- From: Justin Brookman <jbrookman@cdt.org>
- Date: Tue, 8 Oct 2013 17:21:18 -0400
- To: David Wainberg <dwainberg@appnexus.com>
- Cc: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-Id: <DF0EC194-D61C-4428-8CC4-F1E3F1C96AD0@cdt.org>
Hi David, I'm still struggling to understand what your proposal means, or even how it differs in principle from the current editors' draft. Under the current compliance standard, the rules for collection and use are already *heavily dependent upon context*: If you're a third party, you can only collect and use data pursuant to operational permitted uses or user-granted exception. This remains true even when the third party later engages with the user in a first party context. For first parties, they can do whatever they want in the first party context except evade the standard (details on how that works still being worked out). There is an open issue over what first parties who collect data can do in a later third-party context. So the standard is already heavily context-dependent --- your matrix is currently addressed in the standard. I read your proposal to just ask for the deletion of first and third party from the compliance spec, which would remove (some of) the contextual language from the current standard without offering replacement text. Simply deleting the definitions of first and third party without more doesn't make logical sense within the current document; you would need to change the subsequent operational language as well. And I'm afraid I don't understand how what you're envisioning differs from what the document currently accomplishes. On Oct 8, 2013, at 5:02 PM, David Wainberg <dwainberg@appnexus.com> wrote: > Hi All, > > Proposal: eliminate the definitions for first and third party and instead define the contexts of data collection and use, per ISSUE-221. > > Rationale: Defining contexts of collection and use, rather than parties, is more precise and clear, and so will avoid confusion and misinterpretation of the spec. Speaking in terms of context goes right to the point. Parties are not inherently one or the other. Company X is a party. Is it a first party or a third party? We don't know until we see the context in which it is collecting or using data at any given moment. So let's just talk about the context, then. > > Or, to put it slightly differently, parties can morph between 1st and 3rd. They can hold data that was collected in either context and they can use data in either context. But what matters is that context in which the data is collected or used. And the DNT signal carries over with the data, even as the party switches contexts. Therefore 1st or 3rd-ness is really a property of the data, not of the party. And, it follows that it's clearer to talk about applying rules to the data rather than to parties. > > Thanks for considering this change. > > -David
Received on Tuesday, 8 October 2013 21:21:52 UTC