The following is a proposal for future work on P3P submitted following the November 2002 Workshop on the Future of P3P
Currently, data subjects opt-in or opt-out to elements within a statement. For example, they can opt-out of a certain recipient for a given set of statements and retention policies. This implies that they automatically opt-in or opt-out to the resulting cross product with this recipient and all purposes and retentions. This is usually not what a user wants. In practice, a customer usually opts in for a abstract textual description that reflects many uses.
Since opt-in and opt-out usually corresponds to certain business processes in an organization that require multiple data elements for multiple purposes, it is advisable to introduce `consent blocks' that enable to opt-in or opt-out to a set of statements. This can be formalized by named consent descriptors that can be opt-in or opt-out and describe (in text) what the consent means. Each statement can then specify a consent descriptor. If this particular consent has been given, the statement is applicable. Otherwise, it is not applicable.
If P3P wants to specify a format for _collecting_ consent in P3P 2.0, we'd be willing to contribute as well. Collecting consent would require elements that fix primary and secondary recipients and purposes.
Resources
Last update $Date: 2003/05/23 13:58:13 $ by $Author: rigo $