|P3P 1.0 element definitions and translations - 4 September 2003 DRAFT|
|This draft represents a consensus of the P3P User Agent Task Force. The underlined text in the notes column indicates recent suggestions under consideration by the working group. Proposed revisions and comments are in red. Proposed changes to the P3P spec definitions are in green. A revised version (without the IE6 and Notes columns) will probably get incorporated into the P3P 1.1 specification. Please send feedback to public-p3p at w3.org.|
|P3P Element||P3P Spec Definition||IE6 Translation||Proposed Recommended Plain Language Translation||Notes|
|opturi (attribute of POLICY element)||URI of instructions that users can follow to request or decline to have their data used for a particular purpose (opt-in or opt-out)||Find out how to opt-in or opt-out at [with link to opturi]|
|ENTITY||Identifies the legal entity making the representation of the privacy practices contained in the policy||This policy is issued by: [display all entity information provided by site]||task force prefers "policy is issued by" language to "contact" language because it better reflects the normative definition of entity. Users should get contact info from DISPUTES field|
|ACCESS||the ability of the individual to view identified data and address questions or concerns to the service provider. Service providers MUST disclose one value for the access attribute. The method of access is not specified. Any disclosure (other than <all/>) is not meant to imply that access to all data is possible, but that some of the data may be accessible and that the user should communicate further with the service provider to determine what capabilities they have.||What types of information about myself do I have access to?||Your access to information about you:||(1) task force prefers "you" rather than "I/me" language. (2) task force prefers that headings not be in the form of questions, although a particular user agent implementer might choose to adopt language similar to our recommendation but changing the headings to questions|
|nonident||Web site does not collect identified data.||Personally identifiable information is not collected and therefore is not accessible.||We do not keep any information identified with you|
|all||All Identified Data: access is given to all identified data.||All personally identifiable information.||We give you access to all of our information identified with you|
|contact-and-other||Identified Contact Information and Other Identified Data: access is given to identified online and physical contact information as well as to certain other identified data.||Personally identifiable online and physical contact information, as well as to other information linked to an identifiable person.||We give you access to your contact information and some of our other information identified with you|
|ident-contact||Identifiable Contact Information: access is given to identified online and physical contact information (e.g., users can access things such as a postal address).||Personally identifiable online and physical contact information such as a postal address.||We give you access to only your contact information in our records||There is a typo in the P3P spec. "Identifiable" should be "Identified"|
|other-ident||Other Identified Data: access is given to certain other identified data (e.g., users can access things such as their online account charges).||Certain other information linked to an identifiable person such as online account charges.||We allow you to access some of our information identified with you, but not your contact information|
|none||None: no access to identified data is given.||None.||We do not give you access to our information about you|
|DISPUTES||Describes dispute resolution procedures that may be followed for disputes about a services' privacy practices, or in case of protocol violation. DS: Proposal to change spec defintion to "The service-provider offers or acknowledges the following ways for a user to resolve disputes about the service-provider's privacy practices or alleged protocol violations."||How does this Web site handle disputes about collected data?||Ways to resolve privacy-related disputes with us include:||DS: COMMENT 1: I stil have trouble
understanding what "protocol violations" is supposed mean to
COMMENT 2: I agree with the position that, as a general matter, users and websites can elect a dispute resolution procedure by contract. But I don't think the DISPUTES element & subelements should purport to create such a contract.
REASONS: It seems to me that P3Pstatements constitute unilateral assertionsby a website on how the site agrees to be bound. P3P statements are not well suited to serve as assertions by a website on how its visitors will be bound. A website's statements about rules that it asserts will bind its visitors usually appear in a Terms & Conditions section (e.g., "By using this site you agree that any disputes will be submitted tobinding arbitrations...; any legal actions will be subject to the exclusive jurisdiction of the state andfederal courts in the State of California..." etc.). I propose that the DISPUTES & REMEDIES subelements: (a) Allow a site to express its unilateral commitment to honor the indicated dispute resolution & redress mechanisms. Saying that the site "agrees to" a given resolution method is clearer than the current wording that the user "may" avail herself of a given procedure. or (b) Allow a site to express its opinion of what it is required to do to fulfill a given legal obligation.
Both of these concepts avoid putting the site in the position of presuming to express exclusive options or to offer legal advice-- both of which are perilous for the site.
|service||Individual may complain to the Web site's customer service representative for resolution of disputes regarding the use of collected data. The description MUST include information about how to contact customer service. DS: Proposal to change spec definition to: The service-provider's customer service reprseentative is available to help resolve users' disputes regarding the use of collected data. The description MUST include information about how to contact customer service.||%User Agents display the policies Short Description string here%||[display long description and short description, if provided, with hyperlink to service URI, otherwise display "customer service" with hyperlink to service URI]||DS: QUESTION: Is there a different bewteen "web site," "service," "service-provider," and "company" in the vocabulary?|
|independent||Individual may complain to an independent organization for resolution of disputes regarding the use of collected data. The description MUST include information about how to contact the third party organization.||%User Agents display the policies Short Description string here%||[display long description and short description, if provided, with hyperlink to service URI, otherwise display "independent organization" with hyperlink to service URI]|
Initial:Individual may file a legal complaint against the Web site.
DS: PROPOSAL: [Strike this subelement] As noted above, I believe the spec should enable sites to disclose what they bring to the table as opposed to encouraging them to interpret for users the rights that other authorities grant to the users. I propose that this subelement be stricken.
Final:The Entity making the statement believes that the authority referenced in the description offers recourse for disputes arising in connection with the privacy statement.
|An individual may file a legal complaint against the Web site.||
We believe that the authority referenced offers recourse for disputes arising in connection with the privacy statement. [display long description and short description, if provided, with hyperlink to service URI, otherwise display "legal complaint" with hyperlink to service URI]
|DS: I recommend changing the spec. A website isn't the consumer's attorney, and it's not for the website to say where someone is allowed to file suit (the more likely interpretation of the spec). And a website that wants to use the "court" parameter should not be forced into language that may mislead the consumer into thinking that other choices are not available.|
Disputes arising in connection with the privacy statement will be resolved in accordance with the law referenced in the description.
DS: PROPOSAL: The service-provider acknowledges or expresses its opinion that the indicated laws may affect users' rights or options for resolving disputes about the collected data. Indicated laws MUST be referenced in the description.
Final:The laws or regulations referenced in the description may provide recourse procedures and remedies for disputes arising in connection with the privacy statement.
|%User Agents display the policies Short Description string here%||
Final:We believe that laws or regulations referenced provide recourse and remedies for disputes arising in connection with the privacy statement.[display long description and short description, if provided, with hyperlink to service URI, otherwise display "law" with hyperlink to service URI]
|DS: Same as above. Website cannot
say what laws "will be" used. Website can acknowledge
jurisdiction. COMMENT: In the original wording, from a corporate
counselor persepct, I would advise a client to avoid usingthe
DISPUTES element. From an AAG perspective, if I saw that a company
had listed a value for a DISPUTES subelement and omitted a material
consumer alternative, I would have to question whether the company
had committed consumer fraud by misleading consumers, even if
The proposed language permits an expression thatI would be willing to endorse if I were representinga web-facing company.
Under current laws, for example, it is not a stretch to say that universities, banks, loan companies, mortgage lenders, loan brokers, some travel agents, sellers and manufacturers of vehicles, boats, RVs, etc. should anticipate including the following laws in "DISPUTES:law": Gramm-Leach-Bliley Financial Services Modernization Act (and the related Federal Trade Commission or other federal agency Privacy & Safeguards Rules); HIPAA; Fair Credit Reporting Act; Personal Information Protection and Electronic Documents Act (Canada, eff. 1/1/04); USA Patriot Act secs. 326, 352; Office of Foreign Asset Control transaction reporting regulations; Cailfornia SB 1386 (consumer notification of unauthorized access); federal and state Drivers Privacy Protection Acts; federal and state telemarketing laws; federal and state Unfair and Deceptive Acts & Practices laws; European Union Data Protection Directive; US Department of Commerce Safe Harbor; and the Telephone Consumer Protection Act.
commitment to redress (provided it is not presented as an exclusive
disagree with the position that, without an expression of redress, a
P3P policy is not meaningful. Redress exists whether or not it is
have served as the chief exhibits in enforcement efforts to date
demonstrates that privacy policies have meaning without specifying
From an enforcement point of view, I wouldn't blame a company for avoiding the REMEDIES element if the spec's wording increased the likelihood that the company could unwittingly perpetrate a material omission, as I noted in comments on the DISPUTES element.
From a corporate counsel point of view, I think most corporate counselors would consider themselves duty-bound to advise their clients against specifying REMEDIES, since prospectively binding the company to redress without some other legal mandate or business incentive might constitute a disservice to shareholders.
|correct||Errors or wrongful actions arising in
DS: PROPOSAL: The service-provider will attempt
to rectify errors or consequences arising from a breach of the
QUESTION: Has any company indicated that it would actually be willing to make the broad, prospective commitment expressed in the current spec language?
|money||If the service provider violates its
|law||Remedies for breaches of the policy
statement will be determined based on the law referenced in the human
readable description. DS: PROPOSAL: [For
reasons cited above for "DISPUTES:court", and because "REMEDIES:law"
would duplicate the values assigned to "DISPUTES:law," I propose that
the "law" subelement be stricken. If retained, I propose use of
language similar to that proposed for "DISPUTES:law".]
|NON-IDENTIFIABLE||This element signifies that either no data is collected (including Web logs), or that the organization collecting the data will anonymize the data referenced in the enclosing STATEMENT. In order to consider the data "anonymized", there must be no reasonable way for the entity or a third party to attach the collected data to the identity of a natural person. Some types of data are inherently anonymous, such as randomly-generated session IDs. Data which might identify natural people in some circumstances, such as IP addresses, names, or addresses, must have a non-reversible transformation applied in order be considered "anonymized".||We do not keep any information that could be used to identify you personally|
|PURPOSE||purposes for data processing relevant to the Web.||Why is this information collected?||The ways your information may be used:|
|current||Completion and Support of Current Activity: Information may be used by the service provider to complete the activity for which it was provided, such as the provision of information, communications, or interactive services -- for example to return the results from a Web search, to forward email, or place an order.||Information may be used by the Web site to complete the activity for which it was provided, whether the activity is a one-time event, such as returning the results from a Web search, forwarding an e-mail message or placing an order; or a recurring event, such as providing a subscription service or allowing access to an online address book or electronic wallet.||To provide the service you requested|
|admin||Web Site and System Administration: Information may be used for the technical support of the Web site and its computer system. This would include processing computer account information, information used in the course of securing and maintaining the site, and verification of Web site activity by the site or its agents.||Information may be used for the technical support of the Web site and its computer system. For example, to process computer account information, to secure and maintain the site, or to verify Web site activity by the site or its agents.||To perform web site and system administration|
|develop||Research and Development: Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual.||Information may be used to enhance, evaluate, or otherwise review the Web site, service, product, or market.||For research and development, but without connecting any information to you|
|tailoring||One-time Tailoring: Information may be used to tailor or modify content or design of the site not affirmatively selected by the particular individual where the information is used only for a single visit to the site and not used for any kind of future customization. For example, an online store that suggests other items a visitor may wish to purchase based on the items he has already placed in his shopping basket.||Information may be used to tailor or modify the content or design of the Web site during a single visit to the site. For example, an online store might suggest other items for a visitor to purchase based on items he has already placed in his shopping basket.||To customize the site for your current visit only|
|pseudo-analysis||Pseudonymous Analysis: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying personally-identifiable information (such as name, address, phone number, email address, or IP address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.||Information that is based upon a unique identifier but that cannot be linked to an individual may be used for research, analysis, and reporting. For example, the number of users within a ZIP code.||To do research and analysis in which your information may be linked to an ID code but not to your personal identity|
|pseudo-decision||Pseudonymous Decision: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying personally-identifiable information (such as name, address, phone number, email address, or IP address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. For example, a marketer may tailor or modify content displayed to the browser based on pages viewed during previous visits.||Information that is based upon a unique identifier but that cannot be linked an individual may be used to make a decision that directly affects that individual. For example, an individual within a certain ZIP code is presented with advertisements for companies located in that same ZIP code.||To make decisions that directly affect you without identifying you, for example to display content or ads based on links you clicked on previously|
|individual-analysis||Individual Analysis: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with personally identifiable information for the purpose of research, analysis and reporting. For example, an online Web site for a physical store may wish to analyze how online shoppers make offline purchases.||Information that can be linked to an individual may be used for research, analysis, and reporting. For example, data about the types of and price ranges of products an individual has looked at.||To do research and analysis that uses information about you|
|individual-decision||Individual Decision: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with personally identifiable information to make a decision that directly affects that individual. For example, an online store suggests items a visitor may wish to purchase based on items he has purchased during previous visits to the Web site.||Information that can be linked to an individual may be used to make a decision that directly affects that individual. For example, a Web site might show an individual houses that are within her ability to purchase, regardless of the price range she has researched before.||To make decisions that directly affect you using information about you, for example to recommend products or services based on your previous purchases|
|contact||Contacting Visitors for Marketing of Services or Products: Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. This does not include a direct reply to a question or comment or customer service for a single transaction -- in those cases, would be used. In addition, this does not include marketing via customized Webcontent or banner advertisements embedded in sites the user is visiting -- these cases would be covered by the , and , or and purposes.||Information may be used to contact an individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site.||To contact you through means other than telephone (for example, email or postal mail) to market services or products|
|telemarketing||Contacting Visitors for Marketing of Services or Products Via Telephone: Information may be used to contact the individual via a voice telephone call for promotion of a product or service. This does not include a direct reply to a question or comment or customer service for a single transaction -- in those cases, would be used.||Information may be used to contact the individual via voice telephone for promotion of a product or service.||To contact you by telephone to market services or products|
|other-purpose||Other Uses: Information may be used in other ways not captured by the above definitions. (A human readable explanation should be provided in these instances).||Other Uses: %User Agents display the policies string here%||For other uses: [include site's human, readable explanation; if site omits human-readable explanation say "not described here"]|
|RECIPIENT||the legal entity, or domain, beyond the service provider and its agents where data may be distributed.||Who has access to this information?||With whom we may share your information||TF will recommend to WG to remove "beyond the service provider and its agents" from spec definition for consistency with elements below|
|ours||Ourselves and/or our entities acting as our agents or entities for whom we are acting as an agent: An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)||This Web site, entities for whom it is acting as an agent, and/or entities acting as its agent. An agent in this instance is defined as a third party that processes data only for the completion of the stated purpose, such as a shipping firm or printing service.||Companies that help us fulfill your requests (for example, shipping a product to you), but these companies must not use your information for any other purpose|
|delivery||Delivery services possibly following different practices: Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose. This should also be used for delivery services whose data practices are unknown.||Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose.||Delivery companies that help us fulfill your requests and who may also use your information in other ways|
|same||Legal entities following our practices: Legal entities who use the data on their own behalf under equable practices. (e.g., consider a service provider that grants the user access to collected personal information, and also provides it to a partner who uses it once but discards it. Since the recipient, who has otherwise similar practices, cannot grant the user access to information that it discarded, they are considered to have equable practices.)||Legal entities that have equivalent practices to this Web site.||Companies that have privacy policies similar to ours|
|other-recipient||Legal entities following different practices: Legal entities that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices (e.g., the service provider collects data that is shared with a partner who may use it for other purposes. However, it is in the service provider's interest to ensure that the data is not used in a way that would be considered abusive to the users' and its own interests.)||Legal entities that are constrained by and accountable to this Web site, but may use the data in a way not specified in this Web site s practices.||Companies that are accountable to us, though their privacy policies may be different from ours|
|unrelated||Unrelated third parties: Legal entities whose data usage practices are not known by the original service provider.||Legal entities whose data usage practices are not known by this Web site.||Other companies whose privacy policies are unknown to us|
|public||Public fora: Public fora such as bulletin boards, public directories, or commercial CD-ROM directories.||Public forums such as bulletin boards, public directories, or commercial CD-ROM directories.||People who may access your information from a public area, such as a bulletin board, chat room, or directory|
|RETENTION||the type of retention policy in effect||How long is the information retained?||How long we may keep your information|
|no-retention||Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction. Information MUST be destroyed following this interaction and MUST not be logged, archived, or otherwise stored. This type of retention policy would apply, for example, to services that keep no Web server logs, set cookies only for use during a single session, or collect information to perform a search but do not keep logs of searches performed.||Information is not retained longer than the single online interaction.||We do not keep your information beyond your current online session|
|indefinitely||Indefinitely: Information is retained for an indeterminate period of time. The absence of a retention policy would be reflected under this option. Where the recipient is a public fora, this is the appropriate retention policy. An example of a non-reversible transformation is removing the last seven bits of an IP address and replacing them with zeros. This transformation must be applied to all copies of the data, including those that might be stored on backup media. An algorithm that replaces identified data with unique corresponding values from a table is not considered non-reversible. In addition, a one-way cryptographic hash would not be considered non-reversible if the set of possible data values is small enough that all possible hashed values can be generated and compared with the value that someone is attempting to reverse.||Information is retained for an indeterminate period of time.||We may keep your information indefinitely|
|CATEGORIES||Categories are elements inside data elements that provide hints to users and user agents as to the intended uses of the data.||What kind of information does this Web site collect?||We may collect the following types of information about you|
|physical||Information that allows an individual to be contacted or located in the physical world, such as a telephone number or a postal address.||Name, address, phone number, or other physical contact information|
|online||Online Contact Information: Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network. (See the category "Computer Information")||Information that allows an individual to be contacted or located on the Internet, such as an e-mail address. Often, this information is independent of the specific computer used to access the network.||Email address or other online contact information|
|uniqueid||Unique Identifiers: Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying the individual. These include identifiers issued by a Web site or service.||Unique identifiers issued by a Web site or service for the purpose of identifying an individual over time.||Website login IDs and other identifiers (excluding government IDs and financial account numbers)|
|purchase||Purchase Information: Information actively generated by the purchase of a product or service, including information about the method of payment.||Information generated by the purchase of a product or service, including information about the method of payment.||Information about your purchases, including payment methods|
|financial||Financial Information: Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information. Information about a discrete purchase by an individual, as described in "Purchase Information," alone does not come under the definition of "Financial Information."||Information about an individual's finances, including account status, account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments, including credit cards or debit cards.||Financial information such as accounts, balances, and transaction history|
|computer||Computer Information: Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.||Information about the computer system that the individual is using to access the Internet, such as the IP number, domain name, browser type, or operating system.||Information about the computer you are using, such as its hardware, software, or Internet address|
|navigation||Navigation and Click-stream Data: Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.||Information generated by browsing the Web site, such as which pages are visited, and how long an individual stays on each page.||Which pages you visited on this web site and how long you stayed at each page|
|interactive||Interactive Data: Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.||Information generated from or reflecting explicit interactions with the Web site, such as queries to a search engine, or logs of account activity.||Activities you engaged in at this web site, such as your searches and transactions|
|demographic||Demographic and Socioeconomic Data: Data about an individual's characteristics -- such as gender, age, and income.||Demographic and socioeconomic data, , such as gender, age, and income, not tied to an identifiable person.||Information about social and economic categories that might apply to you, such as your gender, age, income, or where you are from|
|content||Content : The words and expressions contained in the body of a communication -- such as the text of email, bulletin board postings, or chat room communications.||The words and expressions contained in the body of a communication. For example, the text of an e-mail message, bulletin board postings, or chat room communications.||Messages you send to us or post on this site, such as email, bulletin board postings, or chat room conversations|
|state||State Management Mechanisms: Mechanisms for maintaining a stateful session with a user or automatically identifying users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.||Mechanisms, such as HTTP cookies, for maintaining an active connection with an individual or for automatically identifying an individual who has visited a particular site or previously accessed particular content.||Cookies and mechanisms that perform similar functions|
|political||Political Information: Membership in or affiliation with groups such as religious organizations, trade unions, professional associations, political parties, etc.||Information about membership in or affiliation with groups such as religious organizations, trade unions, professional associations, political parties, etc.||Which groups you might be a member of such as religious organizations, trade unions, and political parties|
|health||Health Information: information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.||Information about an individual's physical or mental health, sexual orientation, use of or inquiry into health care services or products, and purchase of health care services or products.||Health information such as information about your medical condition or your interest in health-related topics, services, or products|
|preference||Preference Data: Data about an individual's likes and dislikes -- such as favorite color or musical tastes.||Data about an individual's likes and dislikes, such as favorite color or musical tastes.||Information about your tastes or interests|
|location||Location Data: Information that can be used to identify an individual's current physical location and track them as their location changes -- such as GPS position data.||Information, such as global positioning data, that can be used to identify an individual's current physical location and track him as his location changes.||Information about an exact geographic location, such as data transmitted by your GPS-enabled device|
|government||Government-issued Identifiers: Identifiers issued by a government for purposes of consistently identifying the individual.||Identifiers issued by a government for purposes of identifying an individual over time, such as a driver s license number, social security number, or passport number.||Government-issued identifiers such as social security numbers|
|other-category||Other: Other types of data not captured by the above definitions. (A human readable explanation should be provided in these instances, between the and the tags.)||Other: %User Agents display the policies string here%||Other types of data: [include site's human, readable explanation; if site omits human-readable explanation say "not described here"]|
|optional (attribute of data elements)||indicates whether or not the site requires visitors to submit this data element to access a resource or complete a transaction|
|no||the data element is not optional (it is required)||[append to data element or category] (optional)|
|yes||the data element is optional|
|required (attribute of purpose and recipients elements)||Whether the purpose is a required practice for the site.|
|always||The purpose/recipient is always required; users cannot opt-in or opt-out of this use of their data.|
|opt-in||Data may be used for this purpose/recipient only when the user affirmatively requests this use -- for example, when a user asks to be added to a mailing list. An affirmative request requires users to take some action specifically to make the request. For example, when users fill out a survey, checking an additional box to request to be added to a mailing list would be considered an affirmative request. However, submitting a survey form that contains a pre-checked mailing list request box would not be considered an affirmative request. In addition, for any purpose that users may affirmatively request, there must also be a way for them to change their minds later and decline -- this MUST be specified at the opturi.||[append to purpose/recipient] -- only if you request this|
|opt-out||Data may be used for this purpose/recipient unless the user requests that it not be used in this way. When this value is selected, the service MUST provide clear instructions to users on how to opt-out of this purpose at the opturi. Services SHOULD also provide these instructions or a pointer to these instructions at the point of data collection.||[append to purpose/recipient] -- unless you opt-out|