W3C P3P

An Introduction to P3P

Imagine walking down the street, looking in store windows. As you are about to enter a store, you see prominently displayed on the door an easy-to-read privacy policy that conforms to all local laws. Based on the notice you may decide to enter and shop or you may choose to take your business elsewhere. In this case, you choose to enter. After browsing the aisles, you select a product and head to the checkout counter. You hand over your credit card, cash or other payment mechanism. The information you provide during the transaction will only be used for the purposes stated in the store's policy. You sign and walk out with your purchase.

This is the P3P vision of online commerce. P3P is designed to provide Internet users with a clear understanding of how personal information will be used by a particular Web site. Web site operators will be able to use the P3P language to explain their privacy practices to visitors. Users will be able to configure their browsers or other software tools to provide notifications about whether Web site privacy policies match their preferences. Parents will also be able to set privacy-related rules that govern their children's activities online. Once Web sites and Internet users can better communicate about privacy, consumers will be able to make better judgments about how Web sites respect their privacy concerns.

What is P3P?

The Platform for Privacy Preferences Project, or P3P, is a specification under development by the World Wide Web Consortium (W3C). When implemented in Web sites and browsers, the P3P specification will bring a measure of ease and regularity to Web users wishing to decide if and under what circumstances to disclose personal information. The many privacy issues that bedevil the Internet can be partially addressed with the widespread adoption of the P3P specification. It offers an important opportunity to build greater technical support to inform Web users about privacy and acts as a catalyst on the part of Web sites seeking to incorporate privacy protections into the Web's infrastructure.

P3P 1.0 creates the framework for standardized, machine-readable privacy policies, and consumer products that read these policies. Web sites express their privacy policies in a simple standardized format that can be downloaded automatically and read by web browsers and other end-user software tools. These tools can display information about a site's privacy policy to end users, and take actions based on a user's preferences. Such tools might provide positive feedback to users when the sites they visit have privacy policies matching their preferences, and provide warnings when a mismatch occurs. They may also notify users when a site's privacy policy changes.

While P3P does not alone resolve all online privacy issues, users' confidence in online transactions will increase when they are presented with meaningful information and choices about web site privacy practices.

There are two key components to the successful implementation of P3P, the web site component and the "client" software component.

The web site component: P3P enables web sites to "translate" their human-readable privacy practices into a standard, machine-readable format (XML) that can be retrieved automatically and interpreted easily by a user's browser. Web sites can use the P3P specification to perform this translation manually. However, automated tools can be used to make this process much simpler. Once the translation has been completed, some simple server configurations are necessary for a Web site to inform visitors automatically that it uses P3P.

The "client" software component: P3P clients automatically fetch and "read" P3P privacy policies on web sites. A user's browser that is equipped for P3P can check a web site's privacy policy automatically and inform the user of a web site's information practices. P3P client software can be built into a web browser, or built into plug-ins, browser helper objects, proxies, or other application software.

What P3P 1.0 Does and Does Not Do

P3P 1.0 will provide greater transparency by standardizing notices and making them machine-readable. However, by itself, P3P 1.0 does not resolve all privacy issues for either the user or the Web site. For example, although P3P 1.0 does allow companies to point to third party assurance organizations or government bodies that oversee their practices, the specification contains no enforcement mechanism to ensure that a company actually follows its practices.

While earlier drafts of the P3P specification attempted to address a broader range of issues, it was decided to keep P3P 1.0 a sleeker, simpler specification. This will make P3P implementation easier, while still allowing developers to innovate and build new global solutions. In fact, there have been early implementations in the U.S., Germany, and Japan that are focused on the unique situations in each country.

When Will I See Products and Web Sites that Use P3P? How Can I Make My Web Site P3P compliant?

Several companies are already building or have expressed an interest in building Web tools that use P3P. Developers from companies of all sizes are encouraged to build innovative P3P tools to capture this burgeoning marketplace. Sites that want to see what their privacy policy would look like using P3P are also encouraged to investigate P3P further. The W3C is planning interoperability workshops throughout the year to allow implementors, Web site developers, corporations, privacy advocates and users to see how P3P implementations are moving along.

Where can I get more information about P3P?

The most up-to-date information is available at the official P3P Web site: http://www.w3.org/p3p, which includes links to the latest specification, FAQ, news articles, and contact information.


Last update $Date: 2000/07/01 01:39:15 $ by $Author: massimo $.

Copyright 1997-1999 W3C (MIT, INRIA, Keio ), All Rights Reserved. W3C liability,trademark, document use and software licensing rules apply. Your interactions with this site are in accordance with our public and Member privacy statements.