W3C has published The Platform for Privacy Preferences 1.0 (P3P1.0) Specification as a Recommendation, signifying that it "is a stable document and may be used as reference material or cited as a normative reference from another document." The P3P specification document has been produced by the W3C P3P Specification Working Group as part of the Privacy Activity in the W3C Technology and Society Domain; contributors included "privacy advocates, Web technology leaders, data protection commissioners, and global ecommerce companies." P3P provides "a standard, simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, the answers present a machine readable version of the site's privacy policy, a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can 'read' this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see." W3C also published a companion working draft of A P3P Preference Exchange Language 1.0 (APPEL1.0) which "complements the P3P1.0 specification by specifying a language for describing collections of preferences regarding P3P policies between P3P agents. Using this language, a user can express her preferences in a set of preference-rules (called a ruleset), which can then be used by her user agent to make automated or semi-automated decisions regarding the acceptability of machine-readable privacy policies from P3P enabled Web sites."

Bibliographic information:

• The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation 16-April -2002. Version URL: http://www.w3.org/TR/2002/REC-P3P-20020416/. Latest Version URL: http://www.w3.org/TR/P3P/. Previous Version URL: http://www.w3.org/TR/2002/PR-P3P-20020128/. Edited by Massimo Marchiori (W3C / MIT / University of Venice) Authors: Lorrie Cranor (AT&T), Marc Langheinrich (ETH Zurich), Massimo Marchiori (W3C / MIT / University of Venice), Martin Presler-Marshall (IBM), and Joseph Reagle (W3C/MIT).

• A P3P Preference Exchange Language 1.0 (APPEL1.0). W3C Working Draft 15-April-2002. Version URL: http://www.w3.org/TR/2002/WD-P3P-preferences-20020415. Latest Version URL: http://www.w3.org/TR/P3P-preferences. Previous Version URL: http://www.w3.org/TR/2001/WD-P3P-preferences-20010226. Edited by Marc Langheinrich (ETH Zurich). Authors: Lorrie Cranor (AT&T Labs-Research), Marc Langheinrich (ETH Zurich) and Massimo Marchiori (W3C/MIT).

From the P3P1.0 Introduction:

The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.

Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification may provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards.

The P3P1.0 specification defines the syntax and semantics of P3P privacy policies, and the mechanisms for associating policies with Web resources. P3P policies consist of statements made using the P3P vocabulary for expressing privacy practices. P3P policies also reference elements of the P3P base data schema -- a standard set of data elements that all P3P user agents should be aware of. The P3P specification includes a mechanism for defining new data elements and data sets, and a simple mechanism that allows for extensions to the P3P vocabulary.

P3P version 1.0 is a protocol designed to inform Web users of the data-collection practices of Web sites. It provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy. The P3P specification defines: (1) A standard schema for data a Web site may wish to collect, known as the 'P3P base data schema'; (2) A standard set of uses, recipients, data categories, and other privacy disclosures; (3) An XML format for expressing a privacy policy; (4) A means of associating privacy policies with Web pages or sites, and cookies; (5) A mechanism for transporting P3P policies over HTTP...

From the announcement, 'Next Steps for P3P Focus on Implementation:' "W3C's lists of P3P-enabled Web sites and P3P software continue to grow, including both plug-ins and browser-based implementations, P3P policy generators, and a P3P validator. W3C's P3P Working Group plans to continue to provide resources and assistance to implementers who wish to make their sites P3P compliant. In addition to the P3P homepage, other useful resources include p3ptoolbox.org in cooperation with the Internet Education Foundation, and the JRC P3P demonstration and research platform. W3C continues to maintain discussion fora for implementers and those interested in P3P."

Testimonials for the W3C P3P 1.0 Recommendation have been provided by America Online Inc., AT&T, Carnegie Mellon University, Center for Democracy and Technology, USA, Unabhängiges Landeszentrum, Datenschutz Schleswig-Holstein, DoubleClick, Ericsson, Hewlett Packard Company, Information Commissioner for the United Kingdom, Information and Privacy Commissioner, Ontario, Canada, INRIA, Joint Research Centre of the European Commission, IBM, Microsoft, NEC, Privacy Council, Proctor & Gamble, Independent Centre for Privacy Protection, Schleswig-Holstein, Germany, Commissioner for Data Protection, Brandenburg, Germany, University of Kassel, and Vanderbilt University.