- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 12 Nov 2003 19:45:58 +0100
- To: Christian Manzella <christian@boatventures.com>
- Cc: www-p3p-policy@w3.org
There are multiple parts in your question:

1/ If you provide the service for a customer and you have no control over the data you collect, you are just a data-processor (using the terms of the EC-Data Protection Directive). This means, you just have to install the policy of your client on your service or you can point to their policy in your policy reference file. So in this case, the agent does not appear, only the entity actually collecting the data (by the way of their agent, you) really collects data. In this case, you implement P3P just with their privacy practices. This takes a lot of education and explaining, but it is an add-on of your service.

2/ If you are just providing the service selling it to others, things get a bit more complex. P3P 1.0 can't express agent relationships. In fact, there is a relationship between you and your customer that might even contain provisions about sharing and utilization of data collected in the context of that service.

This is especially annoying in the case of e.g. ads that are served in the same page. The page is thus built out of multiple sources. Every source is supposed to have their own privacy policy (and PRF). There is currently work under way to ease the task for user-agents and to spare round-trips. P3P 1.1 wants to allow site A to express that site B has an agreement with them. In this case, the user-agent can get all the privacy metadata with the first set of round-trips.

See http://lists.w3.org/Archives/Public/public-p3p-spec/ for more information or ask further questions in this list.

The initial description of the issue can be found at:
http://www.w3.org/P3P/2003/03-status.html

Best,
--
Rigo Wenning            W3C/ERCIM
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

On Wed, Nov 12, 2003 at 12:46:05PM -0500, Christian Manzella wrote:
>
> I'm trying to find a concrete example of a company that provides web
> services, such as web sites, to other companies and how they have
> implemented P3P. Everything I've read seems to be written with the
> concept that the site owner is also the responsible for the server
> hosting the site, and many examples I've read almost seem to speak as if
> the server only contains one site.
>
> Any help would be appreciated.
>
> Christian Manzella
> christian_manzella@reyrey.com
> Reynolds and Reynolds
> 757.233.8324
Received on Wednesday, 12 November 2003 13:46:17 UTC
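
Case 1 of the reply above (a hosting provider pointing to each customer's policy from its own policy reference file), as an added example that is not part of the original message. It builds a P3P 1.0 policy reference file for a shared host and resolves which policy covers a path, using first-match order and `*` wildcards; the customer paths, host names and function names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed tenant map (assumption): (INCLUDE pattern, EXCLUDE patterns, customer's policy URI)
TENANTS = [
    ("/customer-a/*", ["/customer-a/partner/*"], "http://customer-a.example/w3c/policy.xml#main"),
    ("/customer-b/*", [], "http://customer-b.example/w3c/policy.xml#main"),
]

def build_prf(tenants):
    """Return a policy reference file with one POLICY-REF per hosted customer."""
    meta = ET.Element("META", {"xmlns": P3P_NS})
    refs = ET.SubElement(meta, "POLICY-REFERENCES")
    for include, excludes, policy_uri in tenants:
        ref = ET.SubElement(refs, "POLICY-REF", {"about": policy_uri})
        ET.SubElement(ref, "INCLUDE").text = include
        for pattern in excludes:
            ET.SubElement(ref, "EXCLUDE").text = pattern
    return ET.tostring(meta, encoding="unicode")

def matches(pattern, path):
    """P3P local-URI pattern: '*' matches any run of characters, nothing else is special."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, path) is not None

def policy_for(prf_xml, path):
    """Return the policy URI of the first POLICY-REF covering path, or None if uncovered."""
    ns = {"p": P3P_NS}
    root = ET.fromstring(prf_xml)
    for ref in root.findall("p:POLICY-REFERENCES/p:POLICY-REF", ns):
        included = any(matches(e.text, path) for e in ref.findall("p:INCLUDE", ns))
        excluded = any(matches(e.text, path) for e in ref.findall("p:EXCLUDE", ns))
        if included and not excluded:
            return ref.get("about")
    return None  # no policy declared for this path

if __name__ == "__main__":
    prf = build_prf(TENANTS)
    print(prf)
    for p in ("/customer-a/inventory.html", "/customer-a/partner/banner", "/admin/login"):
        print(p, "->", policy_for(prf, p))
```

A path that resolves to `None` is served without any declared policy, so running the resolver over the host's real URL inventory is a quick audit for content (third-party includes, admin pages) that no customer's policy covers.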