dnt-policy
Evaluating common third party embeds/references
The DNT policy says this about use of third parties:
3. OTHER DOMAINS:
a. If this domain transfers identifiable user data about DNT Users to
contractors, affiliates or other parties, or embeds from or posts data to
other domains, we will either:
b. ensure that the operators of those domains abide by this policy overall
by posting it at /.well-known/dnt-policy.txt via HTTPS on the domains in
question,
OR
ensure that the recipient's policies and practices require the recipient
to respect the policy for our DNT Users' data.
OR
obtain a contractual commitment from the recipient to respect this policy
for our DNT Users' data.
NOTE: if an “Other Domain” does not receive identifiable user information
from the domain because such information has been removed, because the
Other Domain does not log that information, or for some other reason, these
requirements do not apply.
I'm considering how a site like 18f.gsa.gov, which uses one third party on every page (Google Analytics), and some third parties on individual blog posts (YouTube, Twitter, Storify, etc.), should view this part of the policy.
It's not totally clear to me how to evaluate the impact of embedding a tweet. By exposing our users' user agents and IP addresses to Twitter.com and Storify.com, do we need to verify that they are compliant with this DNT policy (or strike up a contract?) in order for our website to be considered compliant?
This is definitely going to be important post-launch work. We should also evaluate hosting platforms and CDNs to ensure that they are DNT compatible, and whether they are DNT compatible by default.
Heya, @konklone and @pde... this is definitely one of the first questions we asked ourselves here at CDT looking at the 1.0 policy: is there a rubric or list of common embeds as to their compliance? I think we have essentially the same set of small embeds that @konklone lists: GA on each page (with IP "anonymization") and then twitter and youtube embeds on some tiny fraction of pages served (embedded by perhaps non-technical/non-legal staff).
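Added example, not part of the thread or the dnt-policy project: a first pass at the inventory the comments above ask about, listing the hosts a page's static embeds contact and the `/.well-known/dnt-policy.txt` URL that clause 3b says a compliant domain would post. The sample page, `SRC_TAGS`, `EmbedCollector` and `third_party_policy_urls` are constructed for illustration, and treating subdomains of the site as first party is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src makes the browser contact the named host on page load.
SRC_TAGS = {"script", "iframe", "img", "embed", "video", "audio", "source"}

class EmbedCollector(HTMLParser):
    """Collect URLs that a browser fetches automatically when rendering."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # This sketch counts only rel=stylesheet; rel=canonical is never fetched.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self.urls.append(attrs["href"])
        elif tag in SRC_TAGS and attrs.get("src"):
            self.urls.append(attrs["src"])

def third_party_policy_urls(html, first_party_host):
    """Map each third-party host in html to the policy URL to verify."""
    collector = EmbedCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative paths
        if not host:
            continue
        # Assumption: subdomains of the first party count as first party.
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        hosts.add(host)
    return {h: f"https://{h}/.well-known/dnt-policy.txt" for h in sorted(hosts)}

# Constructed sample page, not taken from the real site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/assets/css/main.css">
<link rel="canonical" href="https://example.org/post">
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<a href="https://twitter.com/example">plain link, no request on load</a>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script async src="//platform.twitter.com/widgets.js"></script>
<img src="https://18f.gsa.gov/assets/img/logo.png">
</body></html>"""
```

This static pass misses hosts that embedded scripts contact at run time, and a posted policy file addresses only the first of the three options in clause 3.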