W3C

P3P Harmonized Vocabulary

W3C Working Draft 26 August 1999

This Version 
http://www.w3.org/TR/1999/WD-P3P-19990826/vocab
Latest Version: 
http://www.w3.org/TR/WD-P3P/vocab.html
Previous Version:
http://www.w3.org/TR/1999/WD-P3P-19990407/vocab
Editor:
Joseph Reagle, W3C, (mailto:reagle@w3.org)


Abstract

This document of the P3P specification specifies the English language semantics for privacy related disclosures such as categories, purpose, identifiable use, recipients, and access.

Status of This Document

This is a subspecification of the P3P specification for review by W3C members and other interested parties. This document has been produced by the P3P Harmonized Vocabulary WG as part of the P3P Activity. While this document will eventually be advanced toward W3C Recommendation status, it is inappropriate to use W3C Working Drafts as reference material or to cite them as other than "work in progress." The underlying concepts of the draft are fairly stable and we encourage the development of experimental implementations and prototypes so as to provide feedback on the specification. However, this Working Group will not allow early implementations to affect their ability to make changes to future versions of this document.

This draft document will be considered by W3C and its members according to W3C process. This document is made public for the purpose of receiving comments that inform the W3C membership and staff on issues likely to affect the implementation, acceptance, and adoption of P3P.

Send comments to www-p3p-public-comments@w3.org (archived at http://lists.w3.org/Archives/Public/www-p3p-public-comments/).


Table of Contents

  1. Introduction
  2. Compliance Requirements
  3. Definitions
  4. Data Categories: a type, or quality of specific data element such as last_name.
  5. Data Collection Purposes:  the purpose of the data collection
  6. Qualifications on Purposes: additional information on how the purpose is realized
  7. General Disclosures: describe the user's capabilities to further understand a service provider's practices
  8. References
  9. Acknowledgements

Introduction

The P3P Specification [P3P] specifies an [XML] / [RDF] application that defines the structure, or grammar, of a P3P proposal. This document, the harmonized vocabulary, describes the terms that fit into the P3P grammar; this process is technically called the "semantic definition of an XML/RDF schema or vocabulary." For example, the P3P specification states that P3P statements must declare the purposes for which data are collected, this document specifies a list of six such purposes and their meaning.

P3P can support multiple schemas. However, P3P is likely to be most effective when a single base vocabulary is widely used since information practice statements are most useful when they can be readily understood by users and their computer agents. Complementary vocabularies may develop to cater to jurisdiction-specific concerns not addressed by the base vocabulary. This can be easily accomplished through the XML-namespace [XML-names] facility, which allows tags from different XML schemas to be intermixed. However, the semantics of this specification always dominate those of an external namespace. For instance, someone cannot place an attribute within a proposal that says "and this proposal is void on Tuesdays" and argue this excuses them from the semantics defined in the P3P specification.

Therefore, this document includes a base set of vocabulary elements useful for expressing privacy policies reflective of a diversity of privacy laws, self-regulatory norms, and cultural notions about privacy. This vocabulary can be used to express policies as diverse as anonymous browsing to the provision of personalized Web content and services. However, P3P implementations need not restrict themselves solely to vocabularies defined within this document.

Note, in addition to the terms specified in the harmonized vocabulary, P3P requires services to specify in their proposals the service provider's identity (entity), an experience space to which their practices apply (e.g., realm: http://www.w3.org), the location at which users can find a human-readable explanation of the service's privacy policies (discURI) and an optional human-readable description of the result (e.g., consequence: "to offer customized sports updates"). In addition, services may specify an "assuring party" that attests that the service provider will abide by its proposal (assurance), follow guidelines in the processing of data, or other relevant assertions. Entity, realm, discURI, consequence, and assurance elements are fully specified in the P3P Syntax Specification.

Security issues and protocols are not addressed by this document. Information about the characteristics and strength of those protocols is critical to a user's decision regarding the transmission of information. However, an assumption of P3P is that communication and storage security is achieved through means other than P3P itself (such as SSL).

Legal issues regarding law enforcement demands for information are not addressed by this document. It is possible that a service provider that otherwise abides by its proposal of not redistributing data to others may be required to do so by force of law.

In this document we introduce the specific terms of the harmonized vocabulary along with their defintions. The words in square brackets next to each term designate an abbreviated version of the term used in XML/RDF representations.
Comment: Much of the work done on this schema was conducted under significant time pressure. Accordingly, there is interest from members of the working group to have some of these issues revisited in the future by the W3C or other entities as appropriate.

2 Compliance Requirements

This specification is a representation of a rough, inclusive consensus from the Harmonization WG -- meaning that which is specified is recommended as a minimal set of terms. The recommendation and requirements are offset in a colored table. Requirements are expressed over variables which the WG thinks values must be defined for in order to be a valid P3P proposal. Products must support the ability to parse and act upon all the variables defined, though we do not specify the way such values need to be acted upon or presented in a graphical user interface; these are left to implementations and user configuration -- which is addressed in the P3P Implementation Guide.

2.1 Nature of Disclosures

To simplify practice declaration, service providers may aggregate any of the disclosures (purposes, recipients, and identifiable use) within a statement over data elements. Service providers MUST make such aggregations as an additive operation. For instance, a site that distributes your age to ours (ourselves and our agents), but distributes your zip code to published (unrelated third parties or public fora), MAY say they distribute your name and zip code to ours and published. Such a statement appears to distribute more data than actually happens. It is up to the service provider to determine if their disclosure deserves specificity or brevity.

Also, one must always disclose all options that apply. Consider a site with the sole purpose of collecting information for the purposes of contact (Contacting Visitors for Marketing of Services or Products). Even though this is considered to be for the current (Completion and Support of Current Activity) purpose, the site must state both contact and current purposes. Consider a site which distributes information to ours in order to redistribute it to published, the site must state both ours and published recipients.

Definitions

Equable Practice
A practice that is very similar to another in that the purpose, recipients, and identifiable use are the same or more constrained than the original, and the other disclosures are not substantially different. For example, two sites with otherwise similar practices that follow different -- but similar -- sets of industry guidelines.
Identifiable Use
The use of information relating to an individual that identifies that individual -- this may include linking information with personally identifiable information from other sources or combining information so as to infer a person's identity.
Personally Identifiable Data
Any information relating to an identified or identifiable individual. Note that this vocabulary uses a broader term -- Identifiable Use -- that focuses on the way information is used.
Purpose
The reason(s) for data collection and use.
Practice / Statement
The set of disclosures and (optional) solicitations regarding data usage, including purpose, identifiable use, recipients and other disclosures.
Proposal
A collection of one or more privacy statements together with information asserting the identity, URI, assurances, and disclosures of the service covered by the proposal.
Service Provider (Data Controller, Legal Entity)
The person or organization which offers information, products or services from a Web site, collects information, and is responsible for the representations made in a practice statement.

Data Categories

A data category is a quality of a data element that may be used by the user's agent to determine what type of element is under discussion.
Status Optional: Service providers MAY use data categories to describe data elements or data sets. If a service provider requires a representation of data that is not otherwise referenceable in an easily understood way, we recommend the following terms be used according to their corresponding definitions.

Physical Contact Information [physical]
Information that allows an individual to be contacted or located in the physical world -- such as phone number or address. 
Online Contact Information [online]
Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network. (See Computer Information
Unique Identifiers [uniqueid]
Non-financial identifiers issued for purposes of consistently identifying the individual -- such as SSN or Web site IDs. 
Financial Account Identifiers [financial]
Identifiers that tie an individual to a financial instrument, account, or payment system -- such as a credit card or bank account number. 
Computer Information [computer]
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system. 
Navigation and Click-stream Data [navigation]
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page. 
Interactive Data [interactive]
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, logs of account activity, or purchases made on the Web. 
Demographic and Socio-economic Data [demograph]
Data about an individual's characteristics -- such as gender, age, and income. 
Preference Data [pref]
Data about an individual's likes and dislikes -- such as favorite color or musical tastes. 
Content [content]
The words and expressions contained in the body of a communication -- such as the text of email, bulletin board postings, or chat room communications. 
State Management Mechanisms [state]
Mechanisms for maintaining a stateful session with a user or automatically identifying users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
Other [other]
Other types of data not captured by the above definitions. (A human readable explanation should be provided in these instances.)

* Note: The Computer, Navigation, Interactive and Content categories can be distinguished as follows. The Computer category includes   information about the user's computer including IP address and software configuration. Navigation data describes actual user behavior related to browsing. When an IP address is stored in a log file with information related to browsing activity, both the Computer category and the Navigation category should be used. Interactive Data is data actively solicited to provide some useful service at a site beyond browsing. Content is information exchanged on a site for the purposes of communication.

The Other category should be used only when data is requested that does not fit into any other category.

Purposes Defined

The following specifies and defines a set of six purposes for data processing relevant to the Web.
Status Required: Service providers MUST use the following terms to explain the purpose of data collection. Service providers MUST disclose all that apply. If a service provider does not disclose that a data element will be used for a given purpose, that is a representation that data will not be used for that purpose. Service providers that disclose that they use data for "other" purposes MUST provide human readable explanations of those purposes.

Completion and Support of Current Activity  [current]
The use of information by the service provider to complete  the activity for which it was provided, such as the provision of information, communications, or interactive services -- for example to return the results from a Web search, to forward email, or place an order.
Web Site and System Administration [admin]
The use of information solely for the technical support of the Web site and its computer system. This would include processing computer account information, and information used in the course of securing and maintaining the site.
Customization of Site to Individuals [custom]
The use of information to tailor or modify the content or design of the site to the particular individual.
Research and Development [research]
The use of information to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual. 
Contacting Visitors for Marketing of Services or Products [contact]
The use of information to contact the individual for the promotion of a product or service. This includes notifying visitors about updates to the Web site.
Other Uses [other]
The use of information not captured by the above definitions. (A human readable explanation should be provided in these instances.) 

Purpose Qualifiers

Qualifiers are appended to a purpose to provide additional information on how the purpose is realized with respect to a data element or set of data elements.

Identifiable Use [ID]
Is data used in a way that is personally identifiable -- including linking it with personally identifiable information from other sources?  While some data is obviously identifiable (such as full name), other data (such as zip code, salary, or birth date) could allow a person to be identified depending on how it is used. Also, a technically astute person in some circumstances could determine the identity of a user from the IP number in a HTTP log. This requires a specific effort and is based on how that IP number is registered, whether it is used by more than one person on a computer, or if it is dynamically allocated by an internet service provider. Consequently, we refrain from defining any particular data or set of data as personally identifiable and instead focus on whether data is used in an identifiable way. Thus identifiable use applies to data commonly considered to be personally identifiable as well as other data that is used in an identifiable way.
Status Required: Services MUST disclose one of the values of the Identifiable qualifier.
Non-identifiable [nonid]
Identifiable [id]
Recipients (Domain of Use) [RECPNT]
The recipients defines an organizational area, or domain, beyond the service provider and its agents where data may be distributed.
Status Required: Services must disclose all the Recipients that apply

Comment: Creating a set of values which are simple, informative to the user, and accurate for service provider representations is very challenging and the WG is not completely satisfied with the results. For instance, the issue of transaction facilitators, such as shipping or payment processors, who are necessary for the completion and support of the activity but may follow different practices was problematic. As it stands, such organizations should be represented in whichever category most accurately reflects their practices with respect to the original service provider.

Ourselves and/or our agents [ours]
Ourselves and our agents. We define an agent in this instance as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., The service provider and its printing bureau which prints address labels and does nothing further with the information.)
Organizations following our practices [same]
Organizations who use the data on their own behalf under equable practices. (e.g., Consider a service provider that grants the user access to collected personal information, they also provide it to a partner who uses it once but discards it. Since the recipient, who has otherwise similar practices, cannot grant the user access to information that it discarded, they are considered to have equable practices.) 
Organizations following different practices [other]
Organizations that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices. (e.g. The service provider collects data that is shared with a partner who may use it for other purposes. However, it is in the service providers interest to ensure that the data is not used in a way that would be considered abusive to the users' and its own interests.) 
Unrelated third parties or public fora [published]
Organizations or fora whose data usage practices are not known by the original service provider. (e.g. data is provided as part of a commercial CD-ROM directory, or it is posted on a public on-line Web directory.) 

General Disclosures

The following are general disclosures about the policies of the service provider. Further information on the policies would be found at the discURI.

Access to Identifiable Information [ACCESS]
the ability of the individual to view identifiable information and address questions or concerns to the service provider.
Status Required: Service providers must disclose all Access capabilities that apply. The methods of access is not specified. This disclosure applies to the identifiable use disclosure. Any disclosure is not meant to imply that access to all data is possible, but that some of the data may be accessible and that the user should communicate further with the service provider to determine what capabilities they have. 

Comment: Service providers may also wish to provide capabilities to access to information collected through means other than the Web at the discURI. However, the scope of P3P statements are limited to data collected through HTTP or other Web transport protocols. Also, if access is provided through the Web we recommend the use of strong authentication and security mechanisms for such access, however security issues are outside the scope of this document.

Identifiable Data is Not Used [nonid]
[this should be consistent with the use of the identifiable qualifier].
Identifiable Contact Information [contact]
access is given to identifiable online and physical contact information (e.g., users can access things such as a postal address).
Other Identifiable Information [other_ident]
access is given to other information linked to an identifiable person. (e.g., users can access things such as their online account charges).
Indentifiable Contact Information and Other Identifiable Information [contact_and_other]
access is given to identifiable online and physical contact information aw well as to other information linked to an identifiable person.
None [none]
no access to identifiable information is given.
Assurance (Accountability)
Does the site have an assuring party that attests that the service will abide by its proposal, follows guidelines in the processing of data, or other relevant assertions. Assurance may come from the service provider or an independent assuring party.
Status Required (but specified elsewhere): A required version of this disclosure is implemented through the assurance field, defined in the P3P1.0 specification. 

Comment: We expect this field can be used in a number of ways, from representing that one's privacy practices are self assured, audited by a third party, or under the jurisdiction of a regulatory authority.

Other_Disclosures [OTHER]
Are Disclosures Made with respect to the following:
Status Optional: If a site wishes to signify in a proposal that it makes a disclosure about change_agreement, or retention, it may do so with the following. No disclosure means that the service provider makes no representation of a policy on that topic. 

Comment: Some members of the working group felt that 1) disclosures could be made about other topics such as security (see the purpose section), 2) more specific values should be provided, and 3) that such disclosures should be required. However, a strong consensus for this could not be reached in the available time.

Change Agreement [change_agreement]
Does the service provider make a disclosure regarding the capability for the user to cancel, or renegotiate the existing agreement at a future time?
Retention [retention]
Does the service provider make a disclosure on how long data is retained?

References

[P3P]
Marchiori M. and Jaye D. Platform for Privacy Preferences (P3P) Syntax Specification. World Wide Web Consortium. ?-?-1998 (Working Draft)
[RDF]
O. Lassila, R. Swick. " Resource Description Framework (RDF) Model and Syntax Specification," World Wide Web Consortium. 22 February 1999 (Recommendation)
[XML-names]
T. Bray, D. Hollander, A. Layman. "Namespaces in XML." World Wide Web Consortium. 14-January-1999. (Recommendation).
[XML]
T. Bray, J. Paoli, C. M. Sperberg-McQueen. "Extensible Markup Language (XML) 1.0 Specification," World Wide Web Consortium. 10-February-1998. (Recommendation)

Acknowledgements (Non-normative)