P3P 1.0: A New Standard in Online Privacy

How can we empower users with more control over their online privacy?

The privacy of an individual's personal data on the Internet is a top concern for business, government, media and the public. Opinion surveys consistently show that privacy concerns are a leading impediment to the further growth of Web-based commerce. Initial efforts by Web sites to publicly disclose their privacy policies have had some impact. But these policies are often difficult for users to locate and understand, too lengthy for users to read, and change frequently without notice.

Introducing the Platform for Privacy Preferences Project (P3P)

P3P 1.0, developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users.

P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences.

P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, by enabling users to act on what they see.

In short, the P3P specification brings ease and regularity to Web users wishing to decide whether and under what circumstances to disclose personal information. User confidence in online transactions increases as users are presented with meaningful information and choices about Web site privacy practices.

"The World Wide Web Consortium, the group that designs standards for the Web, is creating a new way [P3P] for Web sites to transmit the site's privacy policy automatically, and allow users to signal only the information they are willing to share."
-- The New York Times 2/22/2000

A First Step

The P3P standard is designed to do one job and do it well - to communicate to users, simply and automatically, a Web site's stated privacy policies, and how they compare with the user's own policy preferences. This, in itself, is a major step forward.

P3P does not set minimum standards for privacy, nor can it monitor whether sites adhere to their own stated procedures. Addressing all of the complicated, fundamental issues surrounding privacy on the Web will require the appropriate combination of technology, a legal framework and self-regulatory practices.

The P3P 1.0 specification is now advancing through the W3C process towards its final state as a W3C recommendation over the next year. The experience of implementers and feedback from businesses, policy makers and users around the world will be critical in shaping the final technology design.

"In the context of proper legislation, P3P is the most promising solution to cyberspace privacy. It will make it easy for companies to explain their practices in a form that computers can read, and make it easy for consumers to express their preferences in a way that computers will automatically respect."
-- Professor Lawrence Lessig, Stanford Law School

The P3P Vocabulary

Nine aspects of online privacy are covered by P3P. Five topics detail the data being tracked by the site.

The remaining four topics explain the site's internal privacy policies.

"P3P will help responsible online businesses empower users to choose the privacy relationship best for them."
-- Christine Varney, former FTC Commissioner

How It Works

P3P enables Web sites to translate their privacy practices into a standardized, machine-readable format (Extensible Markup Language, XML) that can be retrieved automatically and easily interpreted by a user's browser. Translation can be performed manually or with automated tools. Once completed, simple server configurations enable the Web site to automatically inform visitors that it supports P3P. See the P3P technical report for complete technical specifications.

[Figure: A diagram showing how P3P state]

On the user side, P3P clients automatically fetch and read P3P privacy policies on Web sites. A user's browser equipped for P3P can check a Web site's privacy policy and inform the user of that site's information practices. The browser could then automatically compare the statement to the privacy preferences of the user, self-regulatory guidelines, or a variety of legal standards from around the world. P3P client software can be built into a Web browser, plug-ins, or other software.

[Figure: a P3P client interaction]
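The client-side comparison described above, sketched as an added example that is not part of the original brochure or any W3C code: it parses a constructed policy written with P3P 1.0 element names and checks each statement against a user's preferences. The names `USER_REFUSES`, `evaluate` and `decide`, the preference format and the fail-closed handling of unreadable policies are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (P3P 1.0 element names; site and practices invented).
SAMPLE_POLICY = """\
<POLICY name="shop" discuri="http://shop.example/privacy.html">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Hypothetical user preferences: practices the user does not accept.
USER_REFUSES = {"PURPOSE": {"telemarketing"}, "RETENTION": {"indefinitely"},
                "RECIPIENT": {"unrelated", "public"}}

def local(tag):  # drop an XML namespace so matching works with or without one
    return tag.rsplit("}", 1)[-1]

def evaluate(policy_xml, refuses):
    """Return (statement_no, category, value, data_refs) for each conflict."""
    if "<!DOCTYPE" in policy_xml:  # policy is remote input: no DTDs or entities
        raise ValueError("DOCTYPE not allowed in policy")
    root = ET.fromstring(policy_xml)
    statements = [e for e in root.iter() if local(e.tag) == "STATEMENT"]
    if not statements:
        raise ValueError("policy declares no STATEMENT")
    conflicts = []
    for n, stmt in enumerate(statements, 1):
        refs = [d.get("ref") for d in stmt.iter() if local(d.tag) == "DATA"]
        for cat in stmt:
            for value in cat:
                if local(value.tag) in refuses.get(local(cat.tag), ()):
                    conflicts.append((n, local(cat.tag), local(value.tag), refs))
    return conflicts

def decide(policy_xml, refuses):
    """'accept' only for a readable policy with no conflicts; else 'warn'."""
    try:
        return "warn" if evaluate(policy_xml, refuses) else "accept"
    except (ET.ParseError, ValueError):
        return "warn"  # fail closed: an unreadable policy is never accepted
```

As the brochure notes, the result reflects only what the site states; the check cannot confirm that the site follows its own policy.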

"The Platform for Privacy Preferences (P3P) is the most sophisticated proposal that has been made from a technical perspective so far to enhance privacy protection on the Web... [while] it cannot replace a regulatory framework of legislation, contracts, or codes of conduct... it [can] operate within such a framework."
-- Dr. Alexander Dix, LL.M., Commissioner for Data Protection and Access to Information, State of Brandenburg, Germany

Participants, Supporters, Developers

The following companies and organizations have been active participants in developing P3P.

  • America Online
  • AT&T
  • Center for Democracy & Technology
  • Citigroup
  • Crystaliz
  • Direct Marketing Association
  • Electronic Network Consortium
  • Geotrust
  • Gesellschaft für Mathematik und Datenverarbeitung (GMD)
  • Hewlett Packard
  • IBM
  • IDcide
  • International Security, Trust, and Privacy Alliance
  • Internet Alliance
  • Jotter Technologies Inc.
  • Microsoft
  • NCR
  • NEC
  • Netscape
  • Nokia
  • Ontario Office of the Information and Privacy Commissioner
  • Phone.com, Inc.
  • Privacy Commission of Schleswig-Holstein, Germany
  • TRUSTe

P3P 1.0 at a Glance

About W3C

The World Wide Web Consortium (W3C) was founded in 1994 by Tim Berners-Lee, the inventor of the Web, to promote universal access and to guide the Web's development with careful consideration for the novel legal, commercial, and social issues raised by this technology.

A non-profit, industry-supported consortium that includes researchers and engineers from more than 420 participating institutions, W3C is jointly administered by MIT's Laboratory for Computer Sciences (MIT-LCS) in the U.S., the National Institute for Research in Computer Science and Control (INRIA) in France, and Keio University in Japan. W3C has developed and published more than twenty technological recommendations for the Web, including HTML, XML, and CSS.

Contact Us

If you are interested in implementing P3P, visit the P3P Home Page. For more information on joining the W3C or its P3P Working Groups, please contact any of the following:

Lorrie Cranor, Specification Working Group Chair, AT&T, lorrie@research.att.com

Janet Daly, Head of Communications, W3C, janet@w3.org

Harriet Pearson, Policy Outreach Working Group Co-Chair, IBM, hpearson@us.ibm.com

Ari Schwartz, Policy Outreach Working Group Co-Chair, Center for Democracy and Technology, ari@cdt.org

Daniel Weitzner, Technology and Society Domain Leader, W3C, djweitzner@w3.org

Rigo Wenning, Policy Analyst, W3C, rigo@w3.org

Note on this brochure and formats:

This brochure was prepared for the June 21, 2000 P3P interop event. It is available as a single PDF file or as separate PDF files for each page. The single file version must be reduced in order to print on 8.5 x 11 or A4 paper.

Full brochure in PDF

Individual pages in PDF

last revised $Date: 2006/05/12 15:20:18 $ by $Author: rigo $