P3P Position Paper - Workshop on the long-term future of P3P

Jeroen de Rooij



The Platform for Privacy Preferences Project (P3P) is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see [1].


EPAL is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained positive and negative authorization rights [2].

P3P versus EPAL

P3P enables a web-site to describe what kind of data is collected and how this data will be used. A P3P policy may contain the purposes, the recipients, the retention period, and a textual explanation of why this data is needed. P3P defines standardized categories for each kind of information included in a policy. Unlike P3P, EPAL defines the privacy-practices that are implemented inside an enterprise. Since this depends on internal details of the enterprise, it results in much more detailed policies that can be enforced and audited automatically. However, the resulting privacy guarantees can sometimes be simplified as a P3P promise that is offered for the users of the services [2].


To enhance the position of P3P in the future we believe it is necessary to integrate 'front-end' privacy language (P3P) with 'back-end' privacy languages and PETs used by organizations internally. Arguments for our position are:

  1. At this moment in time front-end privacy statements do not guarantee that privacy is respected in the back-end. We believe that privacy guarantee in the back-end is key to give P3P and other privacy languages a good fingerprint in the market.
  2. At this moment in time users look at privacy statements as a promise that can easily be broken (P3P is a matter of Trust). To make e-commerce and e-business a success Trust must be replaced by Transparent Confidence.
  3. Risks related to inconsistency between the front-end privacy statement and the back-end is difficult to manage and poses risks for companies. Integration is key to improve the quality of privacy management.
  4. It is neither effective nor efficient to use different formats and tools to manage privacy in the front-end and in the back-end. Different formats and tools demands multiple investments in knowledge and techniques and also increases the change of errors and inconsistencies.
  5. It is neither effective nor efficient to audit a privacy statement and the compliance of it within an organization 'manually': if an audit in the back-end results in a 'privacy proof audit statement' than this audit statement should automatically apply to the front-end privacy statement.


The privacy life cycle (policy development; data handling modelling; gap and risk analyses; implementation; monitoring and enforcement; audit and reporting) should be supported by a well structured set of tools and formats. These tools and formats together with privacy enhanced business IT systems must guarantee compliance with privacy regulation and principles.


Future research and development should - also - be focused on building a structured set of integrated tools that enable effective and efficient privacy management. These tools should support the privacy life cycle end-to-end where privacy components (like privacy policy and statements) should be made re-usable within the life cycle. Furthermore privacy awareness amongst citizens and the availability of privacy tools should get more emphasis.