Response to BITS (19 June 2002) Letter re: legal status of P3P policy statements

Dear Cathy,

Thanks for your ongoing commitment to assuring the P3P is implemented in a
manner that assures both consumers and service providers have clearer, more
transparent privacy relationships. Through the efforts of BITS and many of
your leading members, P3P implementation is already helping to bring greater
transparency and more informed privacy choices to Web users. In your letter
of 19 June 2002 (appended below), you have stated that "[I]t is our
understanding that the legally controlling policy is the human readable
policy," as opposed to the policy statements made through the use of the P3P
vocabulary. You have further asked us whether the W3C agrees that "it is
the human readable policy that is legally controlling."  The P3P
Coordination Group has discussed this matter and offers the following reply.

The function of P3P is to enable web sites to make statements about their
privacy policies in machine readable format so that users' software
(browsers, etc.) can help users to understand a site's privacy policy,
compare it to the user's preferences, and ultimately decide whether or not to
continue in a relationship defined by that policy. As we said in response to
comments BITS made before the P3P Recommendation was finalized:

"Users, however, can be expected to make decisions based on the content of
P3P statements. Therefore, the proper functioning of P3P depends on
organizations implementing P3P to make sure that all policies are consistent
with both the practices of that organization and the human readable policy
found on that Web site. For example, if for some reason a site's P3P
statements contradicted the human readable privacy notice, users would not be
able to know what the site's policy actually is and would be unable to make an
informed
choice about the privacy relationship into which they are entering." [1]

In order to fulfill the basic goals of P3P, it is necessary that the
representations made to users through the P3P statements, and those made
through the human readable policy are consistent with each other. Therefore,
the proposition that the human readable policy is the sole legally
controlling representation made to users is inconsistent with the
functional goals of P3P. However, we do recognize that it is possible that
some nuances of sites' privacy policies may be beyond the expressive capacity
of the current P3P standard. Based on comments BITS made on the draft
version of the P3P specification, the final P3P Recommendation includes the
provision:

"In cases where the P3P vocabulary is not precise enough to describe a Web
site's practices, sites should use the vocabulary terms that most closely
match their practices and provide further explanations (as stated in Section
3.2). However, policies MUST NOT make false or misleading statements." [2]

This statement in the P3P Recommendation document clarifies our
understanding of the technical relationship between a site's human readable
policy and the P3P policy. Beyond that, it bears noting that W3C is not a
legislative or regulatory body and therefore cannot rule on the legal
ramifications of statements made by sites to users. What we have done is to
state our expectations about how P3P will be used. And, relying on the
passage from the Recommendation cited above, we have indicated our
expectation about what will happen when all the details of the site's policy
cannot be expressed with the P3P vocabulary. As you know from our response
to your previous comments,[1] in developing the P3P specification we have
drawn on several years of implementation experience which has entailed
translating actual sites' privacy policies into the P3P vocabulary. We are
not aware of any privacy policy which cannot be expressed in the final
version of the vocabulary, but certainly remain open to expanding the
vocabulary when specific deficiencies are identified.

I hope that this letter clarifies our views on this matter. Your letter
points to an area that is certain to challenge regulators around the world
as P3P gains wider use. W3C is committed to working with our Members and the
public policy community to help smooth P3P implementation not only from a
technical but also from a legal standpoint.

Thank you again for your careful attention to all aspects of P3P
implementation. I look forward to continued cooperation between W3C, BITS
and our respective members on these matters.

Sincerely,

Daniel J. Weitzner, W3C Technology & Society Domain Leader, P3P Coordination
Group Chair
Lorrie Faith Cranor, P3P Specification WG Chair



cc: P3P Public Comment Archive <www-p3p-public-comments@w3.org>

links:
[1] http://lists.w3.org/Archives/Public/www-p3p-public-comments/2001Dec/0010.html
[2] http://www.w3.org/TR/P3P/#P3PPolicies
----------------
LETTER FROM BITS
June 19, 2002


Danny Weitzner
Lorrie Cranor
W3C
(sent by email)

Dear Danny and Lorrie:

Congratulations on the advancement of the Platform for Privacy Preferences
P3P 1.0 from Specification to Recommendation.  We would like to reiterate
our interest in continuing communications with you and other representatives
of the W3C as P3P continues to evolve. We would also like to review our
understanding of one key point related to the implementation of P3P 1.0.

It is our understanding that P3P 1.0 is a technical recommendation.  It is
complementary to laws and regulations but is not in itself legally binding.
It is our understanding that when organizations implement P3P 1.0, they will
make every effort to make accurate statements that are consistent with the
human readable privacy policies.  At the same time, it is our understanding
that the legally controlling policy is the human readable policy, and that
W3C would not find statements to this effect to make an organization’s
policies less useful to consumers.

Given the importance of this understanding to both the regulators and the
companies in the financial services industry, we would appreciate your
responding to this letter to indicate that this is also the understanding of
the W3C—that is, that it is the human readable policy that is legally
controlling.

We appreciated the discussion that we had on March 8 and your responsiveness
to points we raised.  It is clear to us that the P3P 1.0 Recommendation does
reflect a conscious effort on your part to address concerns of the financial
services industry.  We appreciate the opportunity to continue to bring such
issues to your attention.

Sincerely,
Catherine A. Allen
CEO, BITS

C:  BITS Privacy Working Group

Received on Tuesday, 9 July 2002 09:53:19 UTC