Re: Example of Web Services Providers' Implementation of P3P

There are multiple parts in your question:

1/ If you provide the service for a customer and you have no control
over the data you collect, you are just a data-processor (using the
terms of the EC-Data Protection Directive). This means, you just have to
install the policy of your client on your service or you can point to
their policy in your policy reference file. 

So in this case, the agent does not appear, only the entity actually
collecting the data (by the way of their agent, you) really collects
data. In this case, you implement P3P just with their privacy practices.
This takes a lot of education and explaining, but it is an add-on of
your service.

2/ If you are just providing the service selling it to others, things
get a bit more complex. P3P 1.0 can't express agent relationships.
In fact, there is a relationship between you and your customer that
might even contain provisions about sharing and utilization of data
collected in the context of that service. This is especially annoying in
the case of e.g. ads that are served in the same page. The page is thus
built out of multiple sources. Every source is supposed to have their
own privacy policy (and PRF). 

There is currently work under way to ease the task for user-agents and
to spare round-trips. P3P 1.1 wants to allow site A to express that site
B has an agreement with them. In this case, the user-agent can get all
the privacy metadata with the first set of round-trips. See
http://lists.w3.org/Archives/Public/public-p3p-spec/ for more
information or ask further questions in this list. The initial
description of the issue can be found at:
http://www.w3.org/P3P/2003/03-status.html

Best, 
-- 
Rigo Wenning            W3C/ERCIM
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

On Wed, Nov 12, 2003 at 12:46:05PM -0500, Christian Manzella wrote:
> 
> I'm trying to find a concrete example of a company that provides web
> services, such as web sites, to other companies and how they have
> implemented P3P.  Everything I've read seems to be written with the
> concept that the site owner is also the responsible for the server
> hosting the site, and many examples I've read almost seem to speak as if
> the server only contains one site.
> 
> Any help would be appreciated.
> 
> Christian Manzella
> christian_manzella@reyrey.com
> Reynolds and Reynolds
> 757.233.8324

Received on Wednesday, 12 November 2003 13:46:17 UTC