The W3C P3P Specification Working Group has released an updated Platform for Privacy Preferences 1.0 Deployment Guide as well as a 'Proposed Recommendation' version of The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. The review period for the PR specification ends on 25-February-2002. P3P version 1.0 is "a protocol designed to inform Web users of the data-collection practices of Web sites. It provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy. The P3P specification defines: (1) A standard schema for data a Web site may wish to collect, known as the 'P3P base data schema'; (2) A standard set of uses, recipients, data categories, and other privacy disclosures; (3) An XML format for expressing a privacy policy; (4) A means of associating privacy policies with Web pages or sites, and cookies; (5) A mechanism for transporting P3P policies over HTTP. The accompanying Guide explains what's involved in deploying P3P on a Web site, how to decide how many P3P policies to use and how to map those policies onto the Web site, different ways to publish your privacy policy, and step-by-step instructions for deploying your privacy policy on various popular Web servers."
Bibliographic information:
- The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Proposed Recommendation 28-January-2002. Edited by Massimo Marchiori (W3C/MIT/University of Venice) Authored by: Lorrie Cranor (AT&T), Marc Langheinrich (ETH Zurich), Massimo Marchiori (W3C/MIT/UNIVE), Martin Presler-Marshall (IBM), and Joseph Reagle (W3C/MIT). Version URL: http://www.w3.org/TR/2002/PR-P3P-20020128/. Latest Version URL: http://www.w3.org/TR/P3P/. Previous Version URL: http://www.w3.org/TR/2001/WD-P3P-20010928/.
- The Platform for Privacy Preferences 1.0 Deployment Guide. W3C Note 11-February-2002. By Martin Presler-Marshall (IBM). Version URL: http://www.w3.org/TR/2002/NOTE-p3pdeployment-20020211. Previous Version URL: http://www.w3.org/TR/2001/NOTE-p3pdeployment-20011130.
From the Proposed Recommendation specification: "The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit. Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification may provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards... The P3P1.0 specification defines the syntax and semantics of P3P privacy policies, and the mechanisms for associating policies with Web resources. P3P policies consist of statements made using the P3P vocabulary for expressing privacy practices. P3P policies also reference elements of the P3P base data schema -- a standard set of data elements that all P3P user agents should be aware of. The P3P specification includes a mechanism for defining new data elements and data sets, and a simple mechanism that allows for extensions to the P3P vocabulary."
From the P3P Deployment Guide: "Deploying P3P on a Web site requires:
- Creating one or more policy statements which describes the data the site collects and how it will be used. These are XML documents, typically less than 10K bytes in size. The policy statements must be published on the Web site.
- Creating a policy reference file, which gives the URL for the site's policy statements, and indicates what portions of the site - and the site's cookies - are covered by which statements. This is an XML document, and is typically a few kilobytes in size. The policy reference file then must be published on the Web site.
- The site's human-readable privacy policy must be published. P3P policies contain a link pointing to a human-readable version of the privacy policy, so the human-readable policy must be published at the same time that the machine-readable XML version is published.
- Telling browsers how to locate the policy reference file. There are several mechanisms available to do this. The policy reference file can be published in a predefined location on the site, the server can send an HTTP response header giving the location of the reference file, or the site's HTML content can be modified to contain links to the reference file.
Principal references:
- The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. PR version.
- The Platform for Privacy Preferences 1.0 Deployment Guide
- P3P mailing list
- P3P and Privacy on the Web FAQ
- References for P3P Implementations
- W3C Privacy Activity Statement
- "Platform for Privacy Preferences (P3P) Project" - Main reference page.