wording changes related to identifiable from Lorrie Cranor on 2001-04-24 (www-p3p-dev@w3.org from April 2001)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Tue, 24 Apr 2001 16:51:04 -0400
To: <www-p3p-dev@w3.org>, <www-p3p-policy@w3.org>
Message-ID: <05d601c0cd00$775afe40$9816cf87@barbaloot>
The following wording changes will be made to the
P3P spec. These all relate to the terms identify, identifiable,
and related terms. These changes should have limited
impact in practice other than to make things more clear.
However, if your site makes statements in which
the exact definition of PII or any of these related terms is
critical, please read this very carefully.



1.1.3 P3P Policies

Change "P3P policies use an XML encoding of the P3P vocabulary to
identify the legal entity making the ...." to "P3P policies use an XML
encoding of the P3P vocabulary to provide contact information for the
legal entity making the ...."


1.3 Terminology

Remove term "Personally Identifiable Data"

Add term "Identified Data: Data that reasonably can be used by the
data collector to identify an individual."

Change definition of Safe Zone from "Part of a Web site where the
service provider performs only minimal data collection, and any data
that is collected is used only in non-identifiable ways." to "Part of
a Web site where the service provider performs only minimal data
collection, and any data that is collected is used only in ways that
would not reasonably identify an individual."

Change definition of URI from "A Uniform Resource Identifier used to
identify Web resources...." to "A Uniform Resource Identifier used to
locate Web resources...."


2.2.2 HTTP Headers

Change "The policyref URI MUST NOT be used for any other purpose
beyond identifying and referencing P3P policies." to "The policyref
URI MUST NOT be used for any other purpose beyond locating and
referencing P3P policies."


2.3.2.7 The COOKIE-INCLUDE and COOKIE-EXCLUDE elements

Change "If CatalogExample sets a cookie so that it can identify its
customers and observe their behavior on its web site, ...." to "If
CatalogExample sets a cookie so that it can recognize its customers
and observe their behavior on its web site, ...."


2.4.3 The "Safe Zone"

Change "... in which minimal data collection takes place and any data
that is collected is used only in non-identifiable ways." to "... in
which minimal data collection takes place and any data that is
collected is used only in ways that would not reasonably identify an
individual."

Change "In addition, servers SHOULD NOT use in an identifiable way any
information collected while serving a policy file/policy reference
file or responding to a HEAD request." to "In addition, servers SHOULD
NOT use in ways that would reasonably identify an individual any
information collected while serving a policy file/policy reference
file or responding to a HEAD request."

Remove "Note that the safe zone requirements do not say that sites cannot 
keep identifiable information -- only that they SHOULD NOT use in an 
identifiable way any information collected while serving a policy 
file." 


3.1.1 English language policies

Change "... we will only use this information to improve our site and
will not store it in an identifiable way." to "... we will only use
this information to improve our site and will not store it with
information we could use to identify you."


3.2.5 The ACCESS element

Change: "the ability of the individual to view identifiable
information and ...." to "the ability of the individual to view
identified data and ...."

Change defintion of <nonident/> from "Identifiable Data is Not Used"
to "Web site does not collect identified data."

Change defintion of <all/> from "All Identifiable Information: access
is given to all identifiable information." to "All Identified Data:
access is given to all identified data."

Change definition of <contact-and-other/> from "Identifiable Contact
Information and Other Identifiable Information: access is given to
identifiable online and physical contact information as well as to
other information linked to an identifiable person." to "Identified
Contact Information and Other Identified Data: access is
given to identified online and physical contact information as well
as to certain other identified data."

Change definition of <ident-contact/> from "Identifiable Contact
Information: access is given to identifiable online and physical
contact information (e.g., users can access things such as a postal
address)." to "Identifiable Contact Information: access is given to
identified online and physical contact information (e.g., users can
access things such as a postal address)."

Change definition of <other-ident/> from "Other Identifiable
Information: access is given to certain other information linked to an
identifiable person (e.g., users can access things such as their
online account charges)." to "Other Identified Data: access is given
to certain other identified data (e.g., users can access things such
as their online account charges)."

Change definition of <none/> from "None: no access to identifiable
information is given." to "None: no access to identified data is
given."


3.3.3 The NON-IDENTIFIABLE element

Keep as is


3.3.4 The PURPOSE element

Change definition of <pseudo-analysis/> from "... without tying
personally-identifiable information (such as name, address, phone
number, email address, or IP address) to the record." to "... without
tying identified data (such as name, address, phone number, or email
address) to the record." 

Change definition of <pseudo-decision/> from "... without tying
personally-identifiable information (such as name, address, phone
number, email address, or IP address) to the record." to "... without
tying identified data (such as name, address, phone number, or email
address) to the record." 

Change definition of <individual-analysis/> from "... personally
identifiable information ...." to "... identified data ...."

Change definition of <individual-decision/> from "... personally
identifiable information ...." to "... identified data ...."


3.4 Categories

Change definition of <uniqueid/> from "... issued for purposes of
consistently identifying the individual." to "... issued for purposes
of consistently identifying or recognizing the individual."

Change definition of <state/> from "... automatically identifying
users ...." to "... automatically recognizing users ...."


5.5.2 Variable-Category Data Elements/Structures

Change "... where a service declares that cookies are used for
identifying the user .... " to "... where a service declares that
cookies are used to recognize the user .... "

Change "... uses cookies both for identifying the user at this site
...." to "... uses cookies both to recognize the user at this site
...."


Appendix 7: P3P Guiding Principles
Notice and Communication

Change "... identifying the purpose for which personal information is
collected ...." to "... expressing the purpose for which personal
information is collected ...."
Received on Tuesday, 24 April 2001 16:57:21 UTC