How to Deploy P3P Privacy Policies on Your Web Site
[This documentation is preliminary and is subject to change.]
This overview explains the steps to take when deploying a Platform for Privacy Preferences (P3P) privacy scheme on a Web site beginning with the Web site's natural language privacy policy. The examples are oversimplified and used only to illustrate the steps to deployment. For details on content, vocabulary, and structure of P3P privacy policies and alternate deployment options, see the Platform for Privacy Preferences (P3P) specification.
The Steps for Deploying P3P
The following graphic shows the steps for deploying P3P.
Translating the Natural Language Privacy Policy into a Full P3P Privacy Policy
The preceding figure shows the flow of events when deploying P3P on your Web site. The first step is to translate the natural language privacy policy into a full P3P privacy policy using an XML schema that can be read by user agents such as Microsoft Internet Explorer 6. The XML schema is defined by the P3P Project which is part of the World Wide Web Consortium (W3C). There are tools available that can help create a full P3P privacy policy.
The following example shows a simple natural language policy.
At Blue Yonder Airlines, we care about your privacy. When you browse through our site, we collect information on the efficiency and working of our Web site. This information includes the number of times a web page is accessed, the browser used, and paths taken when moving through the Web site. We purge this information yearly. We also collect your zip code but will prompt you to enter it. With your permission, this information is aggregated with information collected from all visitors to our Web site and used for market analysis. This information might be provided to third parties. Once prompted for your zip code, you will not be prompted again if your browser privacy preferences allow cookies. Blue Yonder Airlines uses cookies (small files on your computer) to store whether you have entered your zip code or declined to do so. We access this information each time you visit our site so that you are only prompted the first time you visit our site.
The following XML syntax shows the corresponding P3P full privacy policy derived from the preceding natural language policy.
<POLICY xmlns="http://www.w3.org/2000/12/p3pv1"
discuri="http://www.blueyonderairlines.com/ourprivacypolicy.html"
opturi="http://www.blueyonderairlines.com/optin.html">
<ENTITY>
<DATA-GROUP>
<DATA ref="#business.name">Blue Yonder Airlines</DATA>
<DATA ref="#business.contact-info.postal.street">3456 Main St.</DATA>
<DATA ref="#business.contact-info.postal.city">Tampa</DATA>
<DATA ref="#business.contact-info.postal.stateprov">Fl</DATA>
<DATA ref="#business.contact-info.postal.postalcode">77062</DATA>
<DATA ref="#business.contact-info.postal.country">USA</DATA>
<DATA ref="#business.contact-info.online.email">molly@blueyonderairlines.com</DATA>
<DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
<DATA ref="#business.contact-info.telecom.telephone.loccode">800</DATA>
<DATA ref="#business.contact-info.telecom.telephone.number">5550158</DATA>
</DATA-GROUP>
</ENTITY>
<ACCESS><nonident/></ACCESS>
<STATEMENT>
<PURPOSE><admin/><develop/></PURPOSE>
<RECIPIENT><ours/></RECIPIENT>
<RETENTION><stated-purpose/></RETENTION>
<DATA-GROUP>
<DATA ref="#dynamic.clickstream.server"/>
<DATA ref="#dynamic.http.useragent"/>
</DATA-GROUP>
</STATEMENT>
<STATEMENT>
<PURPOSE><pseudo-analysis required="opt-in"/></PURPOSE>
<RECIPIENT><other-recipient/></RECIPIENT>
<RETENTION><indefinitely/></RETENTION>
<DATA-GROUP>
<DATA ref="#user.home-info.postal.postalcode">
<CATEGORIES><demographic/></CATEGORIES>
</DATA>
</DATA-GROUP>
</STATEMENT>
</POLICY>
Creating Compact Policies for Cookies from the Full P3P Privacy Policy
Once a full P3P policy is written, compact policies can be created. A compact policy is created by aggregating compact token representations of the full P3P privacy policy content. Compact policies are used to indicate the privacy practices of a Web service that uses cookies. The following example shows a compact policy derived from the full P3P privacy policy in the preceding example.
"NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
The three-letter compact policy tokens map to element values in the full P3P policy. For example, the ACCESS element value, <nonident/>, and CATEGORIES element value, <demographic/>, in the preceding full P3P policy appear as the tokens NOI and DEM in the compact policy. DATA elements defined in the P3P Base Data Schema (see P3P specification for more details) have corresponding CATEGORIES where the compact token form is used in the compact policy. For example, the DATA element value <DATA ref="#dynamic.http.useragent"/> maps to the P3P CATEGORIES element <computer/> whose corresponding compact token is COM. These representative CATEGORIES might not be included in the full P3P policy, but they are required for the compact policy. See the P3P specification for more information on how policy content is incorporated into a compact policy.
Deploying P3P on a Web Site
Once full P3P policies and compact polices are defined, they can be deployed on the Web site using the following methods.
The Policy-Reference File
The policy-reference file is an XML file that defines the location of a Web service's privacy policies, the Web pages, and any corresponding cookies for which a privacy policy applies. This file should be located at /w3c/p3p.xml which is referred to as "the well-known location" in the P3P specification. Alternatively, the URL of the policy-reference file can be included in the P3P HTTP header or in the LINK tag of a Web page. The following example shows a policy reference file that points to a single privacy policy that also covers a Web site's cookies.
<META xmlns="http://www.w3.org/2000/12/p3pv1">
<POLICY-REFERENCES>
<POLICY-REF about="Full_P3P_Policy.xml">
<INCLUDE>\*</INCLUDE>
<COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
</POLICY-REF>
</POLICY-REFERENCES>
</META>
Compact Policies and the HTTP Header
Compact policies are added to HTTP headers associated with cookie operations. Internet Explorer 6 uses these compact policies to filter cookies based on a user's privacy preferences. The following example shows the syntax for the P3P header using the preceding compact policy example. For more information on how Internet Explorer 6 blocks or allows cookies, see Privacy in Internet Explorer 6.
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Deployment Summary
The following list summarizes the common steps to deployment.
- Name the policy-reference file
p3p.xmland deploy it at /w3c/p3p.xml. - Deploy full P3P policy files within the same directory, for example, /w3c/full_p3p_policy.xml.
- Set compact policies for all cookies in the HTTP header.
Related topics
- Conceptual
- Privacy in Internet Explorer 6
- Other Resources
- W3C: Platform for Privacy Preferences (P3P) Project
- Platform for Privacy Preferences (P3P) specification
- Make your Web site P3P Compliant (W3C)
Build date: 3/14/2012
