Privacy/TPWG/Change Proposal Party Definitions

From W3C Wiki
< Privacy‎ | TPWG

FINAL CANDIDATES FOR CONSIDERATION

Option A: Common Ownership; First and Third Party

A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user. Common branding or providing a list of affiliates that is available via a link from a resource where a party describes DNT practices are examples of ways to provide this discoverability.

Within the context of a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with another party.

In some cases, a resource on the Web will be jointly controlled by two or more distinct parties. Each of those parties is considered a first party if a user would reasonably expect to communicate with all of them when accessing that resource. For example, prominent co-branding on the resource might lead a user to expect that multiple parties are responsible for the content or functionality.

For any data collected as a result of one or more network interactions resulting from a user's action, a third party is any party other than that user, a first party for that user action, or a service provider acting on behalf of either that user or that first party.

Option B: Common Ownership or Contract

For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be EITHER: commonly owned and commonly controlled OR enter into contract with other parties regarding the collection, retention, and use of data, share a common branding that is easily discoverable by a user, and describe their tracking practices clearly and conspicuously in a place that is easily discoverable by the user. Regardless, parties MUST provide transparency about what types of entities are considered part of the same party. Examples of ways to provide this transparency are through common branding or by providing a list of affiliates that is available via a link from a resource where a party describes DNT practices.

This option does not offer definitions of "first parties" or "third parties" because the proponents believe that the standard should apply contextually.

PRIOR PROPOSALS

(0) Editors' Draft Text

2.4 Party

A party is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person. For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be commonly owned and commonly controlled and MUST provide easy discoverability of affiliate organizations. A list of affiliates MUST be available through a single user interaction from each page, for example, by following a single link, or through a single click.

2.6 First Party

In the context of a specific network interaction, the first party is the party with which the user intentionally interacts. In most cases on a traditional web browser, the first party will be the party that owns and operates the domain visible in the address bar.

The party that owns and operates or has control over a branded or labeled embedded widget, search box, or similar service with which a user intentionally interacts is also considered a first party. If a user merely mouses over, closes, or mutes such content, that is not sufficient interaction to render the party a first party.

In most network interactions, there will be only one first party with which the user intends to interact. However, in some cases, a resource on the Web will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessing that resource. User understanding that multiple parties operate a particular resource can, for example, be accomplished through inclusion of multiple parties' brands in a domain name, or prominent branding on the resource indicating that multiple parties are responsible for content or functionality on the resource with which a user reasonably would expect to interact by accessing the resource. Simple branding of a party, without more, will not be sufficient to make that party a first party in any particular network interaction.

2.7 Third Party

A third party is any party other than a first party, service provider, or the user.

Whether a party is a first or third party is determined within and limited to a specific network interaction.

Proposal (1): Infer with high probability, knowing and intentional communication

Proposal from Lee Tien: email; issue-10

This would replace the existing text in sections 2.4 Party, 2.6 First Party, and 2.7 Third Party.

New text

A party is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person.

A first party is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third party.

A third party is any party, in a specific network interaction, that cannot infer with high probability that the user knowingly and intentionally communicated with it.

Proposal (2): Make affiliate list an example

Combined proposal (Proposal from Amy Colando. Proposal from Chris Pedigo.)

This is a replacement for last two sentences in section 2.4 Party

New text

For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be commonly owned and commonly controlled. Parties MUST provide transparency about what affiliates are considered part of the same party. Examples of ways to provide this transparency are through common branding or by providing a list of affiliates that is available via a link from a resource where a party describes DNT practices.

Proposal (3): Remove qualifier on Party and reduce to definition

Proposal from Roy Fielding.

This is a replacement for section 2.4 Party

New text

A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user.

Rationale

The type of organization is irrelevant unless we intend to exclude some types. This is a definition, so there is no need to qualify. There are no pages here. Pages are only relevant to a first party web site, which is only a subset of party and doesn't even encompass all first party resources. Requirements belong in later sections, where they can be associated with specific situations (like the website, where pages exist).

Proposal (4): Remove address bar on First Party and address more than one first party per user action

Proposal from Roy Fielding.

This is a replacement for section 2.6 First Party

New text

Within the context of a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with another party.

In some cases, a resource on the Web will be jointly controlled by two or more distinct parties. Each of those parties is considered a first party if a user would reasonably expect to communicate with all of them when accessing that resource. For example, prominent co-branding on the resource might lead a user to expect that multiple parties are responsible for the content or functionality.

Rationale

The address bar isn't relevant until a page is rendered, which may be several requests after the initial request caused by a user action. The first party needs to be known to the user before they do their action; otherwise, they can't possibly have an intention to interact with them. Likewise, "owns and operates" assumes that the first party is operating its own service, which isn't true in general unless we include the first party's service providers inside the definition of first party. Since this spec does not do so, it cannot say that the first party is operating anything.

The paragraph on "mousing over" is largely redundant, aside from the single sentence exclusion.

A first party is *a* party that the user believes it will be interacting with as a result of making an action, and this often has more to do with the content that evoked the desire to make a given action rather than the end-result of that action. If the user is presented with a logo for Tennessee Fried Bunnies overlaid with a hypertext link, the user's intention when selecting that link will be to get more information about TFB. They might, as a result of that intention, be aware that the link is to search.example.com, which is presenting the link in a page of search results, and that selecting the link will make a first party request to search.example.com that results in a redirect pointing to a resource owned by TFB, to which the user agent will make another first party request to a domain unknown to the user that they will later find out (via the address bar) to be "http://www.tennessee-fried-bunnies.com/order/". In other words, there will often be multiple first parties for a single user action.

Proposal (5): Make Third Party definition be with respect to data collected rather than existential

Proposal from Roy Fielding.

This is a replacement for section 2.7 Third Party

New text

For any data collected as a result of one or more network interactions resulting from a user's action, a third party is any party other than that user, a first party for that user action, or a service provider acting on behalf of either that user or that first party.

Rationale

The existing text is stated as if these are existence classifications (person, cat, horse) rather than roles with regard to data collected as a result of a specific network interaction. That is a problem because a first party on one interaction may be a third party on other interactions, and data collected while acting as a first party has different requirements from data collected while acting as a third party, and being a service provider only matters when acting on behalf of that user or that first party.

Proposal (6): Ownership or Contract

Proposal from Alan Chapell.

This is a replacement for last few sentences in section 2.4 Party.

New text

For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be EITHER: commonly owned and commonly controlled OR enter into contract with other parties regarding the collection, retention, and use of data, share a common branding that is easily discoverable by a user, and describe their tracking practices clearly and conspicuously in a place that is easily discoverable by the user. Regardless, parties MUST provide transparency about what types of entities are considered part of the same party. Examples of ways to provide this transparency are through common branding or by providing a list of affiliates that is available via a link from a resource where a party describes DNT practices.

Rationale

Strong contractual provisions and branding provide a level of privacy protections for consumers that is at least as good as Common ownership and branding.

Proposal (7): Affiliate list available through more than one action

Proposal from Jack Hobaugh.

Strike "single" from easy discoverability requirements.

Text change

For unique corporate entities to qualify as a common party with respect to this document, those entities MUST be commonly owned and commonly controlled and MUST provide easy discoverability of affiliate organizations. A list of affiliates MUST be available through a single user interaction from each page, for example, by following a single link, or through a single click.