W3C

Results of Questionnaire [Call for Objections] Party definitions

The results of this questionnaire are available to anybody. In addition, answers are sent to the following email address: team-tracking-chairs@w3.org

This questionnaire was open from 2013-11-08 to 2013-11-20.

11 answers have been received.


1. Objections to Option A: common ownership, first and third party

Option A: Common Ownership; First and Third Party

A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user. Common branding or providing a list of affiliates that is available via a link from a resource where a party describes DNT practices are examples of ways to provide this discoverability.

Within the context of a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with another party.

In some cases, a resource on the Web will be jointly controlled by two or more distinct parties. Each of those parties is considered a first party if a user would reasonably expect to communicate with all of them when accessing that resource. For example, prominent co-branding on the resource might lead a user to expect that multiple parties are responsible for the content or functionality.

For any data collected as a result of one or more network interactions resulting from a user's action, a third party is any party other than that user, a first party for that user action, or a service provider acting on behalf of either that user or that first party.


If you have an objection to this option, please describe your objection, with clear and specific reasoning.

Details

Responder Objections to Option A: common ownership, first and third party
Jeffrey Chester Common Branding is insufficient without meaningful safeguards that reflect online industry practices for the processing of consumers through a site (multi-variate testing, eye tracking, etc). Companies such as Google that operate as multiple first parties require effective safeguards to ensure a consumer truly understands. In addition, how we define "intends" to interact must be conditioned by an analysis of the content used to bring the user to the site. Practices where users are sent to a site due to rich media driven and immersive ads or e-discount coupons require a different approach. Having two parties acknowledged as both First parties further weakens this spec. Few consumers would understand such joint arrangements and would likely have different motivations for visiting such a site. Jointly operated sites require a different approach, based on greater transparency and user control in order to qualify.
Amy Colando While this option appears to reflect a number of discussions of the TPWG over the last several months, there could be necessary clarifications added to this text. For example, the distinction between first and third party should rely on reasonable, objectively determined criteria, rather than subjective determination of a user’s intention.
Rob van Eijk I object because the TPE doesn't need a party definition in order to stand on itself. Although at first sight, option A may look like (an attempt of) an analogy of the EU approach of data controller/processor, it is not. The devil is in the (compliance) details. In order to move the TPE to last call, it is best in my view not to overload the TPE with the many interlinked and unresolved compliance document discussions related to party.
Brooks Dobbs Object. I do not feel that this definition adequately precludes a single "party" from having various constituent parts under different control and with different policies.
David Singer Not an objection, but a comment for clarity: The bracketing of the first sentence could be clearer: is either (a) a natural person or (b) a legal entity or (c) a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user.
Mike O'Neill I Object to Option A

If there are different requirements on a receiving server depending on which role it assumes then the criteria to decide is far too vague. A user may not have intended to interact with any party, and even if they did a server could not know that. If there are less stringent requirements for first parties then the tendency will be to claim to be one.
John Simpson I have concerns about this definition. First, I have a problem with the concept of "easily discoverable by a user." I think it needs to be: "A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is *obvious* or *apparent* to a user." A user should not have to seek this information out; it should be immediately clear. Second, I am still trying to understand how a website would be controlled by distinct parties where all could claim to be first parties. It seems to me you have only one data controller and that would be the only first party.
Jack Hobaugh In general, I object to the porting of a TCS compliance definition into the TPE. I feel strongly that the TPE should remain a pure protocol and technical specification document. Some have contended that some TCS definitions are needed in the TPE in order for the user to understand the choice that the user is making regarding the DNT signal. This is simply not the case. A technical specification need only specify the requests and responses necessary for a DNT protocol to be implemented in a scalable and implementable solution across all browsers and the servers called. A technical specification should not inform the user regarding a policy or compliance choice but instead should inform the technical community on how to implement a technical solution. The compliance specification for the DNT signal should be left to the compliance regime, whether it is a national compliance regime, a W3C-based compliance regime or an industry-based compliance regime. Porting definitions from a particular compliance regime into the TPE only serves to provide an incomplete and confusing picture to those attempting to implement the technical protocol.

To bring a definition of “party,” “first party,” and “third party” into the TPE does nothing to help the user understand his or her DNT preference. Again, the user preference is fairly simple - to send or not send a DNT signal. Such a preference is easily supported by the TPE without importing definitions from the TCS.

Specifically, I object to this definition to the extent that it contains words and phrases that are yet to be fully explored and defined within the TPWG. I also object to the extent that these definitions suggest that privacy gains can only be obtained through common ownership. I incorporate by reference, the section “harm to competition” found at http://www.w3.org/2002/09/wbs/49311/datahygiene/results
Shane Wiley I strongly support this definition as this meets current expectations and understanding of these terms as used with self-regulatory standards and supports baseline concepts captured in most privacy laws around the globe.
David Wainberg First, I strongly object to the inclusion of party definitions in the TPE:

1. There is no reason party definitions are necessary for the transmission of a user's DNT preference to a server, or for the server to respond that it has received the signal and to point the user to information regarding how it is honoring the signal.

2. In any case, the nature of a party is irrelevant. What matters, ultimately, for compliance, is the context in which data is collected and used. Compliance rules should be defined around context.

However, if the chairs intend to define parties at this time, despite objections, the TPWG should not use this option. I object to this option because it needlessly, without a relevant privacy-related rationale, discriminates against small independent companies that are affiliated by means other than ownership, and that may have substantial privacy protections in place. Compare these two examples:

1. A network of typosquatting or search spam sites that are commonly owned, along with a third party ad network, but without common privacy policies. In fact, they are without any user-visible privacy policy, and without any common branding except a list of affiliates linked from the footer. Under Option A, because the sites are commonly owned they can collect and use data across their entire network of sites, without regard to DNT.

2. A network of independent political blog publishers are affiliated by contract to use a third party to share data, and enable high value targeted ads across the network. The sites provide prominent notice of this to users that indicates data is being shared, and that makes a common set of strict privacy promises to users. Under this definition, the sites would be limited by DNT.

Obviously, the 2nd case would be a better experience for users. We should therefore create an opportunity and incentive for independent sites to adopt such models. Option A does not create such incentives.
Alan Chapell I respectfully object to option A. The bright-line distinction between first party and third-party is no longer meaningful – nor is the over reliance upon the distinction between ownership and contractual relationships that is embedded in Option A.

I’ve previously shared the following example with the working group:

In my example, there are two groups of websites.
Group A is owned by Justin, and group B is managed by Matthias.
Each website in group A has a different privacy policy and different privacy practices.
Each website in group B has a different privacy policy and different privacy practices.
Each website in group A has a link that clearly states "You are visiting a Justin-owned website"
Each website in group B has a link that clearly states "You are visiting a website on the Matthias network"
Each website in group A is presumably subject to some form of contract for serving ads across each of Justin's sites.
Each website in group B is definitely subject to a contract for serving ads across each of Matthias' sites.

Under Option A, Justin is allowed to track across his sites, but Matthias is not.

There is simply no sound policy justification for this distinction – and it will result in some perverse outcomes. For example, The Washington Post and Amazon are both chiefly owned by Jeff Bezos. Under Option A, those sites will be treated as one entity under DNT so long as they disclose this fact in their website terms. Conversely, in a hypothetical relationship between Zappos.com and the New York Times ---- Zappos would not be able to share tracking data pursuant to an agreement with the NY Times, even if both companies provided clear branding and otherwise took a privacy by design approach.

An over reliance upon the fiction that ownership equates to sound privacy practices creates incentives for consolidation. Big companies will get even bigger – resulting in more data collection across a small number of Internet behemoths. I respectfully encourage my colleagues in the working group who are advocates and regulators to keep this in mind – as many of them have both privacy and competition as part of their core mission.

Given the significant risk that large first parties will be exempt from DNT, it is difficult for any reasonable observer to understand how this will serve consumer privacy interests. In short: a good deal of current business practices will continue regardless of DNT status. The only change will be the types of entities doing the tracking.

I recognize that a good deal of our digital privacy rules to date were built upon first party / third-party distinctions. However, it is worth noting that many of those rules (e.g., the Network Advertising Initiative Code) were created over a decade ago – long before first parties were in possession of the technical capability to collect digital usage data across multiple contexts. Subsequent rules were built upon the foundation of the NAI Code – despite the fact that the marketplace had changed significantly over that time. I urge this working group not to continue building upon this quicksand of a foundation that has been rendered outdated by the marketplace.

One of the key takeaways from the FTC's recent workshop on the Internet of Things is that multiple factors should be considered (e.g., context and sensitivity of the types of data collected) when evaluating the efficacy of a privacy approach. I implore this working group not to use a 20th Century standard to solve the 21st Century challenge of DNT.

2. Objections to Option B: common ownership or contract

Option B: Common Ownership or Contract

For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be EITHER: commonly owned and commonly controlled OR enter into contract with other parties regarding the collection, retention, and use of data, share a common branding that is easily discoverable by a user, and describe their tracking practices clearly and conspicuously in a place that is easily discoverable by the user. Regardless, parties MUST provide transparency about what types of entities are considered part of the same party. Examples of ways to provide this transparency are through common branding or by providing a list of affiliates that is available via a link from a resource where a party describes DNT practices.

This option does not offer definitions of "first parties" or "third parties" because the proponents believe that the standard should apply contextually.

If you have an objection to this option, please describe your objection, with clear and specific reasoning.

Details

Responder Objections to Option B: common ownership or contract
Jeffrey Chester This is absurd and raises serious questions on the motivations of this industry dominated process. Entering into a contract is a please collect my data 24/7, cross all platforms card. There should not be a contract exemption for DNT.
Amy Colando While this proposal does not appear to rely on the subjective assessment of user’s intent, there are several editorial modifications needed to clarify text. For example, the first sentence appears to require that data processors must share common branding with data controllers in order to be considered a common party/service provider. It is not clear how the text in italics would help implementers determine their obligations. Overall we believe that option 1 will require less editing to finalize.
Rob van Eijk I object against this, due to the connection with contextuality by the proponents. Under option B, the boundaries of context would qualify as common party (commonly owned and commonly controlled OR enter into contract). In my view context is user centric, not corporate centric. For DNT to become a successful context negotiation mechanism it is essential not to pin down context without consulting the user first.
Brooks Dobbs
David Singer This definition is short, and that's nice, but it seems insufficiently precise. “describe tracking practices clearly and conspicuously in a place that is easily discoverable by the user” doesn’t seem well enough defined to be enforceable — what is “clearly and conspicuously” and “easily discoverable by the user”?
Mike O'Neill I object to Option B.
This is even vaguer than Option A. Entering into a contract or simply sharing a branding is far too loose a distinction to decide the context, and gives carte blanche for servers to arbitrarily decide it without regard for the user.
John Simpson I object to this definition in the strongest terms. As I understand this language ad networks could write contracts with sites, have the site display for example the DAA logo as a brand, include the DAA logo when it serves the ad, and everything would be considered the same site. Contracts and branding could make virtually *every* site the "same party." I strenuously object.
Jack Hobaugh
Shane Wiley I strongly object to this definition. This sets a horrible precedent for consumers by attempting to move 1st party relationships to contractual elements alone. The concepts of liability, accountability, and responsibility are lost in this approach and undermines already well understood and established definitions used today. Additionally, this definition creates immediate misalignment with existing self-regulatory standards that many, if not all, industry participants in this working group already comply with through well established programs.
David Wainberg
Alan Chapell

3. Document location

If you have an objection to including the party definition or definitions in the TPE document as well as the Compliance document, please describe your objection, with clear and specific reasoning.

Details

Responder Document location
Jeffrey Chester
Amy Colando
Rob van Eijk PREFERRED: the TPE doesn't need a party definition in order to stand on itself. Both option A and B obstruct DNT's requirement of global interoperability and raise many unresolved issues of intertwined compliance document discussions.
Brooks Dobbs Technical definitions make sense in the TPE, and compliance definitions make sense in a compliance document(s). If we find that the TPE is reliant on non-technical definitions then we have essentially found that the documents can't be meaningfully separated, which would seem in conflict with the choices offered by the last poll.

I would offer that a "party" definition is better addressed in a compliance document unless an argument is made that its definition in the TPE will have no subtleties which are later addressed in a compliance document.
David Singer
Mike O'Neill The TPE does not need a definition of parties and any assumption of implied consent should be left to the TCS.
John Simpson It seems logical to me that all the definitions should be listed in the Compliance document. If the definitions are finally agreed, I don't have a particular problem listing some of them in the TPE, but I don't see why it is at all necessary to do so. It would raise the question of why some would be listed and not others.
Jack Hobaugh In general, I object to the porting of a TCS compliance definition into the TPE. I feel strongly that the TPE should remain a pure protocol and technical specification document. Some have contended that some TCS definitions are needed in the TPE in order for the user to understand the choice that the user is making regarding the DNT signal. This is simply not the case. A technical specification need only specify the requests and responses necessary for a DNT protocol to be implemented in a scalable and implementable solution across all browsers and the servers called. A technical specification should not inform the user regarding a policy or compliance choice but instead should inform the technical community on how to implement a technical solution. The compliance specification for the DNT signal should be left to the compliance regime, whether it is a national compliance regime, a W3C-based compliance regime or an industry-based compliance regime. Porting definitions from a particular compliance regime into the TPE only serves to provide an incomplete and confusing picture to those attempting to implement the technical protocol.

To bring a definition of “party,” “first party,” and “third party” into the TPE does nothing to help the user understand his or her DNT preference. Again, the user preference is fairly simple - to send or not send a DNT signal. Such a preference is easily supported by the TPE without importing definitions from the TCS.
Shane Wiley
David Wainberg
Alan Chapell I object to porting compliance definitions into the TPE.

More details on responses

  • Jeffrey Chester: last responded on 20, November 2013 at 18:17 (UTC)
  • Amy Colando: last responded on 20, November 2013 at 22:10 (UTC)
  • Rob van Eijk: last responded on 20, November 2013 at 22:27 (UTC)
  • Brooks Dobbs: last responded on 20, November 2013 at 22:48 (UTC)
  • David Singer: last responded on 20, November 2013 at 23:35 (UTC)
  • Mike O'Neill: last responded on 21, November 2013 at 00:02 (UTC)
  • John Simpson: last responded on 21, November 2013 at 00:09 (UTC)
  • Jack Hobaugh: last responded on 21, November 2013 at 03:50 (UTC)
  • Shane Wiley: last responded on 21, November 2013 at 04:32 (UTC)
  • David Wainberg: last responded on 21, November 2013 at 04:51 (UTC)
  • Alan Chapell: last responded on 21, November 2013 at 05:59 (UTC)

Everybody has responded to this questionnaire.

