P3P Privacy Policies

The Platform for Privacy Preferences Project, more commonly known as P3P, was designed by the World Wide Web Consortium (W3C) in response to the increased use of the Internet for sales transactions and the subsequent collection of personal information. P3P is a special protocol that allows a website’s policies to be machine-readable, granting web users greater control over the use and disclosure of their information while browsing the web.

 

Why was P3P created?

Many websites and advertising companies use technologies, such as tracker cookies, to monitor a user’s activity on the Internet in order to create unique user profiles and tailored advertising. However, many individuals may see such monitoring as a violation of privacy, especially since many of these cookies may be placed on a user’s computer without the individual’s knowledge. P3P was designed as a way to give web users greater control over what cookies are placed on their computer and what kind of information is released.

How does P3P work?

 

P3P is a protocol used to turn a website’s text-based privacy policies into a machine-readable format. A web user sets their browser preferences according to the level of protection they wish to use for their information. When a user attempts to access a website, the P3P privacy policy alerts the user’s web browser to the site’s intended use of cookies and personal information, including what information is collected, how it is used and how long it is stored. When the user navigates to a site which requires more personal information than their privacy preferences allow, the user will be notified and given the option to proceed to the site even though the site may collect information they don’t want to disclose. If a user navigates to a site that uses cookies the user wishes to reject, the cookie will be automatically blocked by the web browser as the user accesses the site.

P3P privacy policies are usually stored in an XML file and in a compact form in the HTTP header or HTML head of a web page. Privacy Bird is a free browser plug-in that allows users to control and view P3P privacy policies. Internet Explorer also makes use of P3P to provide cookie blocking features.

Benefits of P3P

  • P3P allows web users to view and understand privacy policies in simple terms without the use of technical jargon.
  • P3P automatically blocks cookies or websites (and therefore the collection of certain types of information) according to a user’s privacy preferences.
  • Builds trust in websites using P3P and in electronic transactions as a whole because privacy policies are more visible and controllable.
  • P3P is designed to address and support privacy options on a global level, no matter the level of protection guaranteed by individual privacy laws.

 

Criticisms of P3P

 

P3P has faced strong opposition, especially by the Electronic Privacy Information Center which nicknamed it “Pretty Poor Policy.” Criticisms of P3P include:

  • P3P is too difficult and confusing for individuals to use and understand.
  • Implementing P3P policies on a website is completely voluntary, so users may be prevented or restricted from accessing sites that do adequately protect their information simply because a P3P policy has not been created.
  • P3P uses the privacy principles of Notice and Choice to control privacy options; however, there is no enforcement through technical measures or legislation to ensure the user’s information is protected. Some believe the creation of P3P has been used as a way to circumvent or postpone the creation of stronger legislation regarding the use of cookies and personal information on the Internet.

Creating P3P Privacy Policies

For website owners who wish to implement P3P on their site, there are a number of tools available to help with the creation of such a policy, even if the website maintainer does not have a strong understanding of XML.

To Implement a P3P Privacy Policy:

1.  Create a human-readable privacy policy stating the company’s privacy practices and place it on the website. (Most companies should already have one written to follow the Fair Information Practices.)

2.  Use a P3P Privacy Policy generator or software program to translate a natural language privacy policy into machine readable format by answering simple questions regarding the use and collection of information. Many programs will also create compact policies. Some generators or programs include:

    a.  IBM’s P3P Policy Editor
    b.  P3P Wiz
    c.  P3P Edit

3.  Make sure the P3P policy links back to the human-readable privacy policies. This should be accomplished automatically with

4.  Deploy the P3P policy on the website.

    a.  Compact policies should be placed in the header of every web page.
    b.  A retrievable XML file should be located in the “well known location” for P3P: /w3c/p3p.xml
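
To make the compact policy from step 4 and the browser-side blocking described under "How does P3P work?" concrete, here is an added example (not code from this post or from any browser) that parses a P3P header value, checks each token against the P3P 1.0 compact-policy vocabulary, and decides whether a cookie would be accepted. The `refused` preference set and the accept/block rule are hypothetical simplifications, and the sample header is constructed.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the policy element they abbreviate.
VOCAB = {
    "access": "NOI ALL CAO IDC OTI NON", "disputes": "DSP",
    "remedies": "COR MON LAW", "non-identifiable": "NID", "test": "TST",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "category": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
}
GROUP_OF = {tok: grp for grp, toks in VOCAB.items() for tok in toks.split()}
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}

def parse_header(value):
    """Split a P3P header value into (policyref, compact-policy token list)."""
    fields = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', value))
    return fields.get("policyref"), fields.get("CP", "").split()

def classify(token):
    """Return (group, base, consent) for a valid token, or None if invalid."""
    base, suffix = token[:3], token[3:]
    group = GROUP_OF.get(base)
    takes_consent = group in ("purpose", "recipient")
    if group and not suffix:
        return group, base, "always" if takes_consent else None
    # Only purposes and recipients take a suffix; CUR and OUR never do.
    if takes_consent and base not in ("CUR", "OUR") and suffix in CONSENT:
        return group, base, CONSENT[suffix]
    return None

def decide(header_value, refused):
    """Cookie decision for one response: ('accept' or 'block', reasons)."""
    _, tokens = parse_header(header_value or "")
    if not tokens:
        return "block", ["no compact policy sent"]
    reasons = []
    for tok in tokens:
        info = classify(tok)
        if info is None:
            reasons.append(f"unrecognised token {tok}")
        elif info[1] in refused and info[2] != "opt-in":
            reasons.append(f"{info[1]} ({info[0]}) applies without opt-in")
    return ("block" if reasons else "accept"), reasons

if __name__ == "__main__":
    # Constructed header value and preference set, for illustration only.
    sample = 'policyref="/w3c/p3p.xml", CP="NOI DSP CUR CONi TELo OUR UNR IND ONL"'
    print(decide(sample, refused={"CON", "TEL", "UNR"}))
```

A site owner can run the same check against the header their own server returns to confirm that every token is valid and that the policy says what the human-readable policy says.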

Summary

P3P allows web users to gain greater control over the use and disclosure of their information and allows website owners to build confidence with their consumers. However, P3P policies must be backed by privacy practices that are carried out and enforced for P3P to be effective. While P3P does not eliminate or even adequately resolve privacy issues on the Internet, it does begin to address the problem and provides added options for the privacy conscious.

CIPP Candidate Preparation

 

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

  • Privacy Considerations for Sensitive Information Online (Foundations III.B.) including Privacy notices and methods of communication (III.B.b) and Choice and consent (III.B.c)

 
