Here is one use case: Data Subject (Jane) visits Data Steward's website. At the bottom of the page, a Privacy Commons (PC) logo identifies Steward's privacy policy. Clicking on the logo takes Jane to privacycommons.org, where she can access human-readable, lawyer-readable, and possibly machine-readable versions of Steward's PC Policy. Jane can decide whether she likes the policy, and browses other model policies. She chooses a policy that represents her own minimum privacy requirements by dragging a machine-readable link to her browser. The browser now automatically checks each website visited against her PC Policy choices.
Jane returns to Steward's website. The browser compares Steward's PC Policy and Jane's PC Policy, and indicates that it meets her minimum requirements. Jane spends 10 minutes browsing, and decides to sign up for a newsletter and make a purchase. At the time of purchase or sign-up, she clicks a box indicating "I agree to be bound by and accept the benefits of Steward's PC Policy. By clicking yes, you are entering into a contract with Steward pursuant to the terms of the Privacy Policy." She clicks yes, and makes the purchase by entering her e-mail address, physical address, credit card number, and phone number.
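The browser-side comparison in this use case is a policy-matching check: the site's machine-readable policy is satisfied only if, for every category of data it collects, the terms are no looser than the user's chosen minimum. The following is an added illustration, not code from Privacy Commons or from any browser. The policy structure (categories, purposes, retention, third-party sharing) and the sample policies for Steward and Jane are constructed assumptions; the page specifies no schema. The second function shows the limit of such a check: data collected later over the phone that the policy never declared is invisible to it.

```python
"""Illustrative policy-matching check of the kind described in the use case.

The policy format is an assumption for illustration only; it is not a real
Privacy Commons schema, nor P3P/APPEL. A policy maps a data category to the
terms under which that category is handled.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Terms:
    purposes: frozenset            # e.g. {"order-fulfilment", "newsletter"}
    retention_days: int            # how long the steward keeps the data
    shared_with_third_parties: bool


@dataclass
class Policy:
    name: str
    terms: dict                    # category -> Terms


# Constructed sample policies (assumed, not taken from the page).
STEWARD_POLICY = Policy("Steward PC Policy", {
    "email": Terms(frozenset({"order-fulfilment", "newsletter"}), 365, False),
    "postal-address": Terms(frozenset({"order-fulfilment"}), 365, True),  # given to the carrier
    "card-number": Terms(frozenset({"payment"}), 30, False),
    "phone": Terms(frozenset({"order-fulfilment"}), 365, False),
})

# Jane's minimum requirements, expressed as the loosest terms she will accept per category.
JANE_MINIMUM = Policy("Jane's minimum", {
    "email": Terms(frozenset({"order-fulfilment", "newsletter"}), 730, False),
    "postal-address": Terms(frozenset({"order-fulfilment"}), 730, True),
    "card-number": Terms(frozenset({"payment"}), 90, False),
    "phone": Terms(frozenset({"order-fulfilment"}), 730, False),
})


def meets_minimum(site: Policy, user: Policy) -> list:
    """Return the list of violations; an empty list means the site policy meets the user's minimum.

    A site clause satisfies the user's clause for the same category when its purposes are a
    subset of the user's, it retains the data no longer, and it shares with third parties only
    if the user permits sharing. A category the site collects that the user never consented to
    is itself a violation.
    """
    violations = []
    for category, site_terms in site.terms.items():
        user_terms = user.terms.get(category)
        if user_terms is None:
            violations.append(f"{category}: collected but not permitted by user policy")
            continue
        extra = site_terms.purposes - user_terms.purposes
        if extra:
            violations.append(f"{category}: unpermitted purposes {sorted(extra)}")
        if site_terms.retention_days > user_terms.retention_days:
            violations.append(
                f"{category}: retained {site_terms.retention_days}d > {user_terms.retention_days}d")
        if site_terms.shared_with_third_parties and not user_terms.shared_with_third_parties:
            violations.append(f"{category}: shared with third parties")
    return violations


def undeclared_collection(site: Policy, collected: set) -> set:
    """Categories actually collected that the site policy never declared.

    The browser-side check says nothing about these: they are where the policy, and any
    contract built on it, is silent.
    """
    return set(collected) - set(site.terms)


if __name__ == "__main__":
    # Initial visit: the browser compares the two policies before Jane buys anything.
    print(meets_minimum(STEWARD_POLICY, JANE_MINIMUM))
    # The later phone call: card number again (declared), plus date of birth and a
    # referred friend's contact (never declared in the policy).
    print(undeclared_collection(STEWARD_POLICY, {"card-number", "date-of-birth", "friend-email"}))
```

The comparison is deliberately one-directional: the user's policy is an upper bound on what the site may do, so a site that collects less, keeps data for less time, or shares less always passes. Anything the site later collects outside its declared categories (here, the date of birth and the friend's details) falls outside both the automated check and the declared terms, which is exactly the gap the questions below turn on.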
Three days later she calls to check the status of her order. Over the phone, she confirms her credit card number, gives her date of birth, and refers a friend.
This hypothetical set of facts raises all sorts of questions and possibilities: Was a contract formed? Does Steward have any enforceable duties to Jane? What rights does her friend have? Is her date of birth also protected? What if there is a breach? And many more…