As we’ve continued to follow (and update you) on the ongoing W3C process, which seeks to create a standard for a universal Do Not Track Tool, the issue of figuring out who is a first party and who is a third party keeps popping up, again and again, as a key sticking point between stakeholders.
Why is it important to define who’s who? Because a Do Not Track standard would only minimally impact first parties, while imposing severe restrictions on third parties’ abilities to collect and use information about you on the Web.
Figuring out who is a first party and who is a third party is easy most of the time. If I’m browsing Amazon.com, looking to buy books or DVDs, then Amazon is clearly a first party. I have intentionally chosen to access its site and view its products. On the other hand, if I’m reading an article and in the background, without my knowledge, and ad network is collecting information about me to show me personalized ads, that ad network is a third party.
But what happens when one parent company owns two separate businesses, for example, a candy company and a car insurance company? If I order a box of chocolates from the candy company, should my information automatically be shared with the car insurance company, simply because both are owned by the same parent company?
During the 5th W3C meeting held last week in Washington, DC, Stanford researcher Jonathan Mayer, in conjunction with the Electronic Frontier Foundation (EFF) and the open source software project Mozilla, proposed a rule that would prevent separate businesses owned by the same company from both being considered “first parties” and thus being able to freely share information with each other.
Their proposal looks to user expectation as the primary determinant, not to company ownership. Would consumers expect that the two businesses are actually connected, and thus able to share information between them? One way to make it clear that two sites are connected is through co-branding by, for example, using prominent language like “Brand A, provided by Company B.”
Industry members tend to share the view that businesses owned by the same parent company should be able to share consumer data across company affiliates, even if a user has clicked the Do Not Track button, so as to avoid unnecessary costs and limitations. But consider the fact that some holding companies own a great number of unrelated businesses, all of which would become “first parties” for information sharing purposes if you gave your data to just one.
Our take: Reasonable consumer expectations should determine whether data can be shared or not. If there’s no way to tell that two companies are affiliated, then the average consumer would probably not expect that by giving his information to one, he is also sharing it with the other.