The Statement Grouping task force will consider the creation of a mechanism
that will allow for Web sites to indicate a set of practices that can be grouped
together based on how the user interacts with the Web site (e.g. a registered
member, a seller on an auction Web site, etc) and how opt-in or opt-out choices may be applied to these
groups. This document describes a draft proposal how to group consent choices.
The basic idea we propose is to add a
<STATEMENT-GROUP id = "somename" /> extension to the
<STATEMENT> where all statements with the same
can only be displayed and opted in or out of together. There will also be the
addition of a
short-description="somename's description" consent = "opt-in" />
extension to the
will define the group description to be displayed in the user agent's P3P viewer and
the consent type for this practice. The numbering of the sections is the
corresponding numbering of the P3P 1.0 Specification.
This is an editors' draft with no standing.
[We propose that our extensions be included in a new section 3.7]
This section describes P3P policy syntax added after P3P 1.0 became a Recommendation. In order to preserve backward compatibility with P3P 1.0, this syntax has been added using the extension mechanism.
[The GROUP-INFO extension should be documented here, as per bugzilla 171]
STATEMENT-GROUP-DEF extension is used to define
an identifier and optionally properties that can be applied to a group
STATEMENT elements using
P3P user agents that understand these two extensions MAY take this
information into account when displaying P3P policy information for
users. For example, statements that belong to the same group might
be displayed together under a single heading.
STATEMENTelement that defines an identifier and optionally properties that can be applied to a group of
opt-inindicates that a user can simultaneously opt-in. A value of
opt-outindicates that a user can simultaneously opt-out. A value of
alwaysindicates that no opt-in or opt-out options are available. A value of
mixedindicates that opt-in or opt-out may be available for some or all of the data uses and recipients individually, but users are not able to simultaneously consent to or withdraw consent from all of them. If this attribute is omitted, the default value is
"<EXTENSION optional="yes"> *[sg-def] </EXTENSION>"
<STATEMENT-GROUP-DEF id=" [quotedstring] " [consent = " ("opt-in" | "opt-out" | "always" | "mixed")] short-description = "[quotedstring]" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>"
(Note that the
optional attribute does not need to be
explicitly included because its default value
[NEED TO CHECK BNF SYNTAX AND DECIDE ON NAMESPACE ABOVE AND BELOW!]
A statement can be associated with a statement group. Each
statement can have at most one
STATEMENTelement that identifies the statement group to which that statement belongs
"<EXTENSION optional="yes"> <STATEMENT-GROUP id=" [quotedstring] " xmlns = "http://www.w3.org/2004/01/P3Pv1_1"> </EXTENSION>"
Because P3P 1.0 user agents are unaware of this extension (and thus
will ignore it), all
statements that belong to statement groups that
consent attributes with values
opt-out, MUST use the corresponding
required attribute on
RECIPIENTS elements. If
required attribute MUST be omitted as its default value is
always. Any user agent that relies on this extension MUST check to make sure this requirement has been followed. If a user agent finds an inconsistency between a
consent attribute and
required attribute it MUST either ignore the
extension altogether or treat the statement group as if
consent value was
Note that the purpose
current and the
ours do not take
required attribute and thus cannot be used in
statement groups with
consent values other than
Statement groups serve two main purpose:
consentattribute of the statement group enables a site to define usages that can only be opted in- or out together. E.g., an opt-in to a frequent-flyer club implies collection of email and phone for contact as well as clickstream data for individual analysis.
Statement groups are intended primarily as hints to user agents on how to display P3P policy information to users. As currently specified, they are not intended for use in automated decision-making. For example, user agents cannot make judgments automatically about which statement groups apply to the activities of their users.
<POLICY> ... <EXTENSION optional="yes"> <STATEMENT-GROUP-DEF id="browsing" consent = "always" short-description="Browsing the site" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/> </EXTENSION> ... <STATEMENT> <EXTENSION optional="yes"> <STATEMENT-GROUP id="browsing" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/> </EXTENSION> ... </STATEMENT> ... </POLICY>