Fwd: Re: Differences between P3P policy and full privacy policy

Thank you Lorrie for this careful analysis. I found
the two questions that a company should ask to keep
the P3P and human-readable policies consistent very
useful. Would love to hear how others have handled
potential differences between their P3P and
human-readable policies.

It makes sense to expect that the average user will
take advantage of P3P and not read the full
human-readable policy. As user agent implementations
vary, it is also reasonable to assume that a user may
have set their preferences to summarize the policy at
even higher levels of abstraction. This is outside the
control of the web site privacy policy authors.

Have there been discussions about embedding the full
human-readable policy (rather than offering a link to
it) and always showing the full policy in every
implementation of a user agent?

Sotos

--- Lorrie Cranor <lorrie@research.att.com> wrote:
> From: "Lorrie Cranor" <lorrie@research.att.com>
> To: "Sotos Barkas" <skbarkas@yahoo.com>,
> <www-p3p-policy@w3.org>
> Date: Thu, 7 Dec 2000 16:50:19 -0500
> Subject: Re: Differences between P3P policy and full
> privacy policy
> 
> Good  questions... here is my take... others should
> feel free to jump in too....
> 
> > Unless a site re-writes their formal privacy notice to
> > use the exact P3P vocabulary and model, it is possible
> > that the P3P policy and formal privacy notice are
> > different. It is possible for the P3P policy to be a
> > summary, while the full privacy notice has more
> > information. How significant is it that such
> > differences exist? Would a web site's legal counsel
> > need additional background?
> 
> I think that in most cases the P3P policy will be a
> summary, and the human-readable policy will have
> more information. The important thing is that they
> are consistent. So for example, to take an extreme
> case -- if the human readable policy said the same
> thing as the P3P policy, but had the disclaimer that
> we only abide by this policy for customers who live
> in Zimbabwe -- I think the FTC and most courts would
> find the site to be misleading its customers.
> So I think companies should ask
> - is there anything in our P3P policy that
>   conflicts with what we say in our human-readable
>   policy?
> - are there any qualifications that we make in our
>   human-readable policy but not in our P3P policy
>   that would be likely to mislead people who
>   only look at our P3P policy?
> 
> In general I would expect the extra information in the
> human-readable policy to provide more specific
> details about the policy. The P3P policy may
> say we share data with "legal entities following
> our practices" for example, while the human-readable
> policy might say something like "From time to time
> we may share customer data with carefully selected
> business partners who will treat it with the same 
> degree of care and confidentiality as we do. These
> partners are selected for their ability to offer you
> outstanding savings on premium products."
> 
> There are also some things that we say in the P3P
> spec that the P3P language does not provide enough
> flexibility to express, and therefore, the human-readable
> policy must express them. For example, if a site
> has a data retention policy they can indicate that in
> the P3P policy, but the details must be provided in
> the human-readable policy.
> 
> > If the P3P agent view of a policy is not intended to
> > exactly represent the full privacy policy, how are
> > users educated to the point that P3P should only be a
> > general guide and that they still need to read the
> > full policy?
> 
> That is up to each user agent. But by putting a link
> to the human-readable policy in the P3P policy, we
> make it possible for user agents to offer users a 
> button to jump directly to the site's human-readable
> policy.
> 
> > As a reference, please note that the P3P FAQ (item 8)
> > includes a list of future improvement considerations,
> > one of which is a mechanism for users to explicitly
> > agree to a P3P policy and to establish
> > non-repudiation.
> 
> And certainly the issues you raise will have to be discussed
> in more detail before such improvements are added.
> These future improvements will not show up in P3P version
> 1. If and when we start working on version 2, that's when
> they will be considered.
> 
> Lorrie


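Lorrie's two consistency questions and the link to the human-readable policy, turned into a review aid: this is an added Python example, not code from the thread or from the W3C, that parses a constructed P3P 1.0 policy and lists every element whose substance the human-readable policy has to spell out (recipients, retention, opt-in/opt-out choices) plus a missing discuri. The namespace URI and the sample policy are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the final P3P 1.0 Recommendation (assumed; the 2000 drafts used another URI)
NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy: shares e-mail with "same" recipients, retains it
# per business practices, and lets users opt out of contact.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="https://example.com/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><contact required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><same/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# P3P values that name only a category ("legal entities following our practices",
# "business practices"); the actual partners or retention period live in the prose policy.
NEEDS_DETAIL = {
    "RECIPIENT": {"same", "other-recipient", "unrelated", "delivery", "public"},
    "RETENTION": {"stated-purpose", "legal-requirement", "business-practices", "indefinitely"},
}

def review_points(policy_xml):
    """Return (policy name, statement no, element, value) items to reconcile with the
    human-readable policy; statement no 0 marks policy-level items."""
    points = []
    for pol in ET.fromstring(policy_xml).iter(NS + "POLICY"):
        name = pol.get("name", "")
        # Without a discuri a user agent cannot offer a button to the full prose policy.
        if not pol.get("discuri"):
            points.append((name, 0, "POLICY", "missing discuri"))
        for n, stmt in enumerate(pol.findall(NS + "STATEMENT"), start=1):
            for parent, values in NEEDS_DETAIL.items():
                elem = stmt.find(NS + parent)
                for child in ([] if elem is None else elem):
                    value = child.tag.replace(NS, "")
                    if value in values:
                        points.append((name, n, parent, value))
            # An opt-in/opt-out purpose is only honest if the prose policy says how to exercise it.
            purpose = stmt.find(NS + "PURPOSE")
            for child in ([] if purpose is None else purpose):
                if child.get("required") in ("opt-in", "opt-out"):
                    points.append((name, n, "PURPOSE", child.tag.replace(NS, "") + "/" + child.get("required")))
    return points

if __name__ == "__main__":
    for p in review_points(SAMPLE_POLICY):
        print("%s statement %d: %s %s" % p)
```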

Received on Friday, 8 December 2000 17:58:42 UTC