4 Issues with W3C’s Privacy Principles

Consumer privacy is vital to the functioning of the World Wide Web and is important to protect as a human right.[1] Only consumers understand their interests. As such, only consumers can make decisions about who they share their identity-linked personal data with.

Consumers make decisions based on factors including brand recognition, their understanding of the agreement, laws and rules, and the risk of harm. The W3C proposes restricting consumer sovereignty, interfere in trust choices between service providers and consumers, and fuels misinformation for the benefit of well recognised brands.

It would be a matter of concern for policy makers if consumer sovereignty were undermined or usurped by corporate interests.

The W3C Privacy Principles need to assist consumers, not perpetuate the goals of highly recognisable brands.

1. Consumer Sovereignty

Consumer sovereignty underpins consumer protection, and antitrust laws worldwide.

Consumer sovereignty is a principle that puts consumers in the driving seat in open market economies. Consumers making choices in their own interest informs producers to know what to make, shaping markets to deliver what consumers want. It is the “invisible hand” in liberal markets. However:

  • Information is needed to enable consumers to make effective choices;
  • Informed choice requires independent and impartial evidence; and
  • Consumers not being well informed, or a belief that they lack the cognitive ability to make a choice, does not justify taking their choice away.

Consumers can be confused, misled and misinformed. Consumer protection laws and advertising laws seek to prevent misinformation and facilitate free choice. Laws exist to impose liability for misrepresentation and misleading statements. Deceptive promotion and advertising tactics that prey on risk aversion and other human frailty are illegal in many countries.

While we would agree with Section 4 of the W3C Privacy Principles which seeks to articulate user control and autonomy in a way that is consistent with consumer sovereignty, the W3C Privacy Principles then undermine consumer sovereignty[2] and privacy protections, replacing them with “appropriate data processing”. This leap removes the decision concerning “appropriateness” from the consumer, fails to explain how the user can be informed, and imposes restrictions on the supply chains of service providers in convention of guidance from policy makers.[3]

2. First Party/Third party

The internet domain associated with the data controller[4] that controls a cookie is either first or third party depending on where it is accessed from (see Google statement[5]). There is therefore no difference between the first or the third-party cookie from a privacy perspective: it is the same cookie.

Privacy is concerned with the taking of personal data without meaningful consent (or appropriate privacy-by-design protections aimed at reducing risks to consumers). There is no relationship between ‘first’ and ‘third parties’ and privacy.[6] Both first and third parties can each harm consumers in exactly the same way. The CMA also called out Google’s attempt, in the First Party sets proposal, to include corporate groups into the definition of ‘first party’ as a form of discrimination if Google blocks third parties.[7] The W3C Privacy Principles ignore this and seek to reintroduce the debate about first party being ‘good’ and the set of websites controlled by a first party being in some way entitled to take personal data.[8]

We should focus privacy-preserving principles towards the likelihood and severity of harm to each single living individual and towards determining what the appropriate notice and choice presented to people is, prior to engaging in specific online activity. All references to ‘first’ and ‘third’ party exemptions must be removed entirely and replaced with the language of ‘data controller’ and ‘processor’. MOW, 51Degrees, Google, and the CMA have accepted this position; Google, when they entered into the February 2022 commitments with the CMA. Should Google’s involvement and contribution to the Principles breach its commitments, it must withdraw from any further participation on the document.

In the UK, it is for the ICO to disseminate the correct definitions of these terms and encourage their proper use. This public function should not be delegated to the W3C, and instead the guidance provided by the ICO in 2021 onwards[9] should be respected above collaborative documents at the W3C.

MOW explain how the myth associated with first party data benefits the largest brands in this three-minute animation.[10]

3. Trust and Transparency  

Trust is central to human relationships and is a founding principle of the World Wide Web.[11] Trust is based on confidence that promises will be made and kept. W3C Members contract with each other to maintain the Open Web for the good of all, not the few.

The World Wide Web is designed as a decentralised system to connect and build trust between those that have not yet met.[12] The Open Web is about open connection, communication, and engagement, allowing new insights to be supplied to consumers in new ways from a variety of different sources.[13]

Lack of transparency undermines trust. Higher levels of privacy protection are created when transparency incentivises service providers to respect people’s trust choices, and people know that transparency will expose wrongdoing. Transparency across an ecosystem also enables good actors to prove they are indeed good actors, and for the community to weed out bad actors. For consumers to benefit from these higher protections, all suppliers should be free to meet different consumers’ preferences.

Since privacy is a non-price factor of competition,[14] rules limiting the variety of offerings that may be made by suppliers should be avoided.

When stating that “privacy is essential to trust”, the W3C Privacy Principles misstate what privacy is and conflate trust with keeping information between consumers and a business secret.[15] They condition the environment of standards setting to place limitations on the development of the web that will impose a level of “protection” that is agreed among a small number of big companies in the interests of those big companies. Merely substituting a gatekeeper’s own business-to-business processing of personal data to make up for impairing rivals identical processing does nothing to improve consumer privacy.

Internet gatekeepers seek to use their consumer-facing brand to entrench their position in adjacent business-to-business markets. Since the definitions allow multiple entities operating under shared common ownership, they risk masking competition on the merits of products from less well-known rivals. They are able to do this by creating their own standards that given their power to exclude rivals from access, stifles innovation and choice for both businesses and consumers. Although these standards are not legally binding, they become a ‘de facto’ standard, given the dominance of the web-enabled consumer operating system or browser puts pressure on digital businesses to abide by the unilaterally dictated policies. Standards created by these branding giants must be analysed carefully to ensure collusive activity is kept at bay.[16]

4. Competition

The European Commission is currently in the process of revising its Guidelines on cooperation between rivals,[17] the draft for which recognizes that the implementation of a ‘hub-and-spoke’ model to facilitate anticompetitive cooperation between rivals in the context of indirect information and data exchange.[18] Applied to Google and Apple, which have preliminarily been found to enjoy substantial market power in their respective mobile ecosystems by the CMA,[19] both companies could form the spokes, and could theoretically implement independent privacy standards, which would serve as a hub between the two. This could potentially facilitate both horizontal and vertical anticompetitive effects.

Next Steps

The W3C must now abandon the W3C Privacy Principles as drafted for at least the reasons explained. If W3C wish to establish privacy principles in standards setting and ensure they do not breach the W3C Member Agreement by consciously splintering the web they must align behind the position agreed between Google and the CMA where GDPR is both the floor and the ceiling. As a prospective Delaware 501c legal entity,[20] W3C are not free to lobby for regulatory change,[21] or immune from competition law.

[1] As recognized by the European Convention on Human Rights, Article 8. The Consolidated Treaty on the European Union, Article 2 recognizes respect for human rights, and therefore privacy, in the EU.

[2] E.g. where the Principles discuss ‘Context and Privacy’ (at 2.4) being determined by someone (other than the consumer), and when determining “appropriate” and hence “inappropriate” use. The Principles discuss a norm being violated as determined by someone other than the consumer: “A norm violation can be for instance the exfiltration of personal data from a context or the lack of respect for transmission principles. When norms are respected in a given context, we can say that contextual integrity is maintained; otherwise that it is violated.”

Also, statements about the ‘Vegas Rule’ (i.e., what happens with a first party stays with the first party) (see 2.2) prevents consumers from choosing otherwise.

[3] See 2.4. “We define privacy as a right to appropriate data processing. A privacy violation is, correspondingly, inappropriate data processing [PRIVACY-IN-CONTEXT]. Note that a first party can be comprised of multiple contexts if it is large enough that people would interact with it for more than one purpose. Sharing personal data across contexts is, in the overwhelming majority of cases, inappropriate”.

[4] Article 4 GDPR defines ‘controller’ as those who ‘determine the purposes and means of the processing of personal data’.

[5] Google, “Developers: Get Ready for New SameSite=None; Secure Cookie Settings“, (23 October 2019): “If the domain associated with a cookie matches an external service and not the website in the user’s address bar, this is considered a cross-site (or “third party”) context. Less obvious cross-site use cases include situations where an entity that owns multiple websites uses a cookie across those properties. Although the same entity owns the cookie and the websites, this still counts as cross-site or “third party” context when the cookie’s domain does not match the site(s) from which the cookie is accessed.

[6] This has been confirmed by the CMA and ICO in their Joint Statement on Competition and data protection in digital markets, 19 May 2021, page 11: “A cookie is generally identified as being first-party if the domain of the cookie matches the domain of the page visited and as being third-party in instances where the domain of the cookie does not match the domain of the website. This is not a rigid distinction. Some functions typically delivered through third party cookies can be done via first party cookies, even if a third party’s code and associated service is still involved.”

[7] See CMA’s Notice of intention to accept commitments offered by Google in relation to its Privacy Sandbox Proposals, 11 June 2021, para 5.49 et ff. See also the CMA’s Decision to accept commitments from Google, 11 February 2022.

[8] The ICO explicitly rejected first party exemptions in its November Opinion: “As highlighted in the joint statement, a distinction is often drawn between the concepts of “first party” and “third party” when used both in web standards and industry definitions of data use 97. The Commissioner is aware of a view by market participants about how data protection law regards these concepts. For example, that first party has an inherently lower risk than third party. The Commissioner rejects this view.” (ICO, Opinion, November 2021).

[9] See the ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance

[10] Movement for an Open Web, Animation: An Open Web for Everyone, 13 October 2021.

[11] So much so that the Open Web Foundation believes that the “open web is built on technologies that are created as part of its vision”.

[12] The W3C recognises the importance of trust on the Web, and that “technology design can foster trust and confidence” as part of its Vision.

[13] The W3C acknowledges this in its own Mission Statement: “one of the W3C’s primary goals is to make [the social value of the Web] available to all people, whatever their hardware, software, network infrastructure …”.

[14] Tim Cowen, Claire Barraclough and Josh Koran, ‘”Privacy Fixing” after Texas et al v. Google and CMA v. Google (Privacy Sandbox): Approaches to Antitrust Considerations of Privacy’, Competition Policy International, January 26, 2021.

[15] Under the ‘Vegas Rule’. See 2.2.

[16] European Commission Guidelines on the applicability of Article 101 TFEU (Horizontal Guidelines). See paras 305-307: “Even though non-binding, those standard terms would become a de facto standard, the effects of which are very close to a binding standard and need to be analysed accordingly”.

[17] Draft Revised Horizontal Guidelines.

[18] Draft Revised Horizontal Guidelines, para 436: “Platforms may also be used to impose operational restrictions on the system preventing platform users from offering lower prices or other advantages to final customers … a common agency, such as a trade association, may also facilitate exchanges between its members”.

[19] CMA, Mobile ecosystems market study interim report, 14 December 2021. Updated 22 January 2022. 

[20] W3C: Transition to a Legal Entity, 9 December 2019.

[21] Internal Revenue Service, ‘Exemption Requirements – 501(c)(3) Orgnaizations’

Header image courtesy of Markus Spiske via Unsplash (Licensed for free use under the Unsplash License)