Re: ISSUE-219 (context separation)

Certainly, any party can get an exception to the DNT request, and signal back to the user a TSV of "C" indicating "A tracking status value of C means that the origin server believes it has received prior consent for tracking this user, user agent, or device, perhaps via some mechanism not defined by this specification, and that prior consent overrides the tracking preference expressed by this protocol."

I suspect arguing implicit consent would be challenging (!), but a first party could require that users consent to give an DNT exception as a condition of service (if legally allowed in a particular jurisdiction), or otherwise ask users if it's OK for the company to track or customize content/ads on other websites.

On Jun 24, 2014, at 4:10 PM, Shane M Wiley <wileys@yahoo-inc.com> wrote:

> Wouldn’t many first parties be able to argue they have user consent (implied or explicit) to do this thus trumping this provision?  If yes, then perhaps this isn’t an issue as 1st parties will still be able to use data collected in the 1st party context in a 3rd party context (use only; all collection is still covered by DNT).
>  
> - Shane
>  
> From: Justin Brookman [mailto:jbrookman@cdt.org] 
> Sent: Tuesday, June 24, 2014 1:05 PM
> To: Alan Chapell
> Cc: public-tracking@w3.org
> Subject: Re: ISSUE-219 (context separation)
>  
> I think Walter's language is trying to accomplish what you want.  When he says "the third party must not use data gathered in another context," I think "another context" logically includes all first-party when that party was previously a first party.
>  
> Would you prefer to say:
>  
> "the third party must not use data gathered in another context, including when it was a first party . . ."?  Or something like that?
>  
> You had previously proposed: "Use of this data outside the first party context is tracking and subject to third party rules for tracking, as outlined in Section 5." but I can't tell from the wiki where that sentence was supposed to go.
>  
> Since I'm fairly sure you all are trying to accomplish the same thing, I really hope we can merge these options.
>  
> On Jun 24, 2014, at 3:52 PM, Alan Chapell <achapell@chapellassociates.com> wrote:
> 
> 
> Hi Walter -
> 
> This language doesn't seem to address a first party acting in a third
> party context. Was that by design?
> 
> I strongly support re-inserting the language around first parties not
> being able to use data outside the Context in which it was collected.
> 
> Alan
> 
> 
> 
> 
> 
> On 6/24/14 3:29 PM, "Walter van Holst" <walter.van.holst@xs4all.nl> wrote:
> 
> 
> On 24/06/2014 17:57, Ninja Marnau wrote:
> 
> Hi John, hi Mike,
> 
> we wil probably start a Call for objections on the topic of context
> separation this wee. Could you take a look at Walter's proposal to see
> whether it does reflect your text for data append and first parties: "A
> Party MUST NOT use data gathered while a 1st Party when operating as a
> 3rd Party.²
> 
> Here is the link to Walter's text:
> 
> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_i
> n_Third_Party_Context#Proposal_2:_Prohibit_use_of_data_collected_as_any_t
> ype_of_party
> 
> 
> Mike, John and I have had a fruitful discussion, which resulted in a
> more precise wording of what I wanted to achieve and I have updated the
> text accordingly to:
> 
> "... the third party MUST NOT use data gathered in another context about
> the user, other than with their explicit consent or for permitted uses
> as defined within this recommendation."
> 
> I feel this is a make-or-break issue for the compliance specification
> which on top of the privacy issue also has competition implications. A
> strong separation between 1st and 3rd party roles is a must for this
> compliance specification to be credible.
> 
> Regards,
> 
> Walter
> 
> 
> 
> 
> 
> 
>