W3C

The Platform for Privacy Preferences 1.1 (P3P1.1):
Specification of Statement Grouping (WG.SG)

W3C Working Draft 01 September 2002

This version:
TBD
$Revision: 1.1 $ on $Date: 2003/05/22 09:45:31 $ GMT by $Author: rigo $
Latest version:
TBD
Previous version:
NA
Editor
Matthias Schunter, IBM
Authors
Jeremy Epling, Microsoft
Lorrie Cranor, AT&T
Matthias Schunter, IBM

Abstract

The Statement Grouping task force will consider the creation of a mechanism that allows Web sites to indicate a set of practices that can be grouped together based on how the user interacts with the Web site (e.g. a registered member, a seller on an auction Web site, etc.) and how opt-in or opt-out choices may be applied to these groups. This document describes a draft proposal for how to group consent choices. The basic idea we propose is to add a <STATEMENT-GROUP id = "somename" /> extension to the <STATEMENT> element, where all statements with the same statement-group id can only be displayed and opted in to or out of together. In addition, a <STATEMENT-GROUP-DEF id="somename" short-description="somename's description" consent = "opt-in" /> extension to the <POLICY> element defines the group description to be displayed in the user agent's P3P viewer and the consent type for this practice. The section numbering follows the corresponding numbering of the P3P 1.0 Specification.

Status of This Document

This is an editors' draft with no standing.


3 Policy Syntax and Semantics

[We propose that our extensions be included in a new section 3.7]

3.7 POLICY extensions

This section describes P3P policy syntax added after P3P 1.0 became a Recommendation. In order to preserve backward compatibility with P3P 1.0, this syntax has been added using the extension mechanism.

3.7.1 GROUP-INFO extension

[The GROUP-INFO extension should be documented here, as per bugzilla 171]

3.7.2 STATEMENT-GROUP-DEF extension and STATEMENT-GROUP extension

The STATEMENT-GROUP-DEF extension is used to define an identifier and optionally properties that can be applied to a group of STATEMENT elements using the STATEMENT-GROUP extension. P3P user agents that understand these two extensions MAY take this information into account when displaying P3P policy information for users. For example, statements that belong to the same group might be displayed together under a single heading.

<STATEMENT-GROUP-DEF>
an optional extension placed inside a P3P policy before the occurrence of the first STATEMENT element that defines an identifier and optionally properties that can be applied to a group of STATEMENT elements
id
This attribute contains a string that identifies a statement group. It is required to be unique within a policy.
short-description
A short human readable description of the statement group, not to exceed 255 characters.
consent
This attribute is used to indicate whether or not a user can simultaneously consent to (or withdraw consent from) all the data usage and recipients referenced in the statements that comprise this group. There are four possible values for this attribute. A value of opt-in indicates that a user can simultaneously opt-in. A value of opt-out indicates that a user can simultaneously opt-out. A value of always indicates that no opt-in or opt-out options are available. A value of mixed indicates that opt-in or opt-out may be available for some or all of the data uses and recipients individually, but users are not able to simultaneously consent to or withdraw consent from all of them. If this attribute is omitted, the default value is mixed.
[xx] sg-extension = "<EXTENSION optional="yes">
                      *[sg-def]
                     </EXTENSION>"
     sg-def       = <STATEMENT-GROUP-DEF id=" [quotedstring] "
                      [consent = " ("opt-in"   |
                                    "opt-out"  |
                                    "always"   |
                                    "mixed")]
                      short-description = " [quotedstring]"
                      xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>"

(Note that the optional attribute does not need to be explicitly included because its default value is yes.)

[NEED TO CHECK BNF SYNTAX AND DECIDE ON NAMESPACE ABOVE AND BELOW!]

A statement can be associated with a statement group. Each statement can have at most one <STATEMENT-GROUP> extension.

<STATEMENT-GROUP>
an optional extension placed inside a STATEMENT element that identifies the statement group to which that statement belongs
id
This attribute contains a string that identifies a statement group that has been defined using a corresponding STATEMENT-GROUP-DEF element.
[xx] sg-extension = "<EXTENSION optional="yes">
                      <STATEMENT-GROUP id=" [quotedstring] "
                      xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
                     </EXTENSION>"

Because P3P 1.0 user agents are unaware of this extension (and thus will ignore it), all statements that belong to statement groups that have consent attributes with values of opt-in, opt-out, or always MUST use the corresponding required attribute on all PURPOSE and RECIPIENTS elements (alternatively, if consent="always" the required attribute may be omitted as its default value is always). Any user agent that relies on this extension MUST check to make sure this requirement has been followed. If a user agent finds an inconsistency between a consent attribute and a required attribute it MUST either ignore the extension altogether or treat the statement group as if its consent value was mixed.

Note that the purpose current and the recipient ours do not take a required attribute and thus cannot be used in statement groups with consent values other than mixed.
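The consistency check required of user agents above, as an added example that is not part of this draft: it implements the second permitted fallback (treating an inconsistent group as mixed). The function names and the sample policy are constructed for illustration, and the code assumes, as in P3P 1.0, that the required attribute sits on the child elements of PURPOSE and RECIPIENT.

```python
import xml.etree.ElementTree as ET

EXT = 'xmlns="http://www.w3.org/2004/01/P3Pv1_1"'  # namespace used in the draft
# Constructed sample policy: "browsing" is consistent; "marketing" declares
# consent="opt-in" but <telemarketing/> defaults to required="always".
SAMPLE = f"""<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1">
 <EXTENSION optional="yes">
  <STATEMENT-GROUP-DEF id="browsing" consent="always"
    short-description="Browsing the site" {EXT}/>
  <STATEMENT-GROUP-DEF id="marketing" consent="opt-in"
    short-description="Marketing mail" {EXT}/>
 </EXTENSION>
 <STATEMENT>
  <EXTENSION optional="yes"><STATEMENT-GROUP id="browsing" {EXT}/></EXTENSION>
  <PURPOSE><admin/></PURPOSE><RECIPIENT><same/></RECIPIENT>
 </STATEMENT>
 <STATEMENT>
  <EXTENSION optional="yes"><STATEMENT-GROUP id="marketing" {EXT}/></EXTENSION>
  <PURPOSE><contact required="opt-in"/><telemarketing/></PURPOSE>
  <RECIPIENT><same required="opt-in"/></RECIPIENT>
 </STATEMENT>
</POLICY>"""


def local(el):
    """Element name without its '{namespace}' prefix."""
    return el.tag.rsplit("}", 1)[-1]


def effective_consent(policy_xml):
    """Map each group id to the consent value a user agent may rely on."""
    root = ET.fromstring(policy_xml)
    consent = {d.get("id"): d.get("consent", "mixed")  # omitted means mixed
               for d in root.iter() if local(d) == "STATEMENT-GROUP-DEF"}
    for stmt in (s for s in root.iter() if local(s) == "STATEMENT"):
        refs = [g.get("id") for g in stmt.iter() if local(g) == "STATEMENT-GROUP"]
        if len(refs) != 1 or consent.get(refs[0], "mixed") == "mixed":
            continue  # ungrouped, several groups, undefined id, or mixed
        for parent in stmt:
            if local(parent) not in ("PURPOSE", "RECIPIENT"):
                continue
            for item in parent:
                # current/ours take no required attribute; others default to always
                if (local(item) in ("current", "ours")
                        or item.get("required", "always") != consent[refs[0]]):
                    consent[refs[0]] = "mixed"  # inconsistency: fall back to mixed
    return consent


if __name__ == "__main__":
    print(effective_consent(SAMPLE))
```
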

Statement groups serve two main purposes:

Statement groups are intended primarily as hints to user agents on how to display P3P policy information to users. As currently specified, they are not intended for use in automated decision-making. For example, user agents cannot make judgments automatically about which statement groups apply to the activities of their users.

<POLICY>
...
 <EXTENSION optional="yes">
  <STATEMENT-GROUP-DEF id="browsing"
  consent = "always" 
  short-description="Browsing the site"
  xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
 </EXTENSION>
...
 <STATEMENT>
 <EXTENSION optional="yes">
  <STATEMENT-GROUP id="browsing"
  xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
 </EXTENSION>
...
 </STATEMENT>
...
</POLICY>