
Re: Art 10 Issue 1: Purpose Specification

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Mon, 5 Apr 2004 20:09:32 -0400
Message-Id: <AE07AE08-875E-11D8-ADFB-000A95DA3F5A@cs.cmu.edu>
To: public-p3p-spec <public-p3p-spec@w3.org>

Following up on the discussion last seen on Feb 19 at
http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0049.html
I believe the consensus is to add the following subsection to the user
agent guidelines section of the spec.

Timing of Notices to Users

As a best practice, users should receive notice about a site's privacy
practices prior to their user agent transmitting any personal data.
Personal data means anything which might reasonably be linked to the
user (see section ****) and as such can even include IP addresses and
locale data transmitted in HTTP headers before a page has even loaded.
In order to present such notice, a user agent would need to fetch a P3P
policy prior to loading a page following the guidelines specified in
section 2.4.3 **"The Safe Zone." However, implementers will need to
consider the performance, usability, and privacy tradeoffs associated
with displaying privacy information prior to loading a page. One way
that privacy and usability might be simultaneously maximized is to
treat all requests made prior to display of policy information as
"safe zone" requests.

At sites that include form fields, user agents SHOULD provide notice
about the corresponding privacy practices prior to form submittal.
Besides being best practice, this may be needed in order to comply with
regulations in some jurisdictions (such as the European Union) that
require a notice about the purpose of data collection to be presented
to the user before any personal information is captured. User interface
designs should recognize that the privacy policy for the form's action
URI may be different than the privacy policy for the HTML page in which
the form is embedded. In order to allow users to view privacy policy
information associated with action URIs prior to form submittal, user
agents might include a privacy tab that loads policy information for
action URIs as a page loads, a button or menu item that causes policy
information for action URIs to be displayed, or a pop-up that appears
when a user begins entering information into a form field.

Received on Monday, 5 April 2004 20:09:50 EDT
