WICG / first-party-sets

https://wicg.github.io/first-party-sets/

is gov.uk a use case that should be part of first-party sets? #102

Open npdoty opened 2 years ago

npdoty commented 2 years ago

gov.uk is sometimes described in this proposal as an example of a need for first-party sets, because .gov.uk is on the public suffix list, but consent management UI might be the same across different sub-domains and users shouldn't have to repeatedly confirm.

However, the www.gov.uk privacy notice indicates that different subdomains of gov.uk have different data controllers and different privacy policies and are operated by different entities. The cookie consent notices on different subdomains aren't asking the same question at all, but are specific to each agency or department or municipal government.

Can someone clarify what the use case is for domains on the public suffix list that have different registrable domains but where cookies would need to be shared by an embedded party across those separate registrable domains?
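To make the public-suffix-list point above concrete, here is an added example (not code from this issue thread or the WICG proposal): a minimal Public Suffix List matcher that computes the registrable domain (eTLD+1) of a host. The rule list is a constructed excerpt of the real PSL; it includes `gov.uk` and the country-code TLDs mentioned in the thread, plus a wildcard/exception pair to show the full matching algorithm.

```javascript
// Constructed excerpt of the Public Suffix List (the real list is at publicsuffix.org).
const PSL_RULES = [
  "uk",
  "gov.uk",      // every host under gov.uk is its own registrable domain
  "de",
  "at",
  "lu",
  "*.ck",        // wildcard rule: every label directly under .ck is a public suffix
  "!www.ck",     // exception rule: www.ck is a registrable domain after all
];

// Public suffix of a host per the PSL algorithm: longest matching rule wins,
// except that a matching exception rule always wins and drops its first label.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  let best = null;
  for (const raw of PSL_RULES) {
    const exception = raw.startsWith("!");
    const ruleLabels = (exception ? raw.slice(1) : raw).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(labels.length - ruleLabels.length);
    if (!ruleLabels.every((r, i) => r === "*" || r === tail[i])) continue;
    if (best === null || exception || ruleLabels.length > best.labels.length) {
      best = { labels: ruleLabels, exception };
      if (exception) break;
    }
  }
  if (best === null) return labels[labels.length - 1]; // implicit "*" rule
  const n = best.exception ? best.labels.length - 1 : best.labels.length;
  return labels.slice(labels.length - n).join(".");
}

// Registrable domain (eTLD+1): one label more than the public suffix,
// or null when the host is itself a public suffix (e.g. "gov.uk").
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const suffixCount = publicSuffix(host).split(".").length;
  if (labels.length <= suffixCount) return null;
  return labels.slice(labels.length - suffixCount - 1).join(".");
}

// Cookies and storage are keyed by site, so two hosts share them only when
// their registrable domains are equal: www.gov.uk and hmrc.gov.uk do not.
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA), b = registrableDomain(hostB);
  return a !== null && a === b;
}
```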

michael-oneill commented 2 years ago

Hi Nick,

One use case I have seen is where a single controller manages multiple country-specific domains, which may share a common language, e.g. example.de, example.at or example.lu, and uses them in a unified web experience.

It then may be a requirement to propagate a low-entropy consent status across the origins e.g. a banner has been seen and so does not need to appear on subsequent pages within the same “session”.

Mike

npdoty commented 2 years ago

One use case I have seen is where a single controller manages multiple country-specific domains, which may share a common language, e.g. example.de, example.at or example.lu, and uses them in a unified web experience.

Yes, that's listed as a separate category in the use cases ("Country-specific domains to enable localization"), although I'm not sure how often that should apply either, as I think it would be common for privacy or other practices to also be localized (which is likely why they are using different domains in the first place). If the practices are not the same, I'm not sure why the user would benefit from sharing data between them or automatically applying a single saved choice to all the domains.

michael-oneill commented 2 years ago

It's common in Europe because EU laws covering privacy and other aspects online apply either directly as Regulations or indirectly as Directives via enabling local law, and large multinational companies often manage local sites from a single location. The "shared data" in this use case may simply be low-entropy state indicating that a banner has been rendered or a button clicked.

If third-party storage is inaccessible, then state communicated via posting JavaScript messages to embedded contexts cannot be retained in the other origins. Communicating state in top-level cookies via redirected navigations is also being restricted, and likely more so in future.