- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Wed, 2 Oct 2002 15:16:57 -0400
- To: "Andrew Gaudin" <agaudin@sbcglobal.net>, <www-p3p-policy@w3.org>
So it sounds like in this case your client may not actually know why the data is being collected. If that is true, then they can't provide any useful information to users about the use of the data, and thus you are stuck with using other-purpose and/or disclosing all the possible purposes.

On the other hand, I have heard of some companies in this sort of situation that have contracts with their customers that restrict them to certain uses of the data. In this case you could disclose a P3P policy that reflects the actual data usage by the customer.

The non-identifiable element would only be used if explicit steps are taken to anonymize the data (for example, scrubbing information from the server logs). If your client cannot identify individuals from the data, but your client's customers can, then it would be inappropriate to use the non-identifiable element.

Lorrie

--
Lorrie Faith Cranor - http://lorrie.cranor.org/
P3P Specification Working Group Chair - http://www.w3.org/p3p/
New book: Web Privacy with P3P - http://p3pbook.com/

----- Original Message -----
From: "Andrew Gaudin" <agaudin@sbcglobal.net>
To: <www-p3p-policy@w3.org>
Sent: Wednesday, October 02, 2002 1:12 PM
Subject: Data Collection Outsourcer

>
> Greetings:
>
> My client provides (using an ASP model) data collection and warehousing
> services for its customers. My client utilizes a third-party cookie (i.e.,
> one that is served from the client's domain) in connection with providing
> these services. My client does not use the data it collects for any purpose
> other than to provide its services to its customer and will not disclose the
> data to anyone other than its customer (except pursuant to subpoena, court
> order, etc.). In this way, my client acts as an agent for its customer with
> respect to data collection.
>
> We do not believe that the current specifications address our situation.
> While the predefined purposes (section 3.3.4) do in fact describe what the
> client's customer may do with the data, there does not appear to be a
> predefined "Purposes" element that describes the purpose for which my
> client collects the data ("to provide services to its web site customer").
> If my client lists "Other Purpose", its cookies will not be accepted in a
> setting above Medium-High (it employs an "opt-out" mechanism), which my
> client does not find acceptable.
>
> If my client was to include the "non-identifiable" element, this issue might
> be resolved, but it does not seem that the section was really designed for
> this situation either.
>
> Thoughts?
>
> Thank you.
> Andy

Received on Wednesday, 2 October 2002 15:29:19 UTC