stampley's proposals for disputes and remedies from Lorrie Cranor on 2003-08-27 (public-p3p-spec@w3.org from August 2003)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Wed, 27 Aug 2003 09:50:48 -0400
To: public-p3p-spec@w3.org
Message-Id: <76E014BA-D895-11D7-A705-000393DC889A@research.att.com>
Dave is on vacation with limited Internet access right now but he sent 
the following proposals for changes to the spec definitions of disputes 
and remedies elements and subelements for me to pass on to everyone. We 
can discuss some today if there is time but will plan on having a 
longer discussion next week.


DISPUTES

PROPOSAL:  The service-provider offers or acknowledges the following 
ways for a user to resolve disputes about the service-provider's 
privacy practices or alleged protocol violations.

COMMENT 1:  I stil have trouble understanding what "protocol 
violations" is supposed mean to users.

COMMENT 2:  I agree with the position that, as a general matter, users 
and websites can elect a dispute resolution procedure by contract.  But 
I don't think the DISPUTES element & subelements should purport to 
create such a contract.

REASONS:  It seems to me that P3Pstatements constitute unilateral 
assertionsby a website on how the site agrees to be bound.  P3P 
statements are not well suited to serve as assertions by a website on 
how its visitors will be bound.  A website's statements about rules 
that it asserts will bind its visitors usually appear in a Terms & 
Conditions section (e.g., "By using this site you agree that any 
disputes will be submitted tobinding arbitrations...; any legal actions 
will be subject to the exclusive jurisdiction of the state andfederal 
courts in the State of California..." etc.).

I propose that the DISPUTES & REMEDIES subelements:   (a) Allow a site 
to express its unilateral commitment to honor the indicated dispute 
resolution & redress mechanisms.  Saying that the site "agrees to" a 
given resolution method is clearer than the current wording that the 
user "may" avail herself of a given procedure.  or (b) Allow a site to 
express its opinion of what it is required to do to fulfill a given 
legal obligation.

Both of these concepts avoid putting the site in the position of 
presuming to express exclusive options or to offer legal advice-- both 
of which are perilous for the site.



"service"

PROPOSAL:  The service-provider's customer service reprseentativei s 
available to help resolve users' disputes regarding the use of 
collected data.  The description MUST include information about how to 
contact customer service.

QUESTION:  Is there a different bewteen "web site," "service," 
"service-provider," and "company" in the vocabulary?



"independent"

PROPOSAL:  The service-provider is willing to be bound by the authority 
of an independent organization for resolution of disputes regarding the 
use of collected data.  Thedescription MUST include information about 
how to contact the third-party organization.



"court"

PROPOSAL:  [Strike this subelement]

COMMENT:  As noted above, I believe the spec should enable sites to 
disclose what they bring to the table as opposed to encouraging them to 
interpret for users the rights that other authorities grant to the 
users.  I propose that this subelement be stricken.



"law"

PROPOSAL:  The service-provider acknowledges or expresses its opinion 
that the indicated laws may affect users' rights or options for 
resolving disputes about the collected data.  Indicated laws MUST be 
referenced in the description.

COMMENT:  In the original wording, from a corporate counselor persepct, 
I would advise a client to avoid usingthe DISPUTES element.  From an 
AAG perspective, if I saw that a company had listed a value for a 
DISPUTES subelement and omitted a material consumer alternative, I 
would have to question whether the company had committed consumer fraud 
by misleading consumers, even if unintentionally.
The proposed language permits an expression thatI would be willing to 
endorse if I were representinga web-facing company.

Under current laws, for example, it is not a stretch to say that 
universities, banks, loan companies, mortgage lenders, loan brokers, 
some travel agents, sellers and manufacturers of vehicles, boats, RVs, 
etc. should anticipate including the following laws in "DISPUTES:law":  
Gramm-Leach-Bliley Financial Services Modernization Act (and the 
related Federal Trade Commission or other federal agency Privacy & 
Safeguards Rules); HIPAA; Fair Credit Reporting Act; Personal 
Information Protection and Electronic Documents Act (Canada, eff. 
1/1/04); USA Patriot Act secs. 326, 352; Office of Foreign Asset 
Control transaction reporting regulations; Cailfornia SB 1386 (consumer 
notification of unauthorized access); federal and state Drivers Privacy 
Protection Acts; federal and state telemarketing laws; federal and 
state Unfair and Deceptive Acts & Practices laws; European Union Data 
Protection Directive; US Department of Commerce Safe Harbor; and the 
Telephone Consumer Protection Act.


REMEDIES

PROPOSAL:  The service-provider offers or acknowledges that the 
following remedies may apply in case of the service-provider's breach 
of its privacy policy or in case of a protocol violation; users may 
also be legally entitled to pursue remedies not listed here.

COMMENT:  I agree that a company's commitment to redress (provided it 
is not presented as an exclusive remedy) can add value to a privacy 
policy.  But I respectfully disagree with the position that, without an 
expression of redress, a P3P policy is not meaningful.  Redress exists 
whether or not it is acknowledged in a privacy policy.  The fact that 
privacy policies have served as the chief exhibits in enforcement 
efforts to date demonstrates that privacy policies have meaning without 
specifying redress.

 From an enforcement point of view, I wouldn't blame a company for 
avoiding the REMEDIES element if the spec's wording increased the 
likelihood that the company could unwittingly perpetrate a material 
omission, as I noted in comments on the DISPUTES element.

 From a corporate counsel point of view, I think most corporate 
counselors would consider themselves duty-bound to advise their clients 
against specifying REMEDIES, since prospectively binding the company to 
redress without some other legal mandate or business incentive might 
constitute a disservice to shareholders.



"correct"

PROPOSAL:  The service-provider will attempt to rectify errors or 
consequences arising from a breach of the privacy policy.

QUESTION:  Has any company indicated that it would actually be willing 
to make the broad, prospective commitment expressed in the current spec 
language?



"money"

PROPOSAL 1:  [Change the subelement name to "compensate."]
PROPOSAL 2:  If the service-provider violates its privacy policy, it 
will compensate the individual according to the terms specified in the 
human-readable privacy policy.




"law"

PROPOSAL:  [For reasons cited above for "DISPUTES:court", and because 
"REMEDIES:law" would duplicate the values assigned to "DISPUTES:law," I 
propose that the "law" subelement be stricken.  If retained, I propose 
use of language similar to that proposed for "DISPUTES:law".]
Received on Wednesday, 27 August 2003 09:47:34 UTC