Copyright © 2003 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
The Statement Grouping task force will consider the creation of a
mechanism that will allow Web sites to indicate a set of practices that
can be grouped together based on how the user interacts with the Web site
(e.g. a registered member, a seller on an auction Web site, etc.) and how
opt-in or opt-out choices may be applied to these groups. This document
describes a draft proposal for how to group consent choices. The basic idea we
propose is to add a <STATEMENT-GROUP id = "somename" /> extension
to the <STATEMENT>
where all statements with the same statement-group id can only be displayed
and opted in or out of together. There will also be the addition of a
<STATEMENT-GROUP-DEF id="somename" short-description="somename's
description" consent = "opt-in" /> extension to the
<POLICY> that will define the group description to be
displayed in the user agent's P3P viewer and the consent type for this
practice. The numbering of the sections is the corresponding numbering of the
P3P 1.0 Specification.
This is an editors' draft with no standing.
[We propose that our extensions be included in a new section 3.7]
POLICY extensions

This section describes P3P policy syntax added after P3P 1.0 became a Recommendation. In order to preserve backward compatibility with P3P 1.0, this syntax has been added using the extension mechanism.

GROUP-INFO extension

[The GROUP-INFO extension should be documented here, as per bugzilla 171]

STATEMENT-GROUP-DEF extension and STATEMENT-GROUP extension

The STATEMENT-GROUP-DEF extension is used to define an
identifier and optionally properties that can be applied to a group of
STATEMENT elements using the STATEMENT-GROUP
extension. P3P user agents that understand these two extensions MAY take this
information into account when displaying P3P policy information for users.
For example, statements that belong to the same group might be displayed
together under a single heading.

<STATEMENT-GROUP-DEF>
    STATEMENT element that defines an
    identifier and optionally properties that can be applied to a group of
    STATEMENT elements
id
short-description
consent
    opt-in indicates that a user can simultaneously opt-in. A
    value of opt-out indicates that a user can simultaneously
    opt-out. A value of always indicates that no opt-in or
    opt-out options are available. A value of mixed indicates
    that opt-in or opt-out may be available for some or all of the data
    uses and recipients individually, but users are not able to
    simultaneously consent to or withdraw consent from all of them. If this
    attribute is omitted, the default value is mixed.

[xx]  sg-extension  =  "<EXTENSION optional="yes">
                        *[sg-def]
                        </EXTENSION>"
      sg-def        =  <STATEMENT-GROUP-DEF id=" [quotedstring] "
                        [consent = " ("opt-in" | "opt-out" | "always" | "mixed")]
                        short-description = "[quotedstring]"
                        xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>"

(Note that the optional attribute does not need to be
explicitly included because its default value is yes.)
[NEED TO CHECK BNF SYNTAX AND DECIDE ON NAMESPACE ABOVE AND BELOW!]
A statement can be associated with a statement group. Each statement can
have at most one <STATEMENT-GROUP> extension.

<STATEMENT-GROUP>
    STATEMENT element
    that identifies the statement group to which that statement belongs
id
    STATEMENT-GROUP-DEF element.

[xx]  sg-extension  =  "<EXTENSION optional="yes">
                        <STATEMENT-GROUP id=" [quotedstring] "
                        xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
                        </EXTENSION>"

Because P3P 1.0 user agents are unaware of this extension (and thus will
ignore it), all statements that belong to statement groups that have
consent attributes with values of opt-in or
opt-out MUST use the corresponding required
attribute on all PURPOSE and RECIPIENTS elements.
If consent="always", the required attribute MUST be
omitted as its default value is always. Any user agent that
relies on this extension MUST check to make sure this requirement has been
followed. If a user agent finds an inconsistency between a
consent attribute and a required attribute it MUST
either ignore the extension altogether or treat the statement group as if its
consent value was mixed.
Note that the purpose current and the recipient
ours do not take a required attribute and thus
cannot be used in statement groups with consent values other
than required or mixed.
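
The consistency check a user agent has to make before relying on a group's consent value can be sketched as follows. This is an added example, not part of the draft; the names effective_consent, find_all and grouped are hypothetical, the sample policy is constructed, and it assumes the P3P 1.0 layout in which required sits on the child elements of PURPOSE and RECIPIENT in the namespace http://www.w3.org/2002/01/P3Pv1. It takes the second permitted fallback, treating an inconsistent group as mixed.

```python
import xml.etree.ElementTree as ET

def find_all(root, name):
    # Match on the local element name, ignoring the XML namespace.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def effective_consent(policy_xml):
    """Return {group id: consent value a user agent may rely on}."""
    root = ET.fromstring(policy_xml)
    # An omitted consent attribute defaults to "mixed".
    declared = {d.get("id"): d.get("consent", "mixed")
                for d in find_all(root, "STATEMENT-GROUP-DEF")}
    effective = dict(declared)
    for stmt in find_all(root, "STATEMENT"):
        refs = find_all(stmt, "STATEMENT-GROUP")
        if len(refs) != 1 or refs[0].get("id") not in declared:
            continue  # ungrouped or unresolvable: outside this example's scope
        gid = refs[0].get("id")
        consent = declared[gid]
        if consent == "mixed":
            continue  # nothing to cross-check
        for box in find_all(stmt, "PURPOSE") + find_all(stmt, "RECIPIENT"):
            for use in box:
                req = use.get("required")
                # consent="always": required must be omitted; otherwise it must match.
                ok = req is None if consent == "always" else req == consent
                if not ok:
                    effective[gid] = "mixed"  # fallback the draft allows
    return effective

# Constructed sample policy (not from the draft).
NS = 'xmlns="http://www.w3.org/2004/01/P3Pv1_1"'

def grouped(gid, body):
    return (f'<STATEMENT><EXTENSION optional="yes"><STATEMENT-GROUP id="{gid}" {NS}/>'
            f'</EXTENSION>{body}</STATEMENT>')

SAMPLE = (
    '<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1"><EXTENSION optional="yes">'
    + "".join(f'<STATEMENT-GROUP-DEF id="{g}" consent="{c}" short-description="{g}" {NS}/>'
              for g, c in [("browsing", "always"), ("club", "opt-in"), ("news", "opt-in")])
    + "</EXTENSION>"
    + grouped("browsing", "<PURPOSE><admin/></PURPOSE><RECIPIENT><ours/></RECIPIENT>")
    + grouped("club", '<PURPOSE><contact required="opt-in"/></PURPOSE>'
                      '<RECIPIENT><same required="opt-in"/></RECIPIENT>')
    # "current" takes no required attribute, so this opt-in group is inconsistent.
    + grouped("news", '<PURPOSE><contact required="opt-in"/><current/></PURPOSE>')
    + "</POLICY>")

print(effective_consent(SAMPLE))
```
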
Statement groups serve two main purposes:
    The consent attribute of the statement group enables a
    site to define usages that can only be opted in to or out of together. E.g.,
    an opt-in to a frequent-flyer club implies collection of email and phone
    for contact as well as clickstream data for individual analysis.

Statement groups are intended primarily as hints to user agents on how to display P3P policy information to users. As currently specified, they are not intended for use in automated decision-making. For example, user agents cannot make judgments automatically about which statement groups apply to the activities of their users.

<POLICY>
  ...
  <EXTENSION optional="yes">
    <STATEMENT-GROUP-DEF id="browsing" consent = "always"
        short-description="Browsing the site"
        xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
  </EXTENSION>
  ...
  <STATEMENT>
    <EXTENSION optional="yes">
      <STATEMENT-GROUP id="browsing"
          xmlns = "http://www.w3.org/2004/01/P3Pv1_1"/>
    </EXTENSION>
    ...
  </STATEMENT>
  ...
</POLICY>