Privacy/TPWG/Change Proposal First Party Compliance

From W3C Wiki
< Privacy‎ | TPWG

Existing text in Editors' Draft

issue-170

4. First Party Compliance

If a first party receives a DNT:1 signal the first party MAY engage in its normal collection and use of data. This includes the ability to customize the content, services, and advertising in the context of the first party experience.

The first party MUST NOT share data about this network interaction with third parties who could not collect the data themselves under this recommendation. Data about the transaction MAY be shared with service providers acting on behalf of the first party.

A first party MAY elect to follow the rules defined here for third parties.

Proposals regarding Data Append

Proposal (1): Rephrase to avoid "normal" collection and use

Proposal from Vinay Goel. (Vinay also proposes striking the elect to follow paragraph; see above.)

This text would replace the first paragraph "If a first party receives a DNT:1 signal ..."

New text

If a first party receives a DNT:1 signal, the first party MAY collect, retain, and use data to both analyze usage and customize the content, services, and advertising within the context of a first party experience. A first party MAY share data about this network interaction with its service providers, but it MUST NOT share data about this network interaction with third parties.

Proposal (2): Prohibit Append and Use in Third Party Context

Proposal from John Simpson: email; issue-170

Updated with friendly amendments from Mike O'Neill and John Simpson on June 11 via email

See also issue-219 and Privacy/TPWG/Change Proposal Limitations on use in Third Party Context.

This text would be in addition to existing First Party Compliance requirements in the editors' draft.

New text

When DNT:1 is received:

  • A 1st Party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a 1st Party.
  • A 1st Party MUST NOT share identifiable data with another party unless the data was provided voluntarily by, or necessary to supply a service explicitly requested by, the user.
  • A Party MUST NOT use data gathered while a 1st Party when operating as a 3rd Party.
  • A 1st Party MAY elect further restrictions on the collection or use of such data.

Old proposals no longer being considered under this issue

Proposal (x): Prohibit sharing outside the context

Proposal by Mike O'Neill (email and amendment)

If a 1st Party receives a request with DNT:1 set then data regarding or identifying the user initiating the request MUST NOT be shared between Parties outside the context of the request, other than between the 1st Party and its service providers or for permitted uses as defined within this recommendation. A 1st Party MAY elect further restrictions on the collection or use of such data.

Proposal (x): Strike first party electing third party compliance

Proposal from Susan Israel and Chris Pedigo

Remove the following paragraph in current ED:

A first party MAY elect to follow the rules defined here for third parties.

Proposal (x): Elect more restrictive

Proposal from Rigo Wenning

This text would replace "A first party MAY elect to follow the rules defined here for third parties."

New Text

First parties MAY elect to be more restrictive in their data collection practices than proscribed in this Specification. If first parties only collect data as permitted for third parties when receiving a DNT:1 header, they can indicate this according to the tracking status message as set forth in the Tracking Preference Expression Specification. This also allows them to use DNT:0 as a permission mechanism for regulated environments.