W3C home > Mailing lists > Public > public-p3p-spec@w3.org > May 2003

RE: potenial requirement/guidelines on acceptable Purpose / Categ ory combinations

From: Humphrey, Jack <JHumphrey@coremetrics.com>
Date: Mon, 19 May 2003 12:22:04 -0500
Message-ID: <85063BBE668FD411944400D0B744267A025184AA@ausmail.core.coremetrics.com>
To: "'Dobbs, Brooks'" <bdobbs@doubleclick.net>, public-p3p-spec@w3.org

Brooks,

FWIW, I can think of counter-examples for IVA/IVD. On a retail site, you
might enter a customer loyalty ID from a card given to you at a physical
store, which would then be stored in or linked to a cookie. I don't think
that ID belongs to any of the categories you listed, but it could be used on
the back-end for IVA/IVD purposes.

I wasn't on the UA call, so I'm curious -- what's the purpose of this
analysis?

Jack Humphrey
Development Manager, Coremetrics

-----Original Message-----
From: Dobbs, Brooks [mailto:bdobbs@doubleclick.net]
Sent: Friday, May 16, 2003 12:52 PM
To: public-p3p-spec@w3.org
Subject: UA: potenial requirement/guidelines on acceptable Purpose /
Categ ory combinations



For once I am actually did something sooner rather than later.

I am attaching a useful quote from the spec and then some thoughts on
categories that should IMHO be required given certain declared purposes.
The thought being, to achieve X purpose, at least Y data is required.

P3P Spec 1.0 2.3.2.7 The COOKIE-INCLUDE and COOKIE-EXCLUDE elements
A cookie policy MUST cover any data (within the scope of P3P) that is stored
in that cookie or linked via that cookie. It MUST also reference all
purposes associated with data stored in that cookie or enabled by that
cookie. In addition, any data/purpose stored or linked via a cookie MUST
also be put in the cookie policy.

It therefore follows that if you declare any of the following purposes that
deal in identified individuals you would need to have (either directly or
linked via that cookie) one of the listed categories:

Individual-Analysis, IVA:  Information may be used to determine the habits,
interests, or other characteristics of individuals and combine it with
identified data for the purpose of research, analysis and reporting. For
example, an online Web site for a physical store may wish to analyze how
online shoppers make offline purchases.
	*	Physical
	*	Online
	*	Financial
	*	Purchase
	*	Government
	RATIONAL: This purpose requires "identified data".  While it is
possible to have other categories associated with an identified subject, the
actual identification is impossible without a data element associated with
one or more of the above categories.

Individual-Decision, IVD: Information may be used to determine the habits,
interests, or other characteristics of individuals and combine it with
identified data to make a decision that directly affects that individual.
For example, an online store suggests items a visitor may wish to purchase
based on items he has purchased during previous visits to the Web site.
	*	Physical
	*	Online
	*	Financial
	*	Purchase
	*	Government
	RATIONAL: This purpose requires "identified data".  While it is
possible to have other categories associated with an identified subject, the
actual identification is impossible without a data element associated with
one or more of the above categories.

Contact, CON: Contacting Visitors for Marketing of Services or Products:
Information may be used to contact the individual, through a communications
channel other than voice telephone, for the promotion of a product or
service. This includes notifying visitors about updates to the Web site.
This does not include a direct reply to a question or comment or customer
service for a single transaction -- in those cases, would be used. In
addition, this does not include marketing via customized Web content or
banner advertisements embedded in sites the user is visiting -- these cases
would be covered by the , and , or and purposes.
	*	Physical
	*	Online
	RATIONAL:  Logic dictates that to contact an individual the
initiator of the contact would possess a data element identifying the
individual in a place where he or she would be contacted - either the online
or offline worlds.  This would presuppose elements contained by one of the
above categories. 

Telemarketing, TEL: Contacting Visitors for Marketing of Services or
Products Via Telephone: Information may be used to contact the individual
via a voice telephone call for promotion of a product or service. This does
not include a direct reply to a question or comment or customer service for
a single transaction -- in those cases, would be used.
	*	Physical
RATIONAL:   Again logic dictates that if you are going to contact someone
via telephone, you at least have a data element that contains phone numbers.
These data elements should all be within the Physical category

Thoughts?



Brooks Dobbs
Director of Privacy Technology
DoubleClick, Inc.

office: 404.836.0525
fax: 404.836.0521
email: bdobbs@doubleclick.net
Received on Monday, 19 May 2003 13:22:24 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:24 EST