- From: Ashkan Soltani <ashkan.soltani@gmail.com>
- Date: Sun, 30 Oct 2011 10:50:05 -0700
- To: Mike Zaneis <mike@iab.net>
- Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <CAK6Xr4XH3_XYJHov7N=jGSY08ZtRkT96i4BGRPg+QB1GXA6WNg@mail.gmail.com>
FWIW In 2009, we looked into this issue somewhat in 2009 and found that many large web companies can have as many as 2000 'affiliates' based on the GLB definition <http://www.sec.gov/rules/final/34-42974.htm#P84_20157> (average was 297). Summary here <http://knowprivacy.org/affiliates.html> and full report <http://knowprivacy.org/full_report.html>. Additionally, the privacy policies of most of these sites stated that they shared data with affiliates<http://knowprivacy.org/images/policies_large.jpg> but they did not share data with 3rd parties. I think one issue here is that most consumers would not immediately comprehend this technical distinction and would potentially consider a company like Fox separate from say the social network, Myspace. Perhaps something to consider as we work through these definitions. -a On Sun, Oct 30, 2011 at 6:37 AM, Mike Zaneis <mike@iab.net> wrote: > Jonathan, this is a very helpful discussion, providing the scenarios and > possible real examples. My only comment is that I believe your second > possible definition - legal business relationships - is overly broad. The > corporate ownership factor is correct, but I don't think most/anyone would > argue that a contract with a non-related company would make that company a > first party (it could make them an agent of the first party if the data is > only used for the benefit of the first party, but that is a different > discussion). Most U.S. laws treat legal "affiliates", companies with some > common ownership, as first parties (i.e. ESPN and ABC are treated as first > party to the parent company Disney). I think that is the more useful straw > man to use for this discussion. > > Mike Zaneis > SVP & General Counsel, IAB > (202) 253-1466 > > On Oct 29, 2011, at 1:11 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote: > > > (ACTION-25) > > > > As I understand it, there are four camps on how to distinguish between > first parties and third parties. > > > > 1) Domain names (e.g. public suffix + 1). > > > > 2) Legal business relationships (e.g. corporate ownership + affiliates). > > > > 3) Branding. > > > > 4) User expectations. > > > > Here are some examples that show the boundaries of these definitions. > > > > Example: The user visits Example Website at example.com. Example > Website embeds content from examplestatic.com, a domain controlled by > Example Website and used to host static content. > > > > Discussion: Content from the examplestatic.com domain is first-party > under every test save the first. > > > > Example: Example Website (example.com) strikes a deal with Example > Affiliate (affiliate.com), an otherwise unrelated company, to share user > data. The user visits Example Website, and it embeds content from Example > Affiliate. > > > > Discussion: Content from Example Affiliate is third-party under every > test save the second. > > > > Example: Example Website embeds a widget from Example Social Aggregator. > The widget includes a prominent logo for Example Social Aggregator, though > a user is unlikely to recognize it. > > > > Discussion: Content from Example Social Aggregator is third-party under > every test save the third. > > > > > >
Received on Sunday, 30 October 2011 17:51:39 UTC