Re: Implementing p3p

You have a choice. If you have two policies, the policy for the 
listserv pages should mention the listservs AND the web server logs and 
cookies (if you use cookies on those pages). The other policy would not 
mention the listservs. It is easier to administer a single policy that 
discloses all your practices in one policy. However, if you want to 
make it clear that you don't collect PII anywhere except on the 
listserv pages then you will want to have two policies.

I hope that helps!

Lorrie


On Feb 24, 2004, at 1:09 PM, Hamblin, Shelia wrote:

> Hello,
>
> I am trying to implement p3p on our federal website, but I am not sure 
> how best to do it.  We collect the usual web logs and we set session 
> cookies, but we also have pages that allow people to join listservs.  
> The question I have is should I combine all of these into one policy, 
> or separate them?  If I combine them, then I have to choose (in the 
> <ACCESS> field) whether we collect personally identifiable information 
> or not, which for the most part we don't.  If I create a separate 
> policy for the listservs, then this policy does not discuss the web 
> logs or cookies on our site.  Other federal agencies seem to be using 
> only one policy, but I'm not sure if this is correct.  Any help is 
> greatly appreciated.
>
> Thanks,
> Shelia Hamblin
> US Department of Education
> OCIO/Development Services Group
> (202) 205-2140
>
--
Lorrie Faith Cranor <http://lorrie.cranor.org/>
(Note, as of Dec 2003 I'm at Carnegie Mellon University)
P3P Specification Working Group Chair <http://www.w3.org/p3p/>
Book: Web Privacy with P3P <http://p3pbook.com/>

Received on Tuesday, 24 February 2004 13:19:06 UTC
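
Added example, not part of the original messages: a sketch of how the two-policy option in the reply maps onto a P3P 1.0 policy reference file, with a resolver that reports which policy covers a given path and which paths are left uncovered. The file paths, policy names and the helper functions `policy_for` and `uncovered` are hypothetical, and the embedded XML is constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p3p": "http://www.w3.org/2002/01/P3Pv1"}

# Constructed policy reference file; paths and policy names are hypothetical.
POLICY_REF_FILE = """\
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#listserv">
      <INCLUDE>/listserv/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/listserv/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""

def _matches(pattern, path):
    # In these URI patterns only '*' is special; it matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def policy_for(path, ref_xml=POLICY_REF_FILE):
    """Return the 'about' URI of the first POLICY-REF covering path, or None."""
    root = ET.fromstring(ref_xml)
    for ref in root.iterfind(".//p3p:POLICY-REF", NS):
        includes = [e.text.strip() for e in ref.findall("p3p:INCLUDE", NS)]
        excludes = [e.text.strip() for e in ref.findall("p3p:EXCLUDE", NS)]
        included = any(_matches(p, path) for p in includes)
        excluded = any(_matches(p, path) for p in excludes)
        if included and not excluded:
            return ref.get("about")
    return None

def uncovered(paths, ref_xml=POLICY_REF_FILE):
    """Paths that no policy covers: a disclosure gap to fix before publishing."""
    return [p for p in paths if policy_for(p, ref_xml) is None]

if __name__ == "__main__":
    for p in ("/index.html", "/listserv/join.html"):
        print(p, "->", policy_for(p))
```

The resolver only shows which policy applies to which pages; as the reply notes, the listserv policy itself still has to disclose the web server logs and any cookies used on those pages.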