- From: Humphrey, Jack <JHumphrey@coremetrics.com>
- Date: Tue, 20 May 2003 07:35:18 -0500
- To: "'public-p3p-spec@w3.org '" <public-p3p-spec@w3.org>
I think I understand now. I always think about the cookie policy declaring what data is being collected for what purposes (maybe because that's how user agents tend to express it), but it also has to declare what other data will be used for those purposes. Let's say that my user agent allows me to express that: 1. I don't want to accept or send cookies containing sensitive personal information. 2. I don't want to accept or send any cookies whose purpose is to enable someone to contact me by phone or email for marketing purposes. In the example I gave, if a site sets a cookie containing a loyalty number (UNI) and declares that it is for indiv. analysis (IVA), then as I understand it now it should also declare purchase (PUR) since that's what the the loyalty # will be used to look up for the analysis. The fact that the company could also look up my phone number and email address is not relevant since that's not the purpose of this cookie, right? Okay, that makes sense, and the user agent implementation might allow that cookie if it didn't map UNI and PUR to "sensitive personal information." But I don't think the user agent could allow you to express #1 but not #2 (say you don't mind telemarketing and online contact). Then if the loyalty # was being collected for telemarketing, the policy would have to include PHY in addition to UNI and TEL, and the user agent couldn't allow the cookie, even though it doesn't violate the expressed preferences, because it couldn't distinguish that the cookie doesn't contain a phone number. That troubles me, but it's something of an orthogonal issue to the points you raise. Jack -----Original Message----- From: Rigo Wenning To: public-p3p-spec@w3.org Sent: 5/20/2003 5:06 AM Subject: Re: potential requirement/guidelines on acceptable Purpose / Cate g ory combinations On Mon, May 19, 2003 at 02:25:42PM -0400, Dobbs, Brooks wrote: > What this all boils down to is, if the data collector declares a purpose > that requires identity, then they obviously HAVE the identity. If you claim > that you are going to telemarket to me, you have my phone number. I think > that it is now generally understood that the actual phone number won't be > stored as the clear text value within the cookie but rather referenced > through a UNI value of the cookie. To the data subject it doesn't matter if > you reference using phone #, loyalty #, credit card # or a SSN so long as > the intent or the data construct is to use the value to reference other data > (though clearly for some these you may need to go past simply UNI even for > the reference string itself). http://www.w3.org/TR/P3P/#cookies I think we specified that already by saying in 2.3.2.7 The COOKIE-INCLUDE and COOKIE-EXCLUDE elements: A cookie policy MUST cover any data (within the scope of P3P) that is stored in that cookie or linked via that cookie. It MUST also reference all purposes associated with data stored in that cookie or enabled by that cookie. In addition, any data/purpose stored or linked via a cookie MUST also be put in the cookie policy. In addition, if that linked data is collected by HTTP, then the policy that covers that GET/POST/whatever request must cover that data collection. Best, Rigo
Received on Tuesday, 20 May 2003 08:35:26 UTC