First-party sets, as proposed, states that a desired outcome is “to provide the user’s desired functionality on the site they are interacting with.” However, first-party sets implicitly gives large organizations cross-domain capabilities to track and target users across their owned domains. Additionally, the proposal puts forth that first-party sets should be set by “organizations” and that “otherwise unrelated sites forming a consortium … would be considered abuse”. We can all agree that this proposal should not bias towards large organizations at the expense of small ones.

An “organization” such as a company, government entity, or otherwise is a relatively arbitrary and opaque construct. Users rarely have any concept of what an organization is, how it is managed, and who the members are. A UI element is a way to address this, but it does not address the underlying bias caused by using “organization” as the only construct that first-party sets can be managed by.

As a theoretical example, Berkshire Hathaway, a major conglomerate, owns many companies including GEICO (insurance), Duracell (batteries) and Dairy Queen (ice cream). It could create a first-party set that allows them to track users across geico.com, duracell.com, and dairyqueen.com. There are many other examples of companies that own highly disparate brands (domains) that users would not understand are sharing data. It is also not necessarily the case that all subdivisions of an organization would have the same privacy practices with how data is accessed/stored/shared.

The proposal states that “a collection of completely unrelated sites” would be “clearly unacceptable.” However, upon closer analysis, many “valid” first-party sets (such as Berkshire Hathaway) would appear to be completely unrelated to the user. So the relationship of sites, or potential user intuition of what sites are related, is not a valid consideration for what constitutes an acceptable first-party set. It follows that if any construct similar to first-party sets is to be adopted, users are unlikely to be able to intuitively understand what domains are grouped together except via UX elements.

I believe that the First-Party Sets proposal should be modified to:

1. Not be based on “organizations” as the controllers and arbiters of those sets
2. Solely rely on UX signals and unbiased third-party validation as the arbiters of the sets