- From: Rigo Wenning <rigo@w3.org>
- Date: Tue, 20 May 2003 12:06:54 +0200
- To: public-p3p-spec@w3.org

On Mon, May 19, 2003 at 02:25:42PM -0400, Dobbs, Brooks wrote:
> What this all boils down to is, if the data collector declares a purpose
> that requires identity, then they obviously HAVE the identity. If you claim
> that you are going to telemarket to me, you have my phone number. I think
> that it is now generally understood that the actual phone number won't be
> stored as the clear text value within the cookie but rather referenced
> through a UNI value of the cookie. To the data subject it doesn't matter if
> you reference using phone #, loyalty #, credit card # or a SSN so long as
> the intent or the data construct is to use the value to reference other data
> (though clearly for some these you may need to go past simply UNI even for
> the reference string itself).

http://www.w3.org/TR/P3P/#cookies

I think we specified that already by saying in 2.3.2.7 The COOKIE-INCLUDE and COOKIE-EXCLUDE elements:

A cookie policy MUST cover any data (within the scope of P3P) that is stored in that cookie or linked via that cookie. It MUST also reference all purposes associated with data stored in that cookie or enabled by that cookie. In addition, any data/purpose stored or linked via a cookie MUST also be put in the cookie policy. In addition, if that linked data is collected by HTTP, then the policy that covers that GET/POST/whatever request must cover that data collection.

Best,

Rigo

Received on Tuesday, 20 May 2003 06:07:01 UTC