Re: ISSUE-154: Are First parties allowed to use data (either offline or online) from third parties

I don't think the offline and 1st party use is out of scope.  The FTC itself has raised a # of concerns about First parties as well as data brokers, as you know.  If a user sends DNT, than no data appends from third parties should occur without specific user consent.   The third party data landscape being used to target online within first parties should be covered by DNT.  Today, as we know, online marketing and data companies are working together to target users using a wide array of data sources [ recent example: http://www.mindshareworld.com/who-we-are/news/@Mindshare_Launches_Core].  

As my colleagues have also said, the issue of First parties is part of work towards a industry/privacy/consumer advocate agreement on the final spec.  I look forward to continuing the conversation.  But the final outcome has to truly balance user privacy seeking DNT and industry practices in the real-time data targeting era.

Jeff




On Jul 25, 2012, at 8:25 AM, Shane Wiley wrote:

> I believe the discussion of offline data and 1st party use is out-of-scope (the proposal we forwarded calls this out).  As offline data is collected from either public sources or through direct user consent (contests, sweepstakes, etc.), if this is matched directly to a 1st party to affect the user’s experience on a 1st party, I don’t see how this impacts our current discussion (1st party + user consent = out of scope for DNT).  If a 1st party were to attempt to leverage this data anywhere other than their own property, then I see this as 3rd party use and it would then have to honor the DNT signal (example 1 below).
>  
> - Shane
>  
> From: David Singer [mailto:singer@apple.com] 
> Sent: Tuesday, July 24, 2012 7:49 PM
> To: Jonathan Mayer
> Cc: Chris Pedigo; public-tracking@w3.org
> Subject: Re: ISSUE-154: Are First parties allowed to use data (either offline or online) from third parties
>  
>  
> On Jul 24, 2012, at 14:21 , Jonathan Mayer wrote:
> 
> 
> A couple concrete examples might clarify the problem.
>  
> Example 1: John Doe signs up on the Example News website.  Doe has Do Not Track enabled.  Example News makes offline contact with Example Data Aggregator to get a consumer profile on John Doe.  Example News then offers ad targeting based on that data in its private ad exchange.  Allowed?
>  
> (I think the answer is no, entailed by two other points of consensus.  First: a first party shouldn't be able to share with a third party any information that the third party could not collect itself.  Second: a third party cannot intentionally solicit and collect identifying information about a user.)
>  
> Example 2: John Doe is a long-time rewards club member at Example Supermarket.  Example Supermarket has relied on Doe's Example Data Aggregator profile for years to determine which coupons to print for him.  Doe, with DNT enabled, signs up on the Example Supermarket website for online shopping and home delivery.  Example Supermarket recommends products on its website based on Doe's Example Data Aggregator profile.  It also continues to print in-store coupons based on that profile.  Allowed?
>  
> (This example is trickier.  My inclination would be to say the supermarket should stop gathering new third-party profiles and, perhaps, stop using old third-party profiles.  I'm curious where others come down.)
>  
>  
> I think we might think about behavior that is unwise (but allowed) and behavior that is not allowable.  If the user perceives that the tracking is still going on, that might be unwise on the site's part, even if we decide it's formally allowed.
>  
> Previously we had the catch-phrase "treat me a someone about whom you know nothing and remember nothing" and under that, the answer to the question is "no", clearly.  But it's the accumulating of the database that is the real tracking here; the use of pre-existing data may be less egregious (though probably unwise, as I said).
> 
> 
>  
> On Tuesday, July 24, 2012 at 12:13 PM, Chris Pedigo wrote:
> I have significant concerns about this restriction on first parties.  There has been discussion about including such a restriction, but I do not recall the group reaching any kind of consensus.  In addition, I have asked for text on this restriction and never received it, which begs the question – what have we agreed to (if such agreement has ever been reached)?
>  
> That said, restricting first parties from appending data to records of DNT:1 users is problematic for several reasons:
>  
> First parties are already prohibited from sharing data about DNT:1 users with third parties and third parties cannot collect/use data about DNT:1 users.  Look at it this way, a DNT:1 user visits a website – the first party can collect data about that user but can’t share it with anyone, the third parties on that site can’t even collect/use it.  The loophole has already been closed.
> Since #1 is true, this means that the data we’re talking about restricting is data that has been collected offline or data that has been collected with consent or otherwise in the spirit of DNT. 
> The primary purpose of appending data to data about DNT:1 users is for first-party marketing, which the FTC recognized as an above-board purpose which generally should not require user consent.  The reason is simple – you can opt out of that marketing, it’s obvious and users expect it.
>  
> I am open to continuing this discussion on tomorrow’s call and/or via email.  But I do not believe this group should restrict the ability of first parties to conduct the long-standing practice of first party marketing.
>  
>  
> Chris Pedigo
> VP, Government Affairs
> Online Publishers Association
> (202) 744-2967
>  
>  
>  
> David Singer
> Multimedia and Software Standards, Apple Inc.
>  

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220