The P3P recommendation defines how a user agent can discover a domain's policies (via a policy reference file) that apply to the resources served by the domain, and the syntax and semantics for P3P policies. P3P policies include general assertions that apply to the entire policy as well as specific assertions -- called statements -- that apply only to the handling of particular types of data.
The general assertions in a P3P policy are composed by:
- an ENTITY element (legal entity making the representation of the privacy practices contained in the policy)
- a ACCESS element (indicates whether the site provides access to various kinds of information it collects about the user (this is now required according to the GDPR))
- a DISPUTE element (describes dispute resolution procedures that may be followed for disputes about a services' privacy practices)
- a REMEDIES element (describes remedies in case a policy breach occurs)
Statements describe data practices as applied to data elements (described in DATA-GROUP). The STATEMENT element is a container that groups together:
- a PURPOSE element (contains one or more purposes of data collection or uses of data, see below).
- a RECIPIENT element (contains one or more recipients of the collected data)
- a RETENTION element (indicates the kind of retention policy that applies to the collected data)
- a DATA-GROUP element (contains one or more DATA elements, see below)
- a CONSEQUENCE element (optional, consequences that can be shown to a human user to explain why the suggested practice may be valuable in a particular instance even if the user would not normally allow the practice)
- EXTENSIONS elements (optional, indicates portions of the policy which belong to an extension. The meaning of the data within the EXTENSION element is defined by the extension itself)
A STATEMENT element may optionally contain the NON-IDENTIFIABLE element, signifying either that there is no data collected under this STATEMENT, or that all of the data referenced by that STATEMENT will be anonymized upon collection.
When aggregate statistics are used or shared such that it would not be possible to derive data for individual people or households based on these statistics, no disclosures about these statistics are necessary in a P3P policy, although they apply to the original data before it is aggregated.
P3P defines the following purposes:
- Completion and Support of Activity For Which Data Was Provided: Information may be used by the service provider to complete the activity for which it was provided, whether a one-time activity such as returning the results from a Web search, forwarding an email message, or placing an order; or a recurring activity such as providing a subscription service, or allowing access to an online address book or electronic wallet.
- Web Site and System Administration: Information may be used for the technical support of the Web site and its computer system. This would include processing computer account information, information used in the course of securing and maintaining the site, and verification of Web site activity by the site or its agents.
- Research and Development: Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual.
- One-time Tailoring: Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. For example, an online store might suggest other items a visitor may wish to purchase based on the items he has already placed in his shopping basket.
- Pseudonymous Analysis: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.
- Pseudonymous Decision: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. For example, a marketer may tailor or modify content displayed to the browser based on pages viewed during previous visits.
- Individual Analysis: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. For example, an online Web site for a physical store may wish to analyze how online shoppers make offline purchases.
- Individual Decision: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. For example, an online store suggests items a visitor may wish to purchase based on items he has purchased during previous visits to the Web site.
- Contacting Visitors for Marketing of Services or Products: Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site.
- Historical Preservation: Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. This law or policy MUST be referenced in the<DISPUTES> element and MUST include a specific definition of the type of qualified researcher who can access the information, where this information will be stored and specifically how this collection advances the preservation of history.
- Contacting Visitors for Marketing of Services or Products Via Telephone: Information may be used to contact the individual via a voice telephone call for promotion of a product or service.
- Other Uses: Information may be used in other ways not captured by the above definitions.
Categories of data
Categories provide hints to users and user agents as to the intended uses of the data.
P3P defines the following categories:
- Physical Contact Information: Information that allows an individual to be contacted or located in the physical world -- such as telephone number or address.
- Online Contact Information: Information that allows an individual to be contacted or located on the Internet -- such as email.
- Unique Identifiers: Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
- Purchase Information: Information actively generated by the purchase of a product or service, including information about the method of payment.
- Financial Information: Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information.
- Computer Information: Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
- Navigation and Click-stream Data: Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
- Interactive Data: Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
- Demographic and Socioeconomic Data: Data about an individual's characteristics -- such as gender, age, and income.
- Content: The words and expressions contained in the body of a communication -- such as the text of email, bulletin board postings, or chat room communications.
- State Management Mechanisms: Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
- Political Information: Membership in or affiliation with groups such as religious organizations, trade unions, professional associations, political parties, etc.
- Health Information: information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.
- Preference Data: Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
- Location Data: Information that can be used to identify an individual's current physical location and track them as their location changes -- such as GPS position data.
- Government-issued Identifiers: Identifiers issued by a government for purposes of consistently identifying the individual.
- Other: Other types of data not captured by the above definitions.
P3P is not implemented in major browsers, so here we report the criticism that has been made about its possible applications.
Issues (some superseded by the GDPR not reported):
- The possibility of adapting this vocabulary to the needs and regulatory context of specific geographic regions is not envisaged.
- The vocabulary has not been developed with reference to the highest known standards of data protection and privacy, but has instead sought to formalise lower common standards.
- Absence of a framework of enforceable data protection rules risks shifting the onus primarily onto the individual user to protect himself, while it is the 'data controller' who is responsible for complying with data protection principles
- Level of knowledge about the risks posed by data processing to individual privacy cannot realistically be expected of most citizens.
- P3P could mislead EU-based operators into believing that they can be discharged of their legal obligations (e.g. granting individual users a right of access to their data) if the individual user consents to this as part of the on-line negotiation
- Most Internet users are unlikely to alter any pre-configured settings on their browser, the 'default' position regarding a user's privacy preferences will have a major impact on the overall level of on-line privacy protection.