diff --git a/ua_policy_proposal.md b/ua_policy_proposal.md index 71bc21d..06e6abc 100644 --- a/ua_policy_proposal.md +++ b/ua_policy_proposal.md 
@@ -1,17 +1,16 @@ # UA Policy Proposal -First-Party Sets aims to define the notion of "first-party" as a technical construct that can be used by browsers in development of tracking protections in browsers. [The W3C Do Not Track (DNT) specification defines a ‘party'](https://www.w3.org/TR/tracking-compliance/#party) as having: +First-Party Sets aims to define the notion of "first-party" as a technical construct that can be used by browsers in development of tracking protections in browsers. The first party is defined as a common "controller" having a "group identity that is easily discoverable by a user." -1. Common owners and common controllers -2. "A group identity that is easily discoverable by a user" +"Controller" is defined as in the [General Data Protection Regulation](https://gdpr-info.eu/art-4-gdpr/), as the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." -The DNT definition of ‘party' converge with the findings and recommendations of the 2012 Federal Trade Commission report titled "[Protecting Consumer Privacy in an Era of Rapid Change](https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf)". This report also recommends, for the sake of user transparency: +This definition of ‘party' aligns with the findings and recommendations of the 2012 Federal Trade Commission report titled "[Protecting Consumer Privacy in an Era of Rapid Change](https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf)". (pp. 40-41) This report also recommends, for the sake of user transparency: 3. 
"Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices." We propose that First-Party Sets will utilize these three principles as the cornerstones of its policy, to ensure sets are transparent and set defined limits of data access: -+ Domains must have a common owner, and common controller. ++ Domains must have a common controller. + Domains must share a common group identity that is easily discoverable by users. + Domains must share a common privacy policy that is surfaced to the user via UI treatment (e.g. on the website footer). 
@@ -32,11 +31,11 @@ We recommend that browsers supporting First-Party Sets work together to: # Responsibilities of the Site Author -+ Maintain accuracy in self declaration of common ownership and controllership of the domains listed in a First-Party Set formation request. - + This means that changes in ownership/controllership must be followed up with a request for changes in the site's First-Party Set within _XX [to be determined]_ days. ++ Maintain accuracy in self declaration of common controllership of user data collected as a result of user interactions with the domains listed in a First-Party Set formation request. + + This means that changes in controllership must be followed up with a request for changes in the site's First-Party Set within _XX [to be determined]_ days. + Make domain affiliations easily discoverable to the user. As a best practice, site authors should strive to make domain affiliations easily observable to the user, such as through common branding. + Use First-Party Sets as a mechanism to enable user journeys, and improved user experience across related domains. -+ Where relevant, site authors may choose to form multiple, disjoint First-Party Sets. In other words, it is not required that all domains owned and controlled by an organization must be part of a single First-Party Set. We recommend that site authors strive to create sets consistent with user understanding and expectations. ++ Where relevant, site authors may choose to form multiple, disjoint First-Party Sets. In other words, it is not required that all domains controlled by an organization must be part of a single First-Party Set. We recommend that site authors strive to create sets consistent with user understanding and expectations. # Responsibilities of Independent Enforcement Entity @@ -52,12 +51,12 @@ For each element of the First Party Set policy, we propose an enforcement method
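Review bot: In the first hunk (@@ -1,17 +1,16 @@), the new definition rests entirely on the GDPR "controller", which the quoted text defines as acting "alone or jointly with others", and the policy bullet is reduced to "Domains must have a common controller", so the text no longer says whether domains run by separate organizations acting as joint controllers can form one set. Common ownership was the only other constraint on membership and it is removed here, so I suggest stating explicitly whether joint controllership qualifies. Two smaller points in the same hunk: removing list items 1 and 2 leaves the unchanged context item "3." orphaned, and the phrase "group identity that is easily discoverable by a user" is still in quotation marks although the DNT link that sourced it is gone, so the quote is now unattributed.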
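Review bot: In the second hunk (@@ -32,11 +31,11 @@), the first responsibility now scopes the declaration to "common controllership of user data collected as a result of user interactions with the domains", while the policy bullet changed in the first hunk says only "Domains must have a common controller". The two should use the same wording, so that it is unambiguous what the site author attests to and what an enforcement entity would check. The follow-up sub-bullet also keeps the "_XX [to be determined]_ days" placeholder; with ownership dropped, a change in controllership is the only trigger for updating a set, so the deadline is worth settling or tracking as an open issue before this lands.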