W3C P3P

Make Your Web Site P3P Compliant

How to Create and Publish Your Company's P3P Policy (in 6 Easy Steps)

1. Create a written privacy policy for your company or organization. You may want to consult the P3P Guiding Principles Document for resources and helpful hints. If you already have a policy, you will probably want to review it with its authors who wrote it. Make sure to note all of the data you collect, what you do with that data, who has access to it, and for how long you keep it. These pieces of your policy will later be read into a P3P generator that will create a machine-readable version of your policy.

2. At this point, you should decide what policies apply to what pages on the site. Many companies have more than one P3P policy depending on how many different data collection techniques and purposes for different pages. This way, a user will know exactly how their data will be used for a given page or form. Of course, a user can always reference the written policy to see the overall practices of the site, but specifying practices for certain directories or pages often will make browsing more seamless for the average user.

Many company's websites are made up of several different pieces, each of which may collect information differently, or not at all. Each different section will likely have a privacy policy that is slightly different from the policies of other parts of your site. When creating your P3P policy, you can choose to have one general P3P policy that attempts to describe all of the various data collecting components of your site. However, constructing multiple P3P policies, one for each part of your site where you have different policies or you collect vastly different kinds of information, will make your overall privacy policy easier to understand for both you and your customers. You should realize that your human-readable policy will still be available to users so you will still have the opportunity to present an overall policy for site.

When preparing to create your machine-readable P3P policy file, you must understand how many different privacy policies are in effect on your site and under what conditions each applies. P3P policies, like their human-readable counterparts, can apply to a single directory or file, or to all files and directories except one or more that you specify. Additionally, you can differentiate between policies for a single page or group of pages based on what operations are being performed (e.g. PUT, DELETE, GET).

The P3P 1.0 Specification describes the privacy policies of an example company, CatalogExample. This company applies one policy to those users who simply browse their site and another to those who purchase products. From the "browse" group, CatalogExample collects information about their computer and what pages they visit. This information is used by the company and their agents for administrative purposes "to improve our site." Those users who purchase products from CatalogExample must give them more detailed data (e.g. name, address, financial information). This information is used to complete the purchase and ship the product. The user has the option to store information for later reuse and has access to his/her information to make updates and corrections. The two distinct data collection procedures and their unique applications convinced CatalogExample that they should use at least two P3P policies.

3. Next, select a P3P Policy generator to use. The following generators are currently available:

Take your company's existing privacy policy, or the one that you've just written, and use it to guide you through the generation process. Print out the current P3P Specification available from the W3C P3P site. You will need to note the following features:

P3P Policy generators are software applications that assist you in creating and, eventually publishing, your company's P3P Policy, or policies. There are currently three generators available, IBM P3P Policy Editor, PrivacyBot.com, and YOUpowered's Consumer Trust. These are changing along with the P3P specifications to remain up-to-date. The generators take you through each part of the P3P policy as you enter the necessary information. Be sure to fill in all fields so that the policy is correctly and fully formatted; browsers do not read or accept incorrectly formatted XML files. Other generators are expected soon.

After printing out the current P3P Specification from the W3C P3P site, take your companies privacy policy, or policies, and identify the following features:

There are currently fourteen predefined data categories, and "other", in P3P. Data types for collected information should be categorized by one of these fifteen options. Be as specific as possible when listing the types of data collected. Before you choose "other" it is important that you check again to make sure that it does not fit into one of the 14 defined categories. The data collected must also be classified into one or more of six specified purposes that let users know how you are using the data that you've collected. You must further designate one or more of six possible recipient options to describe who has access to the data. Finally, you have to state for how long the information is being retained -- there are five options ranging from no retention to indefinite retention.

4. Enter the necessary information into the P3P generator. Make sure you fill in all necessary fields and descriptions (P3P files include several human-readable components so that users can quickly find out important information such as a contact address in the Entity field). Common P3P generators will have an error-checking function that will alert you to omitted or incorrectly entered information. Save this file as policy1.xml. If you have multiple P3P policies (for sites with various, specific privacy policies), number them accordingly (policy2.xml, policy3.xml, and so on).

Once you have finished filling in all of the necessary pieces of information and descriptions, use the error-checking function that your generator likely has; it will alert you to omissions and incorrectly entered information. Check that you've entered human-readable descriptions wherever you are given the option to. These longhand descriptions will make your machine-readable policy more useful to consumers and easier for you to debug. If you determined that your site needs multiple privacy policies and accompanying P3P policies, be sure to save them separately and number them accordingly (policy1.xml, policy2.xml, etc.).

5. The generator should also create a policy reference file for you. This file will instruct web browsers where to look for the P3P policy on any given page. You should save this file as p3p.xml. You should then upload both the P3P policy file(s) and the policy reference file to your server's root directory.

The policy reference file, usually saved as p3p.xml, tells web browsers where to find the P3P policy that applies to any given page on your site. As mentioned earlier, you are able to include and exclude pages and whole directories when creating your privacy policies, as long as all pages and directories are ultimately accounted for. The following XML code is an example policy reference file (Example 2.2) from the P3P 1.0 Specification.

<META xmlns="http://www.w3.org/2001/09/P3Pv1">
    <POLICY-REFERENCES>
        <POLICY-REF about="/P3P/Policy3.xml">
            <INCLUDE>/cgi-bin/</INCLUDE>
            <INCLUDE>/servlet/</INCLUDE>
            <EXCLUDE>/sevlet/unknown</EXCLUDE>
        </POLICY-REF>

        <POLICY-REF about="/P3P/Policy2.xml">
            <INCLUDE>/catalog/</INCLUDE>
        </POLICY-REF>

        <POLICY-REF about="/P3P/Policy1.xml">
            <INCLUDE>/*</INCLUDE>
            <EXCLUDE>/sevlet/unknown</EXCLUDE>
        </POLICY-REF>
    </POLICY-REFERENCES>
</META>

In this example, Policy1.xml refers to all files excluding those under the "catalog", "cgi-bin", and "servlet" directories. Policy2.xml refers to all files under the "catalog" directory. The remaining directories, "cgi-bin" and "servlet", are covered under Policy3.xml with the exception of the "servlet" subdirectory "unknown". There is no P3P policy referenced to "servlet/unknown" and this should be noted in the human-readable privacy policy.

The policy reference file contains the includes and excludes, and any more specific task classifications, that web browsers will use to navigate your P3P policies and apply the correct policy to each page. The generator should create this file for you. Once created, take the policy reference file (p3p.xml) and your P3P policy file(s) (policy1.xml, policy2.xml, etc.) and upload them to your server's root directory.

6. The final step is making sure that you've done everything correctly. You can simply go to http://www.w3.org/P3P/validator.html and enter any URL on your site and it will tell you if there are any errors. If there are errors, you may want to go back to Step 3. When you are finished with this process, you will be asked if you wish to be listed on our list of web sites using P3P.

Note: The P3P specification will likely change over the next few months. As a result, you may have to update the P3P policy that you are creating now.


Copyright 1997-2000 W3C (MIT, INRIA, Keio ), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply. Your interactions with this site are in accordance with our public and Member privacy statements.

last revised $Date: 2002/05/08 04:26:06 $ by $Author: koike $