P3P Consent/Choices Definition Mechanism

The following is a proposal for future work on P3P submitted following the November 2002 Workshop on the Future of P3P

Purpose and Scope

Currently, data subjects opt-in or opt-out to elements within a statement. For example, they can opt-out of a certain recipient for a given set of statements and retention policies. This implies that they automatically opt-in or opt-out to the resulting cross product with this recipient and all purposes and retentions. This is usually not what a user wants. In practice, a customer usually opts in for a abstract textual description that reflects many uses.

Since opt-in and opt-out usually corresponds to certain business processes in an organization that require multiple data elements for multiple purposes, it is advisable to introduce `consent blocks' that enable to opt-in or opt-out to a set of statements. This can be formalized by named consent descriptors that can be opt-in or opt-out and describe (in text) what the consent means. Each statement can then specify a consent descriptor. If this particular consent has been given, the statement is applicable. Otherwise, it is not applicable.

If P3P wants to specify a format for _collecting_ consent in P3P 2.0, we'd be willing to contribute as well. Collecting consent would require elements that fix primary and secondary recipients and purposes.


  1. Matthias Schunter
  2. Elaborate our proposal to express consent choices in P3P 1.1
  3. Discussions with the P3P 1.1 working group

Matthias Schunter

Last update $Date: 2003/05/23 13:58:13 $ by $Author: rigo $