W3C home > Mailing lists > Public > public-p3p-spec@w3.org > May 2003

Re: potential requirement/guidelines on acceptable Purpose / Cate g ory combinations

From: Rigo Wenning <rigo@w3.org>
Date: Tue, 20 May 2003 12:06:54 +0200
To: public-p3p-spec@w3.org
Message-ID: <20030520100654.GB1033@localhost>

On Mon, May 19, 2003 at 02:25:42PM -0400, Dobbs, Brooks wrote:
> What this all boils down to is, if the data collector declares a purpose
> that requires identity, then they obviously HAVE the identity.  If you claim
> that you are going to telemarket to me, you have my phone number.  I think
> that it is now generally understood that the actual phone number won't be
> stored as the clear text value within the cookie but rather referenced
> through a UNI value of the cookie.  To the data subject it doesn't matter if
> you reference using phone #, loyalty #, credit card # or a SSN so long as
> the intent or the data construct is to use the value to reference other data
> (though clearly for some these you may need to go past simply UNI even for
> the reference string itself).

http://www.w3.org/TR/P3P/#cookies

I think we specified that already by saying in 2.3.2.7 The
COOKIE-INCLUDE and COOKIE-EXCLUDE elements:

A cookie policy MUST cover any data (within the scope of P3P) that is
stored in that cookie or linked via that cookie. It MUST also reference
all purposes associated with data stored in that cookie or enabled by
that cookie. In addition, any data/purpose stored or linked via a cookie
MUST also be put in the cookie policy. In addition, if that linked data
is collected by HTTP, then the policy that covers that GET/POST/whatever
request must cover that data collection.

Best, 

Rigo
Received on Tuesday, 20 May 2003 06:07:01 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:24 EST