Privacy/TPWG/Change Proposal First Party Compliance

From W3C Wiki
< Privacy‎ | TPWG
Jump to: navigation, search

Existing text in Editors' Draft

4. First Party Compliance

If a first party receives a DNT:1 signal the first party MAY engage in its normal collection and use of data. This includes the ability to customize the content, services, and advertising in the context of the first party experience.

The first party MUST NOT share data about this network interaction with third parties who could not collect the data themselves under this recommendation. Data about the transaction MAY be shared with service providers acting on behalf of the first party.

A first party MAY elect to follow the rules defined here for third parties.

Proposals regarding Data Append

Proposal (1): Prohibit Append and Use in Third Party Context

Proposal from John Simpson: email; issue-170

See also issue-219 and Privacy/TPWG/Change Proposal Limitations on use in Third Party Context.

This text would be in addition to existing First Party Compliance requirements in the editors' draft.

New text

When DNT:1 is received:

  • A 1st Party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a 1st Party.
  • A 1st Party MUST NOT share identifiable data with another party unless the data was provided voluntarily by the user and is necessary to complete a business transaction with the user.
  • A Party MUST NOT use data gathered while a 1st Party when operating as a 3rd Party.

Proposal (2): Slight tweaks to above proposal

Proposal from Rob Sherman: email; issue-170

This text would be in addition to existing First Party Compliance requirements in the editors' draft.

New text

When DNT:1 is received:

  • A first party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a first party.
  • A first party MUST NOT share identifiable data with a third party, other than a service provider acting on behalf of that first party, unless the data was provided voluntarily by the user and is necessary to complete a business transaction with the user.
  • A party MUST NOT use data gathered while a first party when operating as a third party.

Proposals regarding electing to collect less data

Proposal (3): Strike first party electing third party compliance

Proposal from Susan Israel and Chris Pedigo

Remove the following paragraph in current ED:

A first party MAY elect to follow the rules defined here for third parties.

Proposal (4): Elect more restrictive

Proposal from Rigo Wenning

This text would replace "A first party MAY elect to follow the rules defined here for third parties."

New Text

First parties MAY elect to be more restrictive in their data collection practices than proscribed in this Specification. If first parties only collect data as permitted for third parties when receiving a DNT:1 header, they can indicate this according to the tracking status message as set forth in the Tracking Preference Expression Specification. This also allows them to use DNT:0 as a permission mechanism for regulated environments.

Proposals to rephrase first paragraph

Proposal (5): Avoid "normal" collection and use

Proposal from Vinay Goel. (Vinay also proposes striking the elect to follow paragraph; see above.)

This text would replace the first paragraph "If a first party receives a DNT:1 signal ..."

New text

If a first party receives a DNT:1 signal, the first party MAY collect, retain, and use data to both analyze usage and customize the content, services, and advertising within the context of a first party experience. A first party MAY share data about this network interaction with its service providers, but it MUST NOT share data about this network interaction with third parties.