This draft begins to take up issues that could benefit from additional nuance for specific locales. This entire document is non-normative. We might consider publishing it as a stand-alone W3C note, rather than as part of a specification.

Note well: this document does not reflect any consensus in the Tracking Protection Working Group. For the moment it is best thought of as a collection of notes for areas we need to address.


Can we do this per topic, or must we look per region or per country?


EU needs consent anyway by law (very explicit in Directive 2002/58EC).

Geolocation API requires consent; could use a pointer.


In the US: Rule 405 promulgated by the SEC under the Securities Act of 1933 codifies the common contractual understanding of an "affiliate" as follows:

Affiliate. An affiliate of, or person affiliated with, a specified person, is a person that directly, or indirectly through one or more intermediaries, controls or is controlled by, or is under common control with, the person specified.

From the same Rule, the definition of "control" is as follows:

Control. The term control (including the terms controlling, controlled by and under common control with) means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract, or otherwise.

In the EU: data controllers are responsible for the actions of data processors. In the US: no such legal responsibility. Would be good to add a pointer on the EU side.

Specific Consent

(Taken from an email thread Roy wrote; this seems to capture some important points we should spell out more to those who are new to the topic. Quite what we need to say depends on what the specs turn out to be. But let us remember to add pointers for context and consent.)

The EU regulations, individual state regulations, and proposed US policies all require that the consent be contextual/informed (the user knows why it is being requested and how the data will be used) and that any use or sharing outside of the established consent/context requires an additional consent. [...] A lot of people (including Rigo) assume that DNT is specific to advertising. That simply isn't the case. It is not true of our documents, it is not true of the regulations, and it is not true for the composition of our WG.

Data Controller and Processor

In essence there are three categories of entities, as discussed in European privacy parlance, that map onto the parties in the DNT debate:

  1. The party who determines the purposes, conditions and means of the data processing will be the data controller
  2. The party who processes data on behalf of the controller and a separate
  3. legal entity than the controller is the data processor. The data processor acts on behalf of the data controller. The relationship between both parties is bound by a legal contract.
  4. Any other party who have no specific legitimacy or authorization in processing personal data is a third party as in the residual category of actors.

Multi-parties: there can be use-cases where a controller determines the purposes, conditions and means of the data processing jointly with others, the joint controllers must determine the respective responsibilities for compliance.

There is overlap with the technical terms used in our discussions. The outcome is:

  1. 1st Party (Data Controller)
  2. Service Provider (Data Processor), because of contractual relation to the Data Controller
  3. 3rd Party (3rd Party)

For the EU, the outsourcing scenario is clearly regulated. In the current EU Directive 95/46/EC, but also in the suggested regulation reforming the data protection regime, an entity using or processing data is subject to data protection law. A First Party (EU: data controller) is an entity or multiple entities (EU: joint data controller) who determines the purposes, conditions and means of the data processing will be the data controller. A service provider (EU: data processor) is an entity with a legal contractual relation to the Data Controller. The Service Provider does determine the purposes, conditions and means of the data processing, but processes data on behalf of the controller. The data processor acts on behalf of the data controller and is a separate legal entity. An entity acting as a first party and contracting services of another party is responsible for the overall processing. A third party is an entity with no contractual relation to the Data Controller and no specific legitimacy or authorization in processing personal data. If the third party has own rights and privileges concerning the processing of the data collected by the first party, it isn't a data processor anymore and thus not covered by permitted uses. This third party is then considered as a second data controller with all duties attached to that status. As the pretensions of users are based on law, they apply to first and third party alike unless the third party acts as a mere data processor.