Consent Choices Working Draft

How to read this diff:

removed old parts are marked as ~~this one~~
new parts are marked as this one

Mode=HTML: this mode is experimental, errors are probable
Consent Choices Working Draft

The Platform for Privacy Preferences 1.1 (P3P1.1):
Specification of Statement Grouping (WG.SG)

W3C Working Draft 01 11 September 2002

This version:

TBD
$Revision: 1.1 $ on $Date: 2003/05/22 09:45:31 $ GMT by $Author: rigo $

Latest version:

TBD

Previous version:

NA

Editor

Matthias Schunter, IBM

Authors

Jeremy Epling, Microsoft

Lorrie Cranor, AT&T

Matthias Schunter, IBM

Copyright ©2003 W3C^® (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.

Abstract

The Statement Grouping task force will consider the creation of a mechanism that will allow for Web sites to indicate a set of practices that can be grouped together based on how the user interacts with the Web site (e.g. a registered member, a seller on an auction Web site, etc) and how opt-in or opt-out choices may be applied to these groups. This document describes a draft proposal how to group consent choices. The basic idea we propose is to add a <STATEMENT-GROUP id = "somename" /> extension to the <STATEMENT> where all statements with the same statement-group id can only be displayed and opted in or out of together. There will also be the addition of a <STATEMENT-GROUP-DEF id="somename" short-description="somename's description" consent = "opt-in" /> extension to the <POLICY> that will define the group description to be displayed in the user agent's P3P viewer and the consent type for this practice. The numbering of the sections is the corresponding numbering of the P3P 1.0 Specification.

Status of This Document

This is an editors' draft with no standing.

3 Policy Syntax and Semantics

[We propose that our extensions be included in a new section 3.7]

3.7 POLICY extensions

This section describes P3P policy syntax added after P3P 1.0 became a Recommendation. In order to preserve backward compatibility with P3P 1.0, this syntax has been added using the extension mechanism.

3.7.1 GROUP-INFO extension

[The GROUP-INFO extension should be documented here, as per bugzilla 171]

3.7.2 STATEMENT-GROUP-DEF extension and ~~STATMENT-GROUP~~ STATEMENT-GROUP extension

The STATEMENT-GROUP-DEF extension is used to define an identifier and optionally properties that can be applied to a group of STATEMENT elements using the STATEMENT-GROUP extension. P3P user agents that understand these two extensions MAY take this information into account when displaying P3P policy information for users. For example, statements that belong to the same group might be displayed together under a single heading.

<STATEMENT-GROUP-DEF>

an optional extension placed inside a P3P policy before the occurrence of the first STATEMENT element that defines an identifier and optionally properties that can be applied to a group of STATEMENT elements

id

This attribute contains a string that identifies a statement group. It is required to be unique within a policy.

short-description

A short human readable description of the statement group, not to exceed 255 characters.

consent

This attribute is used to indicate whether or not a user can simultaneously consent to (or withdraw consent from) all the data usage and recipients referenced in the statements that comprise this group. There are four possible values for this attribute. A value of opt-in indicates that a user can simultaneously opt-in. A value of opt-out indicates that a user can simultaneously opt-out. A value of always indicates that no opt-in or opt-out options are available. A value of mixed indicates that opt-in or opt-out may be available for some or all of the data uses and recipients individually, but users are not able to simultaneously consent to or withdraw consent from all of them. If this attribute is omitted, the default value is mixed.

[xx]
sg-extension

=

"<EXTENSION ~~optional="yes">~~ optional="yes"> *[sg-def] </EXTENSION>"

sg-def

=

<STATEMENT-GROUP-DEF id=" [quotedstring] " [consent = " ("opt-in" | "opt-out" | "always" | "mixed")] short-description = " ~~[quotedstring]"~~ "[quotedstring]" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>"

(Note that the optional attribute does not need to be explicitly included because its default value is yes.)

[NEED TO CHECK BNF SYNTAX AND DECIDE ON NAMESPACE ABOVE AND BELOW!]

A statement can be associated with a statement group. Each statement can have at most one <STATEMENT-GROUP> extension.

<STATEMENT-GROUP>

an optional extension placed inside a STATEMENT element that identifies the statement group to which that statement belongs

id

This attribute contains a string that identifies a statement group that has been defined using a corresponding STATEMENT-GROUP-DEF element.

[xx]
sg-extension

=

"<EXTENSION ~~optional="yes">~~ optional="yes"> <STATEMENT-GROUP id=" [quotedstring] " xmlns = "http://www.w3.org/2004/01/P3Pv1_1"> </EXTENSION>"

Because P3P 1.0 user agents are unaware of this extension (and thus will ignore it), all statements that belong to statement groups that have consent attributes with values of opt-in, opt-out, or ~~always~~ MUST use the corresponding required attribute on all PURPOSE and RECIPIENTS ~~elements~~ ~~(alternatively,~~ if ~~consent="always"~~ elements. If consent="always" the required attribute ~~may~~ MUST be omitted as its default value is ~~always).~~ always. Any user agent that relies on this extension MUST check to make sure this requirement has been followed. If a user agent finds an inconsistency between a consent attribute and a required attribute it MUST either ignore the extension altogether or treat the statement group as if its consent value was mixed.

Note that the purpose current and the recipient ours do not take a required attribute and thus cannot be used in statement groups with consent values other than required.or mixed.

Statement groups serve two main purpose:

A statement group allows policy authors to describe what sections of their P3P policy apply to different user interactions with their site/service. E.g., an e-commerce site may define one group that describes data collection for web browsing and another group that describes the additional data that is collected when items are bought. This enables a person who just browses the site to be aware that only a small portion of the policy is relevant to him/her.

The consent attribute of the statement group enables a site to define usages that can only be opted in- or out together. E.g., an opt-in to a frequent-flyer club implies collection of email and phone for contact as well as clickstream data for individual analysis.

Statement groups are intended primarily as hints to user agents on how to display P3P policy information to users. As currently specified, they are not intended for use in automated decision-making. For example, user agents cannot make judgments automatically about which statement groups apply to the activities of their users.

<POLICY> ... <EXTENSION ~~optional="yes">~~ optional="yes"> <STATEMENT-GROUP-DEF id="browsing" consent = "always" short-description="Browsing the site" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/> </EXTENSION> ... <STATEMENT> <EXTENSION ~~optional="yes">~~ optional="yes"> <STATEMENT-GROUP id="browsing" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/> </EXTENSION> ... </STATEMENT> ... </POLICY>

The Platform for Privacy Preferences 1.1 (P3P1.1):
Specification of Statement Grouping (WG.SG)

W3C Working Draft 01 11 September 2002

Abstract

Status of This Document

3 Policy Syntax and Semantics

3.7 `POLICY` extensions

3.7.1 `GROUP-INFO` extension

3.7.2 `STATEMENT-GROUP-DEF` extension and STATMENT-GROUP `STATEMENT-GROUP` extension

The Platform for Privacy Preferences 1.1 (P3P1.1): Specification of Statement Grouping (WG.SG)