The Platform for Privacy Preferences 1.1 (P3P1.1):
Specification of Statement Grouping (WG.SG)

W3C Working Draft 29 August 2002

This version:: TBD
$Revision: 1.1 $ on $Date: 2003/05/22 09:45:31 $ GMT by $Author: rigo $
Latest version:: TBD
Previous version:: NA
Editor: Matthias Schunter, IBM
Authors: Jerry Epling, Microsoft; Lorrie Cranor, AT&T; Matthias Schunter, IBM

Abstract

The Statement Grouping task force will consider the creation of a mechanism that will allow for Web sites to indicate a set of practices that can be grouped together based on how the user interacts with the Web site (e.g. a register member, a seller on an auction Web site, etc) and how opt-in or opt-out choices may be applied to these groups. This document describes a draft proposal how to group consent choices. The basic idea we propose is to add a <STATEMENT-GROUP id = "somename" /> extension to the <STATEMENT> where all statements with the same statement-group id can only be displayed and opted in or out of together. The will also be the addition of a <STATEMENT-GROUP-DEF id="somename" short-description="somename's description" consent = "opt-in" /> extension to the <POLICY> that will define the group description to be displayed in the agents P3P viewer and the consent type for this practice. The numbering of the sections is the corresponding numbering of the P3P 1.0 Specification.

Status of This Document

This is an editors' draft with no standing.

Introduction
Statement
1. Statement that belongs to a Consent Group (P3P 1.1)

1. Introduction

This document describes statement and policy extensions that aim at grouping statements for readability and consent. This is the output of the P3P 1.1 Working Group on Statement Grouping (SG). The changes we propose are to add an extension sub-element to statement that specifies the id for a group of statements and to add an extension sub-element to policy that specifies the textual description of this grouping and its consent mechanism.

2 Policies

[here go the other sub-chapters of the P3P 1.0 spec]

2.8 Definition of a Statement Group (P3P 1.1)

All statements-group-def extensions have an id that matches the statement-group extensions together. This means that these statements will all be grouped together in the P3P viewer and all elements with required="opt-in" or with required="opt-out" can only be opted together. A user may not be allowed by the recipient to opt for a subset of these elements. When parsing the agent will look for a consent attribute in the statement-group-def extension and use that as the consent type even if the required attribute is set on another element in the statement.

<STATEMENT-GROUP-DEF>: an element inside the <EXTENSION> sub-element of a <POLICY>. This element that identifies a statement group and consent method. A policy can have multiple Statement-group-def extentions.
id: This attribute contains a string that identifies a statement group. It is required to be unique within a policy.
short-description: The text describing this group.

[xx]	sg-extension	=	"<EXTENSION> *[sg-def] </EXTENSION>"
	sg-def	=	<STATEMENT-GROUP-DEF id=" [quotedstring] " consent = " ("opt-in"\|"opt-out"\|"required") short-description = " [quotedstring] "/>"

Groups serve two main purpose:

A group of statements allows policy authors to describe what sections of their P3P policy apply to different user interaction with their site/service. E.g., an e-commerce site to define one group that describes data collection for web-browsing and another group that describes the additional data that is collected when items are bought. This enables a person who just browses the site to be aware that only a small portion of the policy is relevant to him/her.
A statement group can be declared required, opt-in, or or opt-out. This enables a site to define usages that can only be opted in- or out together. E.g., an opt-in to a frequest-flyer club implies collection of email and phone for contact as well as clickstream data for individual analysis.

<POLICY>
 <EXTENSION>
  <STATEMENT-GROUP-DEF id="browsing"
  consent = "required">
   <SHORT-DESCRIPTION lang="EN" text="Browsing the site"/>
  </STATEMENT-GROUP-DEF>
 </EXTENSION>
 <EXTENSION>
  <STATEMENT-GROUP-DEF id="fflyer"
  consent = "opt-in">
   <SHORT-DESCRIPTION lang="EN" text="Frequent Flyer Club Members"/>
  </STATEMENT-GROUP-DEF>
 </EXTENSION>
</POLICY>

3.3 Statements

[here go the other sub-chapters of the P3P 1.0 spec]

3.3.7 Association with a Statement Group (P3P 1.1)

A statement can be associated with a statement group. Each statement can have at most one extension <STATEMENT-GROUP>.

<STATEMENT-GROUP>: an element inside the <EXTENSION> sub-element of a <STATEMENT>. This element that identifies a single statement group.
id: This attribute contains a string that identifies a statement group that has been defined in an extension of the <POLICY> element.

[xx]

sg-extension

"<EXTENSION>
  <STATEMENT-GROUP id=" [quotedstring] ">
</EXTENSION>"

All statements that contain the same id in their statement-group extensions belong to the group with this id. For backward-compatibility, we make the following requirements on the statements that belong to a group:

A statement that belongs to a group where consent is "required" , "opt-in" , or "opt-out" must define all elements to be "required" , "opt-in" , or "opt-out", respectively.

Note that this implies that the purpose "current" and the recipient "ours" cannot be used in optional groups.

<STATEMENT>
  <EXTENSION>
    <STATEMENT-GROUP id = "fflyer" />
  </EXTENSION>
  . . .
</STATEMENT>

The Platform for Privacy Preferences 1.1 (P3P1.1): Specification of Statement Grouping (WG.SG)