World Wide Web Consortium Issues P3P 1.0 as a W3C Recommendation
P3P gives people more control over use of personal information on the Web
http://www.w3.org/ -- 16 April 2002 -- The World Wide Web Consortium (W3C) has issued the Platform for Privacy Preferences (P3P) 1.0 as a W3C Recommendation, representing cross-industry agreement on an XML-based language for expressing Web site privacy policies. Declaring P3P a W3C Recommendation indicates that it is a stable document, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption. P3P was designed by a Working Group composed of privacy advocates, Web technology leaders, data protection commissioners, and global ecommerce companies.
"Web site privacy policies are good, but understanding privacy policies is better," remarked Tim Berners-Lee, W3C Director. "P3P serves as the keystone to resolving larger issues of both privacy and security on the Web."
P3P Helps People Make Informed Choices
The Platform for Privacy Preferences Project (P3P) 1.0, developed by W3C, provides a standard, simple, automated way for users to gain more control over the use of personal information on Web sites they visit.
At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies. Taken together, the answers present a machine readable version of the site's privacy policy, a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format.
P3P enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.
"With P3P we are enabling the development of a whole new class of Web tools and services that will help users protect their privacy while streamlining ecommerce transactions," explained Daniel J. Weitzner, W3C Technology and Society Domain Leader, "The fact that the Web now has a standard language for describing privacy practices will enable a new level of transparency in Web-based interactions. The added facility for dealing with privacy issues will be especially important with mobile and other new forms of Web access."
P3P Results from International Cooperation
P3P is created through the consensus-based W3C Process. Participants in the development of P3P represent leadership in industry, government, and research. Chaired by Dr. Lorrie Cranor of AT&T Labs-Research; they include 180solutions.com; Akamai Technologies; American Express; America Online, Inc.; AT&T; AvenueA; University of California, Irvine; Center for Democracy and Technology, USA; Charles Schwab Consultants; Citigroup; Doubleclick Inc.; Electronic Network Consortium (ENC), Japan; Engage; Ericsson; GMD/Fraunhofer; Hewlett Packard Company; IBM; IDcide; Independent Center for Privacy Protection Schleswig-Holstein, Germany; Internet Education Foundation; Joint Research Center of the European Commission; Microsoft; NCR; NEC; Ontario Office of Information and Privacy; PrivacyBank; along with invited experts. Many organizations have provided statements of support, some are announcing implementations.
"International representation was key to providing a privacy vocabulary that meets diverse needs and requirements," explained Rigo Wenning, W3C Privacy Activity Lead. "The Working Group also benefitted from the joint presence of industry, public authorities and academics. The design of P3P takes into account the multitude of privacy frameworks all over the world."
Next Steps for P3P Focus on Implementation
W3C's lists of P3P-enabled Web sites and P3P software continue to grow, including both plug-ins and browser-based implementations, P3P policy generators, and a P3P validator.
W3C's P3P Working Group plans to continue to provide resources and assistance to implementers who wish to make their sites P3P compliant. In addition to the P3P homepage, other useful resources include p3ptoolbox.org in cooperation with the Internet Education Foundation, and the JRC P3P demonstration and research platform. W3C continues to maintain discussion fora for implementers and those interested in P3P.
About the World Wide Web Consortium [W3C]
The W3C was created to lead the Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. It is an international industry consortium jointly run by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the National Institute for Research in Computer Science and Control (INRIA) in France and Keio University in Japan. Services provided by the Consortium include: a repository of information about the World Wide Web for developers and users, and various prototype and sample applications to demonstrate use of new technology. To date, nearly 500 organizations are Members of the Consortium. For more information see http://www.w3.org/
P3P is a registered trademark of the World Wide Web Consortium.
- Contact Americas, Australia --
- Janet Daly, <janet@w3.org>, +1.617.253.5884 or +1.617.253.2613
- Contact Europe --
- Marie-Claire Forgue, <mcf@w3.org>, +33.492.38.75.94
- Contact Asia --
- Saeko Takeuchi <saeko@w3.org>, +81.466.49.1170
Testimonials for W3C P3P 1.0 Recommendation
In English: America Online Inc. | AT&T | Carnegie Mellon University | Center for Democracy and Technology, USA | DoubleClick | Ericsson | Hewlett Packard Company | Information Commissioner for the United Kingdom | Information and Privacy Commissioner, Ontario, Canada | Joint Research Centre of the European Commission | IBM | Microsoft | NEC | Privacy Council | Proctor & Gamble | Independent Centre for Privacy Protection, Schleswig-Holstein, Germany | Commissioner for Data Protection, Brandenburg, Germany | University of Kassel | Vanderbilt University
In French: INRIA
In German: Unabhängiges Landeszentrum, Datenschutz Schleswig-Holstein
America Online Inc.
AOL has always regarded consumer privacy as one of our most important values. In addition to supporting robust self-regulatory initiatives and industry best practices, we strongly support technologies like P3P that empower consumers to personalize their online experience and make informed choices about their privacy. We commend W3C for the work it has done on this important issue, and we look forward to continuing to work with W3C and other interested organizations on ways to enhance and implement the P3P standard and other similar technologies.
-- Tatiana Gau, Senior Vice President, Integrity Assurance, America Online Inc.AT&T
Customers have long relied on AT&T as a privacy leader to make responsible decisions about how to use and protect customer information. P3P takes privacy control to the next level, by empowering consumers to make their own privacy decisions in real time as they surf the web. AT&T is proud to have been a leader in the W3C efforts to develop and support P3P. We encourage consumers to try our free Privacy Bird software, which uses P3P to automatically read online privacy policies and compare them with the user's privacy preferences.
-- Michael C. Lamb, Chief Privacy Officer, AT&TCarnegie Mellon University
Our study of P3P suggests that it provides an important first step in automating personal information privacy assurances on the web. My grandfather once told me, "never take a move back in Chess." I believe that P3P is a move that can be confidently made forward that we will not have to take back. While P3P lacks a number of features that must ultimately be a part of automating personal information privacy assurances, our studies, in analysis, software, and in teaching, have suggested that P3P can be adopted with confidence that the essential characteristics of the platform will be carried forward. I certainly recommend its adoption by any group seeking to facilitate communications about privacy assurances.
-- Bob Thibadeau, Director, Internet Systems Laboratory, School of Computer Science, Carnegie Mellon UniversityCenter for Democracy and Technology, USA
CDT believes that the P3P 1.0 Specification is an important step in data protection and privacy because it promotes greater transparency among Web sites and their privacy practices. While P3P alone will not resolve each and every critical aspect surrounding privacy issues, the use of automated privacy policies will help facilitate the clear understanding of privacy practices before users agree to hand over personal information to Web sites, which is an essential first step. P3P provides the reliable foundation for much needed frameworks incorporating additional privacy enhancing technologies; better consumer education; and baseline legislation to create a national standard for privacy expectations online.
-- Ari Schwartz, Policy Analyst, Center for Democracy and Technology (USA)DoubleClick
3P has already had a dramatic effect on the practices of Web sites by causing thousands of companies to take a hard look at their data practices. Businesses that never addressed data retention in their privacy policies are now realizing that they need to address this in their P3P statements. Just being required to make the statement "I keep your data forever" has prodded many businesses to implement purging policies! Similarly, sites are now more carefully self-auditing and describing their cookie practices. The result in just a few months has been much more accuracy and transparency for users.
-- Jules Polonetsky, Chief Privacy Officer, DoubleClickEricsson
Privacy is important to Ericsson. We have been working on ways to make sure that the users privacy is safeguarded, while enabling convenience. There is often a trade-off between convenience and the user's right to privacy and control. Users in the mobile Internet are extra sensitive to privacy violations, as well as extra interactions. We believe that any standard must address these questions, and we feel P3P is a good first step. Ericsson has been involved in the development of P3P. We have been working at how to use P3P to make sure that user data delivery in the mobile Internet is done in a way that safeguards the users privacy. Ericsson looks forward at continuing to assist the P3P working group as P3P gains more traction in the mobile Internet.
-- Helena Lindskog, Privacy Manager for EricssonHewlett Packard Company
P3P 1.0 is the set of building blocks for consistency in declaring data collection practices across the world wide web. We believe it will be become the standard for privacy interoperability. HP has implemented P3P on its major e-commerce sites, including hpshopping.com, and will complete our implementation across hp.com over the next several months. HP believes that P3P is a key piece of the solution for better serving customer privacy needs through technology, baseline privacy legislation, third party oversight and consumer education.
--Barbara Lawler, Chief Privacy Officer, Hewlett Packard CompanyInformation Commissioner for the United Kingdom
Can I say how much I welcome this work which is a practical step to providing individuals with control over their information? I hope P3P will prove to be a useful part of the package of technical, self-regulatory and legal measures to protect personal privacy on the World Wide Web.
-- Elizabeth France, Information Commissioner for the United KingdomInformation and Privacy Commissioner, Ontario, Canada
The Platform for Privacy Preferences (P3P) provides a valuable service to those online - it provides openness and transparency of privacy policies, where they were once lacking. P3P also gives users increased control over their personal information and brings a common vocabulary to Web privacy policies. Awareness of online privacy issues among Web site developers has risen considerably due to the work of the P3P team. Consequently, an ever-increasing number of Web sites are becoming P3P-enabled. Consumer privacy expectations continue to remain high, and P3P plays an important role in addressing some of those expectations. My office remains committed to the development of P3P and other privacy enhancing tools for the Web.
-- Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, CanadaIBM
P3P is proving itself to be a workable tool for individuals to better manage their privacy preferences online. IBM is pleased to have supported this effort through the development of the standard itself as well as P3P-compliant software.
-- Martin Presler-Marshall, P3P Working Group co-chair and co-author, IBMJoint Research Centre of the European Commission
As an active participant on the W3C P3P working group, the Joint Research Centre welcomes the P3P standard as one important technical solution in improving trust relationships between consumers and e-business, in particular as a way of providing unambiguous, machine processable information on privacy practices. We will be continuing to contribute to support the standard and its implementations through work on our P3P demonstration and research platform. Related to this, we are also maintaining a P3P Resource center which aims to give users hands on experience of the standard's implications.
-- Giles Hogben and Marc Wilikens, Cybersecurity Research Group, Joint Research Centre of the European CommissionMicrosoft
Microsoft salutes the W3C P3P committee. We've been pleased to be part of this industry effort to produce a technology that helps Internet surfers select their own level of privacy protection in dealing with Web sites. P3P takes a step towards providing consumers with more choices, so they have a better understanding about the information that is collected about them. In Microsoft's implementation of P3P in our browser technology, the settings facilitate an understanding of what takes place in the background when consumers visit sites on the Web. From a design perspective, it is very important for us to give consumers a privacy choice and control model, and also maintain the quick, productive and efficient browser software experience that people have come to expect. P3P provided the flexibility for us to strike that balance.
-- Richard Purcell, Privacy Officer, Microsoft CorporationNEC
NEC is pleased to see P3P 1.0 become a W3C Recommendation. P3P provides a standard way for web sites to disclose their privacy policies, and thus enables individuals to control their personal information while using the web. NEC has been supporting W3C's P3P activity for years - P3P validator service is now a common web site check tool, and our ISP service "BIGLOBE" implemented P3P privacy policies on more than thirty web sites.
-- Fumio Onimaru, Senior Manager, Technical Standards, External Relations Division, NEC CorporationPrivacy Council
Privacy Council is fully committed to the P3P specification developed by the W3C. We believe that P3P is one of the most important achievements in privacy enabling technology for the Internet. It provides a clear and concise mechanism for regulating consumer preferences when browsing or procuring goods and services from a Web site. In our opinion, P3P will make it easier for every Web site to comply with the spirit of privacy regulations by creating electronically readable privacy policies. It also establishes baseline accountability for Internet businesses to disclose privacy policies that truly reflect actual practices.
-- Dr. Larry Ponemon, CEO, Privacy CouncilProctor & Gamble
Proctor & Gamble is implementing P3P because it promises to significantly help consumers control how their personal information is gathered and used by web sites. P3P provides a common, machine-readable language for privacy, allowing consumers to easily read, understand, and compare the privacy policies of web sites they visit. This in turn will build their trust and confidence that their personal information will be managed in accordance with their wishes.
-- Mel Peterson, Privacy Manager, The Proctor & Gamble CompanyIndependent Centre for Privacy Protection, Schleswig-Holstein, Germany
P3P is the first international effort to integrate privacy protection into the information technology of the global networks. This is a starting point to achieve more transparency, more choice and more orientation for the citizens on the internet. Now, we have to implement and to disseminate P3P. In the interest of the human right of privacy, there have to be further efforts in standardization.
-- Dr. Thilo Weichert, Independent Centre for Privacy Protection Schleswig-Holstein, GermanyCommissioner for Data Protection, Brandenburg, Germany
P3P is a necessary but not sufficient condition for privacy. The Platform for Privacy Preferences (P3P) is the most sophisticated proposal that has been made from a technical perspective so far to enhance privacy protection on the Web... [while] it cannot replace a regulatory framework of legislation, contracts, or codes of conduct... it [can] operate within such a framework.
-- Dr. Alexander Dix, LL.M., Commissioner for Data Protection and Access to Information, State of Brandenburg, GermanyUniversity of Kassel
The recommendation of the P3P-Standard is an important step towards privacy protection in the Internet. It will enhance the transparency of data processing and improve the opportunity of the users to choose services according to their privacy protection behavior. It will increase privacy protection awareness of all people involved. And it gives consumer associations or privacy protection officers a chance to design and distribute popular user preferences and popular policies and to contribute in this way to a privacy protection culture. The recommendation, however, does not support all privacy requirements in Germany and Europe. But the standard allows individual further developments, that meet further requirements of privacy protection. The recommendation is a first practical step with further steps to follow.
-- Prof. Dr. Alexander Rossnagel, University of Kassel, GermanyVanderbilt University
As one of the premiere research centers in the world for the study of digital commerce, eLab (http://elab.vanderbilt.edu/) recognizes the great importance and need for privacy policy standards. Digital businesses need to know who their customers are and these customers need the ability to control how their information is released to others. P3P addresses both these needs by providing communication about data privacy practices between customers and Web sites as well as enhanced user control over the use and disclosure of personal information. eLab support 's P3P's goal to reach a state of privacy equilibrium where the technology supported as a standard would allow consumers to take advantage of custom Web sites and control the information they share.
-- Donna Hoffman, Professor of Marketing and Co-Director and Co-Founder of eLab, Vanderbilt UniversityINRIA
P3P est une recommandation très importante parce qu'elle apporte une solution standardisée à l'amélioration du contrôle des infomations personnelles sur le Web. P3P permet d'augmenter la confiance des utilisateurs, et par voie de conséquence, d'augmenter le nombre d'usagers du Web. Cette confiance va également permettre l'innovation puisqu'il faut s'attendre à l'émergence de nouveaux services innovants, qui vont bénéficier à la fois aux utilisateurs finaux et aux transactions commerciales.
-- Gérard Giraudon, Directeur du Développement et des Relations Industrielles, INRIAUnabhängiges Landeszentrum, Datenschutz Schleswig-Holstein
P3P ist der erste internationale Ansatz, Datenschutz in informationstechnische Produkte im Kontext der globalen Vernetzung zu integrieren. Damit ist ein Anfang gemacht, um mehr Transparenz, mehr Wahlfreiheit und mehr Bürgerorientierung im Internet zu realisieren. Nun geht es darum, P3P zu implementieren und zu verbreiten. Weitere Standardisierungsbemühungen im Interesse des Grundrechtsschutzes müssen folgen.
-- Dr. Thilo Weichert, Unabhängiges Landeszentrum, Datenschutz Schleswig-Holstein