Copyright © 2003 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
The Statement Grouping task force will consider the creation of a
mechanism that will allow Web sites to indicate a set of practices that
can be grouped together based on how the user interacts with the Web site
(e.g. a registered member, a seller on an auction Web site, etc.) and how
opt-in or opt-out choices may be applied to these groups. This document
describes a draft proposal for how to group consent choices. The basic idea
we propose is to add a <STATEMENT-GROUP id="somename" /> extension to the
<STATEMENT> element, where all statements with the same statement-group id
can only be displayed and opted in or out of together. There will also be a
<STATEMENT-GROUP-DEF id="somename" short-description="somename's description" consent="opt-in" />
extension to the <POLICY> element that will define the group description to
be displayed in the user agent's P3P viewer and the consent type for this
practice. The numbering of the sections is the corresponding numbering of the
P3P 1.0 Specification.
This is an editors' draft with no standing.
[We propose that our extensions be included in a new section 3.7]

POLICY extensions

This section describes P3P policy syntax added after P3P 1.0 became a Recommendation. In order to preserve backward compatibility with P3P 1.0, this syntax has been added using the extension mechanism.

GROUP-INFO extension

[The GROUP-INFO extension should be documented here, as per bugzilla 171]

STATEMENT-GROUP-DEF extension and STATEMENT-GROUP extension

The STATEMENT-GROUP-DEF extension is used to define an
identifier and optionally properties that can be applied to a group of
STATEMENT elements using the STATEMENT-GROUP
extension. P3P user agents that understand these two extensions MAY take this
information into account when displaying P3P policy information for users.
For example, statements that belong to the same group might be displayed
together under a single heading.

<STATEMENT-GROUP-DEF>
  STATEMENT element that defines an identifier and optionally properties
  that can be applied to a group of STATEMENT elements
id
short-description
consent
  A value of opt-in indicates that a user can simultaneously opt-in. A
  value of opt-out indicates that a user can simultaneously opt-out. A
  value of always indicates that no opt-in or opt-out options are
  available. A value of mixed indicates that opt-in or opt-out may be
  available for some or all of the data uses and recipients individually,
  but users are not able to simultaneously consent to or withdraw consent
  from all of them. If this attribute is omitted, the default value is
  mixed.

[xx]  sg-extension  =  "<EXTENSION optional="yes"> *[sg-def] </EXTENSION>"
      sg-def        =  <STATEMENT-GROUP-DEF id=" [quotedstring] "
                         [consent = " ("opt-in" | "opt-out" | "always" | "mixed")]
                         short-description = "[quotedstring]"
                         xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>"

(Note that the optional attribute does not need to be explicitly included
because its default value is yes.)

[NEED TO CHECK BNF SYNTAX AND DECIDE ON NAMESPACE ABOVE AND BELOW!]
A statement can be associated with a statement group. Each statement can
have at most one <STATEMENT-GROUP> extension.

<STATEMENT-GROUP>
  STATEMENT element that identifies the statement group to which that
  statement belongs
id
  STATEMENT-GROUP-DEF element.

[xx]  sg-extension  =  "<EXTENSION optional="yes">
                          <STATEMENT-GROUP id=" [quotedstring] " xmlns = "http://www.w3.org/2004/01/P3Pv1_1">
                        </EXTENSION>"

Because P3P 1.0 user agents are unaware of this extension (and thus will
ignore it), all statements that belong to statement groups that have
consent attributes with values of opt-in or opt-out MUST use the
corresponding required attribute on all PURPOSE and RECIPIENT elements.
If consent="always", the required attribute MUST be omitted, as its default
value is always. Any user agent that relies on this extension MUST check to
make sure this requirement has been followed. If a user agent finds an
inconsistency between a consent attribute and a required attribute, it MUST
either ignore the extension altogether or treat the statement group as if its
consent value was mixed.
Note that the purpose current and the recipient ours do not take a required
attribute and thus cannot be used in statement groups with consent values
other than required or mixed.
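
An added example (not part of the draft) of the consistency check a user agent has to make, taking the second permitted fallback: a group whose consent value disagrees with a required attribute is treated as mixed. The sample policy and the function names are constructed for illustration, and the check reads required on the children of PURPOSE and RECIPIENT, as in P3P 1.0.

```python
import xml.etree.ElementTree as ET  # untrusted policies: prefer a hardened parser (e.g. defusedxml)

X = 'xmlns="http://www.w3.org/2004/01/P3Pv1_1"'  # draft namespace used on this page

# Constructed sample policy, abbreviated to the elements the check reads.
SAMPLE = f"""<POLICY>
 <EXTENSION optional="yes">
  <STATEMENT-GROUP-DEF id="browsing" consent="always" short-description="Browsing the site" {X}/>
  <STATEMENT-GROUP-DEF id="club" consent="opt-in" short-description="Frequent-flyer club" {X}/>
 </EXTENSION>
 <STATEMENT>
  <EXTENSION optional="yes"><STATEMENT-GROUP id="browsing" {X}/></EXTENSION>
  <PURPOSE><admin/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
 </STATEMENT>
 <STATEMENT>
  <EXTENSION optional="yes"><STATEMENT-GROUP id="club" {X}/></EXTENSION>
  <PURPOSE><contact required="opt-in"/><individual-analysis required="opt-out"/></PURPOSE>
  <RECIPIENT><same required="opt-in"/></RECIPIENT>
 </STATEMENT>
</POLICY>"""

def local(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]

def effective_consent(policy_xml):
    """Map each statement-group id to the consent value a user agent may rely on."""
    root = ET.fromstring(policy_xml)
    consent = {e.get("id"): e.get("consent", "mixed")  # omitted consent defaults to mixed
               for e in root.iter() if local(e.tag) == "STATEMENT-GROUP-DEF"}
    for stmt in (e for e in root.iter() if local(e.tag) == "STATEMENT"):
        refs = [e.get("id") for e in stmt.iter() if local(e.tag) == "STATEMENT-GROUP"]
        if len(refs) != 1 or consent.get(refs[0], "mixed") == "mixed":
            continue  # ungrouped, undefined group, or nothing to verify
        want = consent[refs[0]]
        for parent in stmt:
            if local(parent.tag) not in ("PURPOSE", "RECIPIENT"):
                continue
            for value in parent:
                if local(value.tag) == "EXTENSION":
                    continue
                required = value.get("required")
                # "always" requires the attribute to be omitted; opt-in/opt-out must match.
                ok = required is None if want == "always" else required == want
                if not ok:
                    consent[refs[0]] = "mixed"  # inconsistent: fall back to mixed
    return consent

if __name__ == "__main__":
    print(effective_consent(SAMPLE))
```

In the sample, the club group declares consent="opt-in" but one purpose carries required="opt-out", so the group is downgraded to mixed while browsing stays always.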
Statement groups serve two main purposes:

  The consent attribute of the statement group enables a
  site to define usages that can only be opted in or out of together. E.g.,
  an opt-in to a frequent-flyer club implies collection of email and phone
  for contact as well as clickstream data for individual analysis.

Statement groups are intended primarily as hints to user agents on how to display P3P policy information to users. As currently specified, they are not intended for use in automated decision-making. For example, user agents cannot make judgments automatically about which statement groups apply to the activities of their users.

    <POLICY>
      ...
      <EXTENSION optional="yes">
        <STATEMENT-GROUP-DEF id="browsing" consent = "always"
            short-description="Browsing the site"
            xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
      </EXTENSION>
      ...
      <STATEMENT>
        <EXTENSION optional="yes">
          <STATEMENT-GROUP id="browsing" xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
        </EXTENSION>
        ...
      </STATEMENT>
      ...
    </POLICY>