The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: January 20, 2005.

W3C Releases Revised Platform for Privacy Preferences (P3P v1.1) Specification.


An updated Working Draft of The Platform for Privacy Preferences 1.1 (P3P 1.1) Specification has been produced by members of the W3C P3P Specification Working Group. Work on this document has been managed as part of the Privacy Activity within the W3C Technology and Society Domain.

P3P defines a standard set of uses, recipients, data categories, and other privacy disclosures, together with an XML format for expressing a privacy policy; it also describes a means of associating privacy policies with Web pages or sites, and cookies.

P3P is designed as a "standardized set of multiple-choice questions covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. The P3P specification brings ease and regularity to Web users wishing to decide whether and under what circumstances to disclose personal information. User confidence in online transactions increases as they are presented with meaningful information and choices about Web site privacy practices."

P3P is now emerging "as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. The privacy of an individual's personal data on the Internet is a top concern for business, government, media and the public. Opinion surveys consistently show that privacy concerns are a leading impediment to the further growth of Web-based commerce. Initial efforts by Web sites to publicly disclose their privacy policies have had some impact. But these policies are often difficult for users to locate and understand, too lengthy for users to read, and change frequently without notice."

P3P-enabled Web sites make privacy information available in a standard, machine-readable format, and P3P-enabled browsers can read the snapshot automatically, comparing it to the consumer's own set of privacy preferences.

The current P3P v1.1 document, along with its normative references, "includes all the specification necessary for the implementation of interoperable P3P 1.1 applications. P3P 1.1 is based on the P3P 1.0 Recommendation and adds some features using the P3P 1.0 Extension mechanism. It also contains a new binding mechanism that can be used to bind policies for XML Applications beyond HTTP transactions."

P3P v1.1 user agents "can be built into Web browsers, browser plug-ins, or proxy servers. They can also be implemented as Java applets or JavaScript; or built into electronic wallets, automatic form-fillers, or other user data management tools. P3P user agents look for references to a P3P policy at a well-known location, in P3P headers in HTTP responses, and in P3P link tags embedded in HTML content. These references indicate the location of a relevant P3P policy."

W3C has provided several developer tools and guidelines to assist website administrators. Web sites "can implement P3P 1.1 on their servers by translating their human-readable privacy policies into P3P syntax and then publishing the resulting files along with a policy reference file that indicates the parts of the site to which the policy applies. Automated tools can assist site operators in performing this translation. P3P 1.1 can be implemented on existing HTTP/1.1-compliant Web servers without requiring additional or upgraded software. Servers may publish their policy reference files at a well-known location, or they may reference their P3P policy reference files in HTML/XHTML content using a link tag. Alternatively, compatible servers may be configured to insert a P3P extension header into all HTTP responses that indicates the location of a site's P3P policy reference file."
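The three lookup mechanisms described above (well-known location, P3P HTTP header, HTML link tag) can be checked against a captured response. The following is an added example, not code from the W3C specification or from this article; the `/w3c/p3p.xml` path, the `policyref`/`CP` header fields and the `rel="P3Pv1"` link relation are taken from the P3P 1.0 Recommendation, while the function names and the example.com sample response are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

WELL_KNOWN_PATH = "/w3c/p3p.xml"  # well-known location per the P3P 1.0 Recommendation

class _LinkFinder(HTMLParser):
    """Collects href values of <link rel="P3Pv1" ...> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "p3pv1" and a.get("href"):
            self.hrefs.append(a["href"])

def parse_p3p_header(value):
    """Split a P3P header value into (policyref URI, compact policy tokens)."""
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', value)
    fields = {k.lower(): v for k, v in pairs}
    return fields.get("policyref"), fields.get("cp", "").split()

def discover_policy_refs(url, headers, body):
    """Return [(mechanism, absolute policy reference URL)] for one response."""
    found = []
    for name, value in headers.items():
        if name.lower() == "p3p":
            ref, _compact = parse_p3p_header(value)
            if ref:
                found.append(("http-header", urljoin(url, ref)))
    finder = _LinkFinder()
    finder.feed(body)
    found += [("html-link", urljoin(url, h)) for h in finder.hrefs]
    # Always a candidate; the user agent still has to fetch it to confirm it exists.
    found.append(("well-known", urljoin(url, WELL_KNOWN_PATH)))
    return found

# Constructed sample response (illustrative values only).
SAMPLE_URL = "http://shop.example.com/catalog/index.html"
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"'}
SAMPLE_BODY = '<html><head><link rel="P3Pv1" href="/privacy/refs.xml"></head></html>'

if __name__ == "__main__":
    for mechanism, ref in discover_policy_refs(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(mechanism, ref)
```

Relative references are resolved against the response URL, so an auditor can see at a glance when a header or link tag points the user agent at a policy reference file on a different host.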

Changes in P3P Version 1.1 have been based upon feedback provided at a Workshop in Dulles/Virginia and a Workshop in Kiel/Germany. "To the extent that suggestions have found sufficient support, they are now included in this new P3P 1.1 Working Draft. All new features are built using P3P's own Extension mechanism. Those extensions are contained in a new XML Schema in Appendix 5 and carry their own new namespace."

Bibliographic Information

The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C Working Draft. 4-January-2005. Edited by Rigo Wenning (W3C / ERCIM).

Working Draft Authors: Lorrie Cranor (CMU - P3P 1.0 and P3P 1.1), Brooks Dobbs (Doubleclick Inc. - P3P 1.1), Serge Egelman (CMU - P3P 1.1), Giles Hogben (Joint Research Center of the European Commission - P3P 1.1), Jack Humphrey (Coremetrics), Marc Langheinrich (ETH Zurich - P3P 1.0), Massimo Marchiori (W3C/MIT/University of Venice - P3P 1.0), Martin Presler-Marshall (IBM - P3P 1.0), Joseph Reagle (W3C/MIT - P3P 1.0), Matthias Schunter (IBM - P3P 1.1), David A. Stampley (Invited Expert), and Rigo Wenning (W3C). See also the Working Group Contributors in (non-normative) Appendix 8.

P3P Version 1.1 Overview

"The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.

Although P3P provides a technical mechanism for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a technical mechanism for making sure sites act according to their policies. Products implementing this specification MAY provide some assistance in that regard, but that is up to specific implementations and outside the scope of this specification. However, P3P is complementary to laws and self-regulatory programs that can provide enforcement mechanisms. In addition, P3P does not include mechanisms for transferring data or for securing personal data in transit or storage. P3P may be built into tools designed to facilitate data transfer. These tools should include appropriate security safeguards.

The P3P1.1 specification defines the syntax and semantics of P3P privacy policies, and the mechanisms for associating policies with Web resources. P3P policies consist of statements made using the P3P vocabulary for expressing privacy practices. P3P policies also reference elements of the P3P base data schema — a standard set of data elements that all P3P user agents should be aware of. The P3P specification includes a mechanism for defining new data elements and data sets, and a simple mechanism that allows for extensions to the P3P vocabulary.

P3P provides a way for a Web site to encode its data-collection and data-use practices in a machine-readable XML format known as a P3P policy. The P3P specification defines:

  • A standard schema for data a Web site may wish to collect, known as the 'P3P base data schema'
  • A standard set of uses, recipients, data categories, and other privacy disclosures
  • An XML format for expressing a privacy policy
  • A means of associating privacy policies with Web pages or sites, and cookies
  • A mechanism for transporting P3P policies over HTTP

The goal of P3P is twofold. First, it allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner. Second, it enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may 'opt-out' of or 'opt-in' to...

P3P policies use an XML with namespaces encoding of the P3P vocabulary to provide contact information for the legal entity making the representation of privacy practices in a policy, enumerate the types of data or data elements collected, and explain how the data will be used. In addition, policies identify the data recipients, and make a variety of other disclosures including information about dispute resolution, and the address of a site's human-readable privacy policy. P3P policies must cover all relevant data elements and practices. However, legal issues regarding law enforcement demands for information are not addressed by this specification. It is possible that a site that otherwise abides by its policy of not redistributing data to others may be required to do so by force of law. P3P declarations are positive, meaning that sites state what they do, rather than what they do not do. The P3P vocabulary is designed to be descriptive of a site's practices rather than simply an indicator of compliance with a particular law or code of conduct. However, user agents may be developed that can test whether a site's practices are compliant with a law or code.

P3P policies represent the practices of the site. Intermediaries such as telecommunication providers, Internet service providers, proxies and others may be privy to the exchange of data between a site and a user, but their practices may not be governed by the site's policies. In addition, note that each P3P policy is applied to specific Web resources (Web pages, images, cookies, etc.) listed in a policy reference file. By placing one or more P3P policies on a Web site, a company or organization does not make any statements about the privacy practices associated with other Web resources not mentioned in their policy reference file, with other online activities that do not involve data collected on Web sites covered by their P3P policy, or with offline activities that do not involve data collected on Web sites covered by their P3P policy..." [2005-01-04 spec Introduction]
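The introduction quoted above describes policies as statements of purposes, recipients and data elements that a user agent compares with the user's preferences. The following added example (not code from the specification or from this article) does that comparison for one policy; the element names, the `required` attribute and the namespace are P3P 1.0 vocabulary, while the sample policy, the preference sets and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 vocabulary namespace

# Constructed, abbreviated policy (ENTITY and ACCESS omitted for brevity).
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="shop">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/><contact required="opt-in"/></PURPOSE>
    <RECIPIENT><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: vocabulary values the user refuses.
PREFS = {"PURPOSE": {"telemarketing", "contact"},
         "RECIPIENT": {"unrelated", "public"},
         "RETENTION": {"indefinitely"}}

def disclosures(stmt, container):
    """Yield (value, required) for each element inside e.g. <PURPOSE>."""
    for box in stmt.findall(NS + container):
        for el in box:
            yield el.tag.replace(NS, ""), el.get("required", "always")

def evaluate(policy_xml, prefs):
    """Return (statement no., container, value, data refs) for each conflict."""
    # The policy is fetched from a remote site: refuse DTDs so that entity
    # expansion cannot be used against the user agent's XML parser.
    if "<!DOCTYPE" in policy_xml:
        raise ValueError("DTD not allowed in P3P policy")
    conflicts = []
    root = ET.fromstring(policy_xml)
    for n, stmt in enumerate(root.iter(NS + "STATEMENT"), start=1):
        data = [d.get("ref") for d in stmt.iter(NS + "DATA")]
        for container, refused in prefs.items():
            for value, required in disclosures(stmt, container):
                # An opt-in practice only applies if the user agrees to it.
                if value in refused and required != "opt-in":
                    conflicts.append((n, container, value, data))
    return conflicts
```

Calling `evaluate(SAMPLE_POLICY, PREFS)` reports three conflicts, all in the second statement; the `contact` purpose is not flagged because the site offers it as opt-in.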

Other Privacy Specifications

Enterprise Privacy Authorization Language (EPAL)

In November 2003 W3C acknowledged receipt of IBM's Enterprise Privacy Authorization Language (EPAL) Version 1.2 as a Member Submission request. The specification includes two parts: a prose description of syntax and semantics, with formal definition of the EPAL syntax presented in an XML Schema. The EPAL technical specification defines a "formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication..."

EPAL is thus an interoperability language for exchanging privacy policy in a structured format between applications or enterprises, supporting the ability to encode an enterprise's privacy-related data-handling policies and practices and providing a language that can be imported and enforced by privacy-enforcement systems. The goal of EPAL is: (1) to enable organizations to be demonstrably compliant with their stated policies; (2) to reduce overhead and the cost of configuring and enforcing data handling policies; and (3) to leverage existing standards and technologies. Whereas the W3C Platform for Privacy Preferences (P3P) Recommendation defines a global terminology that can be used to describe the privacy promises of an enterprise, EPAL aims at formalizing enterprise-internal privacy policies, which requires a fine-grained vocabulary; it also includes a fine-grained hierarchy of purposes for which an enterprise collects data.


Privacy Policy Profile of XACML

The Privacy Policy Profile of XACML is one of several profiles added in the XACML Version 2.0 Committee Draft, balloted for approval as an OASIS Standard in January 2005. It was edited by Tim Moses (Entrust); XACML Committee Draft. Version 01. 16-September-2004. Document identifier: 'access_control-xacml-2.0-privacy_profile-spec-cd-01'. 7 pages. The profile defines 'Custodian' (the entity to which personally-identifiable information is entrusted) and 'Owner' (the subject of personally-identifiable information), and specifies attributes to support privacy principles in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The Privacy profile does not use any new features in the core XACML 2.0, and can be used equally well with XACML 1.0 or XACML 1.1.

"The Relationship Between XACML and P3P Privacy Policies." By Anne Anderson (Sun Microsystems). Version: 1.12. November 11, 2004 (or later). "This note addresses the relationship between the OASIS eXtensible Access Control Markup Language (XACML) and the W3C Platform for Privacy Preferences (P3P) as two privacy policy languages... The expressions in the two languages should be compatible. That is, if a P3P policy says that 'the only data the site collects on its home page is the data found in standard HTTP access logs', then the corresponding XACML privacy policy will allow a 'write' operation to the specific file that contains the source for the site's home page where the data to be written is the content of specific fields (clientAddress, userName, localTime, bytesSentToClient, referrer, etc.) in the specific file containing the HTTP access log. The XACML policy is a concrete application of the P3P policy to actual users, resources, actions, and purposes. XACML policies express not just privacy policies, but policies for any type of access to resources. In this way, a complete set of XACML policies can be audited to ensure that privacy policies are not being circumvented via other access control policies... P3P policies and XACML policies serve complementary purposes. P3P policies express privacy policies in terms that human users can understand; they express externally published policies in a generalized, high-level form. XACML policies express the same privacy policies in terms that computer access control mechanisms can understand and enforce; they express policies in a fine-grained, internally applicable form. The two levels of policy should be consistent with each other, and together they enable an auditor to determine whether the enterprise is complying with its stated privacy policies..."


Liberty Alliance Architecture Framework for Privacy Preference Expression Languages (PPELs)

Version 1.0 of the Liberty architecture framework for supporting Privacy Preference Expression Languages (PPELs) was released November 12, 2003. 15 pages. It provides the principles for a multi-leveled policy approach.

"The Liberty ID-WSF framework enables participants to associate a privacy policy, encoded in any privacy preference language, with a message using SOAP headers." The PPELs document "gives a high-level example of how privacy preferences can be handled using a multi-leveled policy approach in the communication between a Service Provider and Web Services Provider. In the multi-leveled policy framework, a limited, hierarchical set of privacy policies is used to describe the privacy practices of a Service Provider, and the privacy preferences of a Principal. When requesting attributes, the Service Provider or Web Services Consumer indicates its context specific privacy policy. The Web Services Provider acting on the Principal's behalf, then compares the requestor's privacy policy against the Principal's privacy policy preference for the attributes in question and decides whether to release the attributes. In case of a mismatch, the transaction is cancelled or the interaction service invoked..."


Robin Cover, Editor