- From: Lorrie Cranor <lorrie@cs.cmu.edu>
- Date: Mon, 5 Apr 2004 20:09:32 -0400
- To: public-p3p-spec <public-p3p-spec@w3.org>
Following up on the discussion last seen on Feb 19 at http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0049.html I believe the consensus is to add the following subsection to the user agent guidelines section of the spec.

Timing of Notices to Users

As a best practice, users should receive notice about a site's privacy practices prior to their user agent transmitting any personal data. Personal data means anything which might reasonably be linked to the user (see section ****) and as such can even include IP addresses and locale data transmitted in http headers before a page has even loaded.

In order to present such notice, a user agent would need to fetch a P3P policy prior to loading a page following the guidelines specified in section 2.4.3 **"The Safe Zone." However, implementers will need to consider the performance, usability, and privacy tradeoffs associated with displaying privacy information prior to loading a page. One way that privacy and usability might be simultaneously maximized is to treat all requests made prior to display of policy information as "safe zone" requests.

At sites that include form fields, user agents SHOULD provide notice about the corresponding privacy practices prior to form submittal. Besides being best practice, this may be needed in order to comply with regulations in some jurisdictions (such as the European Union) that require a notice about the purpose of data collection to be presented to the user before any personal information is captured. User interface designs should recognize that the privacy policy for the form's action URI may be different than the privacy policy for the HTML page in which the form is embedded.
In order to allow users to view privacy policy information associated with action URIs prior to form submittal, user agents might include a privacy tab that loads policy information for action URIs as a page loads, a button or menu item that causes policy information for action URIs to be displayed, or a pop-up that appears when a user begins entering information into a form field.
Received on Monday, 5 April 2004 20:09:50 UTC
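
The form-action point in the message above, as an added example that is not part of the original message or of the P3P specification: a user agent helper that resolves each form's action URI and looks up which policy applies to it, so a notice can be shown before submittal. The hosts `shop.example` and `ads.example`, the policy reference file and the page are constructed; matching is simplified to INCLUDE/EXCLUDE with `*` wildcards and the well-known location `/w3c/p3p.xml`.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

NS = "{http://www.w3.org/2002/01/P3Pv1}"
# Constructed policy reference file for the hypothetical host shop.example.
PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
<POLICY-REF about="/w3c/policies.xml#orders">
  <INCLUDE>/cgi-bin/order*</INCLUDE></POLICY-REF>
<POLICY-REF about="/w3c/policies.xml#browsing">
  <INCLUDE>/*</INCLUDE><EXCLUDE>/cgi-bin/*</EXCLUDE></POLICY-REF>
</POLICY-REFERENCES></META>"""
# Constructed page: one same-host form, one form posting to another host.
PAGE_URL = "http://shop.example/catalog/item42.html"
PAGE_HTML = """<form action="/cgi-bin/order.pl" method="post"><input name="email"></form>
<form action="http://ads.example/signup"><input name="zip"></form>"""

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> start tag."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def _match(pattern, path):
    # '*' is the only wildcard; everything else must match literally.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), path) is not None

def policy_for(path, prf_xml):
    """First POLICY-REF, in document order, that includes and does not exclude path."""
    for ref in ET.fromstring(prf_xml).iter(NS + "POLICY-REF"):
        inc = [e.text.strip() for e in ref.findall(NS + "INCLUDE")]
        exc = [e.text.strip() for e in ref.findall(NS + "EXCLUDE")]
        if any(_match(p, path) for p in inc) and not any(_match(p, path) for p in exc):
            return ref.get("about")
    return None

def form_policy_report(page_url, html, prf_xml):
    """Return (page_policy, [(action_uri, policy_or_None, prf_location), ...])."""
    parser = FormActions()
    parser.feed(html)
    page = urlsplit(page_url)
    report = []
    for action in parser.actions:
        t = urlsplit(urljoin(page_url, action))  # empty action resolves to the page
        # prf_xml only covers the page's host; another host needs its own file,
        # fetched from its well-known location before any notice can be shown.
        policy = policy_for(t.path, prf_xml) if t.netloc == page.netloc else None
        report.append((t.geturl(), policy, f"{t.scheme}://{t.netloc}/w3c/p3p.xml"))
    return policy_for(page.path, prf_xml), report
```

A `None` policy in the report means the action URI lives on another host, so its policy reference file still has to be fetched before a notice can be displayed.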