Brand is not the same as data controller - brand should not be referenced #50

Open
jwrosewell opened this issue Aug 13, 2021 · 1 comment

Comments

@jwrosewell

During the virtual F2F of 12th August 2021, many commentators suggested that people trust brands. To the best of my knowledge, brand is not a concept that is part of data privacy laws.

BBC

The BBC was used by several commentators as an example of a single brand that operates services from at least two domains: bbc.co.uk and bbc.com. Looking at the BBC privacy policy associated with bbc.co.uk (I can't access bbc.com as I'm in the UK), the policy references many different operating companies.

BBC World Service, BBC Studios, BBC Studioworks, BBC Global News, BBC Media Applications Technology, BBC World Service Trading and TV Licensing and BBC charities.

Someone might be prepared to accept a policy to gain access to news services, but not the same policy when it comes to their financial data for paying their TV License or their details to one of the charities operated under the BBC brand.

Papa John's

Another example of a brand that relates to multiple almost entirely unrelated companies is Papa John's. Here is a link to the UK privacy policy operated by Papa John's (GB) Limited. Again, I can't access the US version. However, it is clear from an investigation into corporate ownership that the US and UK brands are operated by separate companies where the UK company is owned by but not otherwise related to the operations of the US company.

Issue

As brand is not the same as data controller, as clearly demonstrated in these two examples, the use of brand as a method of defining FPS should be avoided. The emphasis of the proposal should be controllers (joint and single) and processors. Brand is irrelevant.

@dmarti

dmarti commented Aug 16, 2021

These two privacy policies are completely different:

(For me, both can be viewed from California, USA.) Even if there is common branding here, the two domains would not be eligible to form a First-Party Set.

The obvious branding (is it clear to the user that they are interacting with the same company or organization) and common policies (will the user's data be protected in the same way on both sites) are what matter. Ownership is hard to check, possibly prohibitively hard in some jurisdictions, and does not make a difference to the user.
