The World Wide Web Consortium (W3C) has developed a new protocol, called the Platform for Privacy Preferences (P3P), which provides a standard way for Web sites to communicate their privacy policies. P3P includes standard machine-readable privacy policy syntax as well as a simple protocol that Web browsers and other user agent tools can use to fetch P3P privacy policies automatically. P3P-enabled Web browsers allow users to do selective cookie blocking based on site privacy policies, as well as to get a quick “snapshot” of a site’s privacy policies. P3P is already built into the Microsoft Internet Explorer 6 (IE6) Web browser, and a P3P plug-in has been developed by AT&T (see AT&T Plug-in). Hundreds of Web sites have already implemented P3P, and several tools are available to help companies create and manage P3P files.

The P3P specification is still going through the last stages of the W3C process. After a final review by the W3C membership, it is expected to become an official “recommendation” this spring. But Web sites can start implementing P3P today.

How P3P Works

The P3P protocol is a simple extension to the HTTP protocol used by Web browsers. P3P user agents use standard HTTP requests to fetch a P3P policy reference file from a special “well-known location” on the Web site to which a user is making a request. The policy reference file indicates the location of the P3P policy file that applies to each part of the Web site. There might be one policy for the entire site, or several different policies that each cover a different part of the site. The user agent can then fetch the appropriate policy, parse it, and take action according to the user’s preferences.

P3P also allows sites to place policy reference files in locations other than the well-known location. In these cases, the site must declare the location of the policy reference file using a special HTTP header or by embedding a LINK tag in the HTML files to which the P3P policies apply.
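The discovery and lookup just described, as an added example that is not code from the article or from the W3C: a minimal user agent that finds the policy reference file (P3P header, LINK tag, or the well-known location, in that order) and then reads the reference file to decide which policy covers a requested URL. The headers, HTML and the policy reference file are constructed for the example; the well-known location /w3c/p3p.xml, the policyref attribute of the P3P header, the rel="P3Pv1" LINK tag and the P3Pv1 namespace follow the P3P 1.0 specification, and the first-match rule for overlapping POLICY-REF elements is an assumption made here.

```python
# Added example (not code from the article or from the W3C): how a P3P user
# agent locates a site's policy reference file and works out which P3P policy
# covers a given URL. The headers, HTML and reference file below are
# constructed for the example; the well-known location /w3c/p3p.xml, the
# "policyref" attribute of the P3P header, the rel="P3Pv1" LINK tag and the
# P3Pv1 namespace follow the P3P 1.0 specification.
import fnmatch
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

WELL_KNOWN_LOCATION = "/w3c/p3p.xml"
P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy reference file: order pages get their own policy,
# everything else on the host falls under the site-wide policy.
SAMPLE_REFERENCE_FILE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/order-policy.xml#order">
      <INCLUDE>/order/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/site-policy.xml#site">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/order/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""


def find_policy_reference(page_url, headers, html=""):
    """Return the absolute URL of the policy reference file, trying the three
    discovery mechanisms the article describes: a policyref in the P3P
    response header, a LINK tag in the HTML, then the well-known location."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    m = re.search(r'policyref\s*=\s*"([^"]+)"', lowered.get("p3p", ""))
    if m:
        return urljoin(page_url, m.group(1))
    for tag in re.findall(r"<link\b[^>]*>", html, re.I):
        attrs = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', tag)}
        if attrs.get("rel", "").lower() == "p3pv1" and "href" in attrs:
            return urljoin(page_url, attrs["href"])
    return urljoin(page_url, WELL_KNOWN_LOCATION)


def policy_for(reference_xml, reference_url, request_url):
    """Return the absolute URL (with fragment) of the policy covering
    request_url, or None if no POLICY-REF covers it. A POLICY-REF applies when
    the request URL matches one of its INCLUDE patterns and none of its EXCLUDE
    patterns; patterns are resolved relative to the reference file's URL and
    '*' is a wildcard. The first matching POLICY-REF wins (an ordering
    assumption made for this example)."""
    root = ET.fromstring(reference_xml)

    def matches(patterns):
        return any(fnmatch.fnmatchcase(request_url, urljoin(reference_url, p))
                   for p in patterns)

    for ref in root.iter(P3P_NS + "POLICY-REF"):
        includes = [e.text.strip() for e in ref.findall(P3P_NS + "INCLUDE")]
        excludes = [e.text.strip() for e in ref.findall(P3P_NS + "EXCLUDE")]
        if matches(includes) and not matches(excludes):
            return urljoin(reference_url, ref.get("about"))
    return None


def resolve(page_url, headers, html, request_url):
    """End-to-end: discover the reference file, then pick the policy. A real
    agent would GET the reference file; offline we use the constructed one."""
    reference_url = find_policy_reference(page_url, headers, html)
    return reference_url, policy_for(SAMPLE_REFERENCE_FILE, reference_url, request_url)


if __name__ == "__main__":
    page = "http://www.example.com/index.html"
    print(resolve(page, {}, "", "http://www.example.com/order/form.html"))
    print(resolve(page, {"P3P": 'policyref="/p3p/ref.xml"'}, "", page))
```

The EXCLUDE on the site-wide entry is what keeps the two policies from overlapping; without it, a user agent that stops at the first match would still pick the order policy for /order/ pages, but one that expects a single applicable policy would see an ambiguity, which is the kind of problem the validator step later in the article is meant to catch.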
P3P files are encoded using Extensible Markup Language (XML). P3P user agents can read this language, and display information about a site’s P3P policy in English or another human-readable language.

P3P Deployment Overview

Some of the first questions webmasters ask when they are considering deploying P3P on their sites are “how long is this going to take?” and “how difficult is this going to be?” The answers to these questions depend on the details of each particular Web site. A small company that already has a privacy policy posted on its site should be able to deploy P3P in a few hours — the technical work may even take less than 15 minutes. A large company may need to have its attorneys spend time reviewing its P3P policy, and it may need to figure out the best way to deploy P3P on a large number of servers around the world. Companies that provide “third-party” Web services such as advertising agencies and content distribution networks may have some more complicated decisions to make as well. To help estimate how much work it will be to deploy P3P on a particular site, here is an outline of the basic steps involved.

1. Create a privacy policy. The privacy policy needs to include enough detail to be able to use it to create a P3P policy. If there is already a detailed policy for the site, there may still be a few questions to revisit when the P3P policy is created, but most of the difficult work will already have been done. Here are the key points that should be included in a privacy policy that will be used to create a P3P policy:

- The name and contact information for the company or organization.
- A statement about the kind of access provided (can people find out what information is held about them, and if so, how can they access it?).
- A statement about what privacy laws the company complies with, what privacy seal programs it participates in, and other mechanisms available to customers for resolving privacy disputes. This statement may also describe what remedies are offered should a privacy policy breach occur.
- A description of the kinds of data collected, including what kinds of data may be linked to cookies.
- A description of how collected data is used, and whether individuals can opt in to or opt out of any of these uses.
- Information about whether data may be shared with other companies, and if so, under what conditions and whether consumers can opt in to or opt out of this.
- Information about the site’s data retention policy, if any.
- Information about how consumers can take advantage of opt-in or opt-out opportunities.

2. Determine whether there will be one P3P policy for the entire site or different P3P policies for different parts of the site. If the site already has multiple privacy policies, then multiple P3P policies may be in order. For example, some sites have different policies associated with different types of services they offer. Even if the site has a single, comprehensive policy, multiple P3P policies may be needed with respect to various aspects of the site. For example, the site’s privacy policy might include a statement such as, “We do not collect personally identifiable information from visitors except when they fill out a form to order a product from us.” You might wish to create two P3P policies — one for use on most of the site where there are no forms, and the other for use specifically on the parts of the site where visitors fill out forms to order products.

3. Create a P3P policy (or policies) for the site. A P3P policy generator tool can be used to create a P3P policy without learning XML.

4. Create a policy reference file for the site. Most of the policy generator tools will also help create a policy reference file.

5. Configure the Web server for P3P. On most sites, this can be done by simply placing the P3P policy and policy reference files on the Web server in the proper locations. However, some sites will want to configure their servers to send a special P3P header with every HTTP response, and some will want to add LINK tags to their HTML content. Some sites will also want to send compact versions of P3P policies with set cookie requests.

6. Test the site to make sure it is properly P3P enabled. The W3C P3P Validator tool can be used to test a site and report back a list of any problems it finds. Of course, this tool cannot verify that a P3P policy matches a privacy policy or that either policy conforms to actual practices. But it can make sure that policy and policy reference files are syntactically correct and that everything has been configured properly. There is a W3C P3P Validator at W3C P3P.

Generating a P3P Policy and Policy Reference File

The easiest way to create a P3P policy and policy reference file is usually to use a P3P policy generator or editor tool. One good P3P policy generator is the P3P Policy Editor from IBM. This tool features a drag-and-drop interface that allows editing of P3P policies by dragging icons representing P3P data elements and data categories into an editing window. The tool also has pop-up windows for setting the properties associated with each data element (purpose, recipient, etc.) and for filling out general information about the site’s privacy practices. The XML that has been created can be viewed as each data element is added, as well as a corresponding human-readable version of the policy. There is also a useful errors tab, which indicates problems with the policy, such as leaving out information from required fields. The tool comes with good documentation and a set of templates for typical Web sites. What’s more, this tool can create policy reference files. It is available free from the IBM alphaWorks Web site at IBM Alphaworks.
Compact Policies

P3P-enabled Web sites have the option of providing short summaries of their policies with respect to cookies in HTTP response headers that set cookies. These compact policies are provided in addition to a site’s full P3P policies, and are designed as an optimization to allow cookie processing to proceed at the same time that a full P3P policy is being evaluated. Sites can use compact policies only if they set cookies. While the compact policy is entirely optional for P3P-enabled Web sites, note that IE6 relies heavily on the compact policy. Many sites that set “third-party” cookies and do not use P3P compact policies are finding that IE6 blocks their cookies.

Simple P3P-Enabled Web Site Example

Many sites, including personal home pages and sites designed primarily to provide information (as opposed to those designed to sell things or provide interactive services), have simple privacy policies. They tend to collect minimal amounts of data, and generally will either commit to using that data in very limited ways, or make no commitment that might limit future use of that data. Furthermore, for these simple sites one P3P policy is probably sufficient for the entire site. For more information about P3P, see P3P.

Dr. Lorrie Faith Cranor is a principal technical staff member at AT&T Labs-Research in Florham Park, N.J. She chairs the P3P Specification Working Group at the World Wide Web Consortium and is author of a forthcoming O’Reilly book on P3P. She can be contacted through her Web site at Lorrie Cranor.
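The compact policy mechanism from the Compact Policies section, together with deployment step 5 (sending a P3P header and compact policies with cookies), as an added example that is not code from the article: the server side builds the Set-Cookie response with a P3P header, a deployment lint flags a compact policy on a response that sets no cookie and a cookie set without one, and the user-agent side applies the behaviour the article attributes to IE6, blocking a third-party cookie that arrives without a compact policy. The cookie values, hostnames and the sample tokens NOI, DSP and COR are constructed for the example; the P3P header syntax (policyref="...", CP="...") follows the P3P 1.0 specification.

```python
# Added example (not code from the article): a Web server emitting a P3P
# compact policy alongside a Set-Cookie header, and a user agent applying the
# behaviour the article attributes to IE6, blocking a third-party cookie that
# arrives without a compact policy. The cookie values, hostnames and the
# sample compact-policy tokens are constructed for the example; the P3P header
# syntax (policyref="...", CP="...") follows the P3P 1.0 specification.
import re
from urllib.parse import urlparse


def build_set_cookie_response(cookie, compact_policy=None, policyref="/w3c/p3p.xml"):
    """Server side: headers for a response that sets a cookie. compact_policy
    is a list of compact-policy tokens; None sends no CP attribute."""
    p3p = f'policyref="{policyref}"'
    if compact_policy:
        p3p += ', CP="' + " ".join(compact_policy) + '"'
    return {"Set-Cookie": cookie, "P3P": p3p}


def compact_policy_tokens(headers):
    """User-agent side: tokens from the CP attribute of the P3P header, or
    None when the response carries no compact policy."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', lowered.get("p3p", ""))
    return m.group(1).split() if m else None


def lint_response(headers):
    """Deployment check: compact policies belong only on responses that set
    cookies, and a cookie-setting response without one risks being blocked."""
    problems = []
    sets_cookie = any(k.lower() == "set-cookie" for k in headers)
    tokens = compact_policy_tokens(headers)
    if tokens is not None and not sets_cookie:
        problems.append("compact policy sent on a response that sets no cookie")
    if sets_cookie and tokens is None:
        problems.append("cookie set without a compact policy; IE6 may block it in a third-party context")
    return problems


def cookie_decision(page_url, response_url, headers):
    """Decide whether to accept the cookie set by response_url while the user
    views page_url. The cookie is third-party when the setting host differs
    from the page host. Returns (accept, reason)."""
    if not any(k.lower() == "set-cookie" for k in headers):
        return True, "no cookie set"
    third_party = urlparse(page_url).hostname != urlparse(response_url).hostname
    tokens = compact_policy_tokens(headers)
    if tokens is None:
        if third_party:
            return False, "third-party cookie without compact policy"
        return True, "first-party cookie; full policy evaluated separately"
    return True, "compact policy present: " + " ".join(tokens)


if __name__ == "__main__":
    page = "http://www.example.com/index.html"
    ad = build_set_cookie_response("id=1; Path=/")  # constructed third-party cookie, no CP
    print(cookie_decision(page, "http://ads.example.net/pixel.gif", ad))
    print(lint_response(ad))
```

The decision function deliberately stops at "compact policy present": the compact policy is an optimization that lets cookie handling proceed while the full policy is fetched and evaluated, so a real agent would still compare the tokens against the user's preferences and against the full policy named by policyref.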


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.