W3C

The Platform for Privacy Preferences 1.1 (P3P1.1):
Specification of Consent Choice (WG.CC)

W3C Working Draft 22 May 2002

This version:
TBD
$Revision: 1.1 $ on $Date: 2003/05/22 09:45:31 $ GMT by $Author: rigo $
Latest version:
TBD
Previous version:
NA
Editor
Matthias Schunter, IBM
Authors
Lorrie Cranor, AT&T
Matthias Schunter, IBM

Abstract

The Consent Choices task force will consider the creation of a mechanism that will allow web sites to indicate a set of practices to which opt-in or opt-out choices may be applied as a group. This document describes a draft proposal how to group consent choices. The basic idea we propose is to add a <CONSENT-GROUP id="somename"> extension to the <STATEMENT> where all statements with the same consent-id can only be opted in or out together. The numbering of the sections is the corresponding numbering of the P3P 1.0 Specification.

Status of This Document

This is an editors' draft with no standing.


Table of Contents

  1. Introduction
  2. Statement
    1. Statement that belongs to a Consent Group (P3P 1.1)


1. Introduction

This document describes statement extensions that aim at grouping consent. This is the output of the P3P 1.1 Working Group on Consent Choices (CC). The only change we propose is to add an extension sub-element that can contain an ID of a consent group.

Editor's Note: I am not sure how we want to specify P3P 1.1. I see two choices:

Since I feel that the latter is nicer for the readers, I temporarily opted for this approach, i.e., Section 3.3 is a copy from P3P where I've marked all P3P 1.1 extensions in red.

3.3 Statements

[here go the other sub-chapters of the P3P 1.0 spec]

3.3.7 Statement that belongs to a Consent Group (P3P 1.1)

All statements that contain the same id in their consent-group extensions belong together. This means that either all elements with required="opt-in" or with required="opt-out" can only be opted together. A user may not be allowed by the recipient to opt for a subset of these elements.

<CONSENT-GROUP>
an element inside the <EXTENSION> subelement of a <STATEMENT>. This element that identifies a consent group. Each statement MUST have at most one consent-group extension. A statement with a consent-group extension MUST have only opt-in or opt-out elements.
id
This attribute contains a string that identifies a consent group.
[xx]
cg-extension
=
"<EXTENSION>
  <CONSENT-GROUP id=" quotedstring ">
</EXTENSION>"

For example, an enterprise allows to choose whether your phone and email can be used by yourself for marketing. However, once you allow your data to be used for marketing by itself, the collector requires that you allow it to forward the data to third parties for telemarketing as well.

<STATEMENT>
 <EXTENSION>
   <CONSENT-GROUP id="marketing">
 </EXTENSION>
 <PURPOSE><contact required="opt-in"/></PURPOSE>
 <RECIPIENT><ours required="opt-in"></RECIPIENT>
 <DATA-GROUP>
    <DATA ref="#user.business-info.telecom.telephone" optional="yes"/>
    <DATA ref="#user.home-info.online.email" optional="yes"/>
 </DATA-GROUP>
</STATEMENT>
<STATEMENT>
 <EXTENSION>
   <CONSENT-GROUP id="marketing">
 </EXTENSION>
 <PURPOSE><telemarketing required="opt-in"/></PURPOSE>
 <RECIPIENT><other-recipient required="opt-in"></RECIPIENT>
 <DATA-GROUP>
    <DATA ref="#user.business-info.telecom.telephone" optional="yes"/>
    <DATA ref="#user.home-info.online.email" optional="yes"/>
 </DATA-GROUP>
</STATEMENT>