our framework, company obligated to provide clear disclosure to consumers about what the collection practices are
... choice discussion doesn't really afect that analysis
... companies required, if they have 3 diff practices, need to explain those to consumers
<Zakim> johnsimpson, you wanted to Would it be possible for two sites owned by the same company, but requiring different logins, to be considered affiliates?
JohnSimpson: Would it be possible for two sites owned by same company but diff logins to be considered same company
Chris: Depends on UI and what the login prompt / box looks like
... if its clear through the login process the two are commonly owned and essentially the same party
... then strong argument that they are first party
... but hard to answer in isolation
... offered up the common login
<rigo> I wonder about the relation of affiliates to the concept of data processors
Chris: but important to note that it depends on what the UI looks like re; whether that relationship is apparent to consumers
Aleecia: How would the FTC decide what is/ is not apparent to consumers? is there a process?
Chris: Hard to answer. Process in law enforcement context, but i dont think that's what you're asking
... think the process would be, we see this a number of times
... companies come to us and say this is how we want to proceed
... they do that so they can get our reaction
... and feedback
... have done that with a number of companies in the past, expect we'll do that going forward
... that feedback or guidacne can't be binding
... but companies find it useful to get that reaction
... if they come up with a UI and say this is how we would like to tell consumers we are apparently / obviously affiliated, we could at least provide informal feedback
<Zakim> mike, you wanted to What is the FTC's definition of a "Data Broker"?
Mike: What is FTC's definition of a data broker
Chris: report doesn't concretely define data / information broker
<aleecia> Rigo: is that something you'd like me to ask about?
Chris: contemplating companies that do not typically interface with consumers
... they engage generally in b2b transactions, providing marketing data to other companies
<aleecia> Any other questions?
Chris: not the companies who have consumer facing products generally, but rather those who don't
<rigo> please, I'm on mobile
<johnsimpson> Question: How would the FTC define consent?
Chris: similar definition that reflects similar contexts in legislation that passed the House a few years ago referenced in privacy report
Rigo: Relationship between affiliates and data processors? EU vs US definitions
Chris: More specificity?
... do you mean are affiliates considered DPs?
Aleecia: will come back
JohnSimpson: How would the FTC define consent?
Chris: Question not specifically spelled out in the report
... will depend on particular UI
... (whether consent has been obtained)
<aleecia> Rigo do you have something more specific?
<aleecia> Other last questions?
Chris: and analysis of whether those UIs lead consumers to make informed choices
<aleecia> We end in 3 minutes
Chris: some case law in form of consent decrees re what affirmative consent would look like
... Sear's consent decree has some language in that regard
<aleecia> Sears is fascinating
Chris: in past, commission has said we have to be careful re issuing blanket statements on cosnent, e.g. opt-in or opt-out
... can be bad, innefectual models for consnet
... e.g. 15 pages of text with box at the bottom that's the only option for proceeding
... not the greatest model for opt-in consent
... can have a really bad opt-in and a really good opt-out
... depends on UI
Aleecia: on opt-in/out, FTC does not take an opinion on whether opt-in/out is required, correct?
Chris: In the past, have said in testimony
... will confine to DNT
<aleecia> last call - Rigo or anyone else?
<rigo> a data processor is not really a third party as under control of the data controller. would the processor still be considered third party? That would get beyond EU
Chris: we think an opt-out scheme would address the choice option
... looking for a
... doesn't really hit it
... was looking for langauge in a footnote
<aleecia> I'm not following, Rigo
Chris: don't know we've said specifically that opt out is what we're looking for in DNT
<rigo> was my question Aleecia
Chris: but we do have sections on affirmative expressed consent elsewhere in the report, e.g. for sensitive info and material retroactive change
<aleecia> That I got :-)
Chris: and we don't talk about that in DNT section
<aleecia> Not following the "beyond EU"
Chris: commission didn't contemplate having DNT be purely opt-in approach
Rigo: a data processor is not really a third party as under control of the data controller. would the processor still be considered third party? That would get beyond EU
<bryan> Does "opt-out scheme" mean opting out of tracking? i.e. by default tracking is on and the user has to explicitly opt-out?
Aleecia: Not sure i understood nuance
Chris: If Rigo is talking about service providers operating under control of a first party, then we would historically hold the first party to the obligations that the first party is under
<rigo> yes
Chris: first part has an obligation to make sure service provider complies with obligations to make sure first partyy doesn't stray
Aleecia: at 9:31PDT
... if Stu is on the call?
... Chris, thanks for your time
... feel free to stay on as long as you'd like
... if we have additional questions as a group, can email them to you
... has been extremely useful, thanks
<npdoty> +1, thanks to Chris
aleecia: Stu will give us a DAA principles summary for 20m
... with questions at end
Stu: Hi, nice to be with ya'll
... hope to give you a background and detailed perspective of what DAA is doing
... many people have been involved with DAA directly, some of founding trade associations, IAB / NAI, partiicpating
... in w3c process
... asked if i could explain DAA Standard
... in particular focus on announcement at white house in conjunction with FTC / Commerce
... relating to DNT
... try and keep history brief
... some bg though
... in response to FTC's call for self regulation re behavioural adveritisng
... and even before that
... a number of leading trade associations representing parts of internet data ecosystem, esp behavioural advertising but expanded over time
... came together, 40 companies
... developed 60 page document of standards setting uniform choice for conumsers
<ifette_> at aboutads.info
<ifette_> or youradchoices.com
Stu: self regulatory standard
... allowing users to exercise choise w.r.t OBA
... That standard adopted in 7/2009
... became effective a year later after figuring out technicalities
... built off of NAI Choice Mechanism work, went broader though, all third parties
... entities collecting data across sites over time
... a consumer could go to one place, press one button, get a uniform choice w.r.t limiting collection and use of data for OBA
... FTC report a year later
... final one last week
... called on business community to expand to a broader set of practices, not just limited to OBA
... broader set of practices
... prior to that, 100 third parties in our system
... believe that covers 90-95% of people collecting and using data for OBA
... over 400 entities honoring choice mechanism
... can comply in one of two ways
... tied to that program, adopted ad choices icon
... winds up being in/around an ad that takes consumer to choices w.r.t OBA
... getting over 1 trillion ads serving with this icon monthly
<rigo> thank s Ian
Stu: worked hard to get that icon out there
... launched second major educational campagin
... commissioned by McCann Erickson
... will educate people about icon and choice mechanism set up
... When FTC issued report, called on business community to do more beyond OBA
... following that, in back and forth with FTC and other entities, Commerce and others
... last fall, in October-ish
... DAA released guidelines for collection and use of multi-site data
... purposes including and beyond OBA
... that standard lays out a more detailed standard re all collection and uses for various purposes
... permitted purposes and also prohibitions
... for certain crtiera, a document with input from trade associations, 40+ companies and back-and-forth input from otehr stakeholders
... that's 20 pages
<bryan> link to that document?
Stu: about 80 pages of detailed standards negotiated so far
<npdoty> http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf
Stu: guidelines were approved through each associationa nd their boards
... representing thousands to tens of thousands of companies
... input from more than just a couple organizations
... put out that standard, challenges faced w.r.t. our standards is persistency
... system has been based on cookies
<npdoty> "including a couple of different non-profit organizations that work out of DC"
Stu: if consumers delete cookies, they delete their choices, which is not particularly useful for businesses or consumers
... over the past few years, trying to address that
... just a few weeks ago, finalized persistency for Chrome/Mozilla/IE browsers
... up and working today
... should mention also, in conjunction with building these systems, built self-regulatory enforcement regimes
... many success over the years through national ads review counsel, KROO, (missed it)
... recognized as successful by multiple parties incl. government in enhancing compliance
... had those, DMA program expanded and enhanced
<eberkower> CARU
Stu: and a new program created under BBB and National Ad REview counsel
<eberkower> Children's Advertising Review Unit
Stu: full time enforcement staff hired
<aleecia> "broader than a law could be"
Stu: last 6 months to a year, push towards compliance
<ifette_> sorry, this is hard :-) - ifette
Stu: Believe we will have increased success given resources put forward
... even though we've improved persistency, back and forth about building choice mechanism or fitting our standard into browser based header mechanism
... we announced in February that the DAA would be honoring browser based header mechanisms
... put specificity into what we would recognize as compliant with DAA principles, laid our parameters and started process to do that
<aleecia> DAA Would be honoring browser-based mechanisms, specificity of what we would be complying with in DAA. Have agreement to honor the header mech, but need to coordinate with browser cos
Stu: have agreement we will honor header mechanism, but to figure out exactly how it will work and make sure we are coordinated with browsers will need to be sorted out
... expect expansion tied to this browser mechniam as well as multi-site principles to happen by end of this year
... specifics tied to browser-based choice mechanism
... announcement with WH + FTC chairman
... choice will be exercised by consumer
... rather than set by a default or by a different entity
... and second, that prior to exercising the choice, there be a description to the consumer of the impact of the choice and how that will work
... believe that will be a positive addition
... to the existing DAA 80+ pages of specs
... we believe that will really provide a nice, new tool, and a simpler tool, to consumers, in addition to existing tool that will be continued w.r.t. cookie based mechanism and icon
<aleecia> Tom: I'll favor DNT-based questions to the one you asked (though I share it)
Stu: should be clear, cookie based mechanism and icon will not go away
<npdoty> I believe this is the relevant link from DAA on responding to browser mechanism: http://www.aboutads.info/resource/download/DAA_Commitment.pdf
Stu: strenght of the program, gives great transparency
... will be two different types of choices
... many choices have been exerciised and want to be sure they are honored
... and the persistent mechanisms work well
... will likely be years before this technology is deployed widely in browsers natively
... cookies can also work through other platforms
... this is a nice enhancement, not a substitute
... consumers are exercising choice
<aleecia> we'll find a new scribe at break
Stu: more are not exercising than choice than are
<aleecia> no worries, you're awesome
Stu: but prohibitions are something that gives lots of comfort that data won't be used to e.g. impact healthcare, employment
... three working documents
<aleecia> Jeff: noted
Stu: 60 page behavioural ad document, 20 page multi site document, 2 page white house announcement
... and working on another page to provide specificity around white house document
... will ultimately roll into a single document
... lots of input from thousands of entities over 4+y ears
... can improve as we go
... have twice redesigned the website
... improving the technlologies as problems are highlighted
... have made great progresss
... happy to report that to you
... that's my presentation, happy to take questions
Aleecia: About 12m for questions
<jmayer> Q: I'm trying to understand how the multi-site principles apply to social networks. To make things concrete: if Facebook were to join the DAA, would the multi-site principles require it to provide an opt out from Like button personalization?
<Zakim> jchester2, you wanted to Please explain what information would be conveyed to the user, prior to exercising their choice, regarding the "impact" of their choice.
Aleecia: first, from Jeff, please explain what info will be conveyed to user prior to exercising their choice and re impact
<tl> Aleecia: I'm also in the queue.
Stu: Hoping to get standard language
... happy to get input
<aleecia> I know. Going to favor DNT-based questions, much as I share your question.
<aleecia> If queue stays empty I'll hit yours
Stu: will describe the limitations of the data, and that certain data may be collected and used (security and other permitted exceptions under DAA standards)
... and that certain entities will contunie to collect and use data outside these principles
<aleecia> jmayer next
Stu: be clear what the effect of the choice in terms of what it iwll limit and that there will still be data collected under limited purposes
<tl> aleecia: No problem: please prioritize questions! Just making sure it was deliberate, not accidental.
Stu: won't be a 10 page privacy notice
... 2-3 sentences to simply convey to users
<npdoty> "not a 10-page privacy notice, we're looking at 2 to three sentences to simply convey that to users"
<Zakim> jmayer, you wanted to if Facebook were to join the DAA, would the multi-site principles require it to provide an opt out from Like button personalization?