P3P Privacy

This overview explains the steps to take when deploying a Platform for Privacy Preferences (P3P) privacy scheme on a Web site beginning with the Web site’s natural language privacy policy. The examples are oversimplified and used only to illustrate the steps to deployment.

The Steps for Deploying P3P

The following graphic shows the steps for deploying P3P.

Translating the Natural Language Privacy Policy into a Full P3P Privacy Policy

The preceding figure shows the flow of events when deploying P3P on your Web site. The first step is to translate the natural language privacy policy into a full P3P privacy policy using an XML schema that can be read by user agents such as Microsoft Internet Explorer 6. The XML schema is defined by the P3P Project which is part of the World Wide Web Consortium (W3C). There are tools available that can help create a full P3P privacy policy.

The following example shows a simple natural language policy.

At Green Jet Airlines, we care about your privacy. When you browse through our site, we collect information on the efficiency and working of our Web site. This information includes the number of times a web page is accessed, the browser used, and paths taken when moving through the Web site. We purge
this information yearly.

We also collect your zip code but will prompt you to enter it. With your permission, this information is aggregated with information collected from all visitors to our Web site and used for market analysis. This information might be provided to third parties. Once prompted for your zip code, you will not be prompted again if your browser privacy preferences allow cookies.

Green Jet Airlines uses cookies (small files on your computer) to store whether you have enterp3p.orged your zip code or declined to do so. We access this information each time you visit our site so that you are only prompted the first time you visit our site.

The following XML syntax shows the corresponding P3P full privacy policy derived from the preceding natural language policy.





<DATA ref=”#business.name”>Green Jet Airlines</DATA>
<DATA ref=”#business.contact-info.postal.street”>8461 Main St.</DATA>
<DATA ref=”#business.contact-info.postal.city”>Orlando</DATA>
<DATA ref=”#business.contact-info.postal.stateprov”>Fl</DATA>
<DATA ref=”#business.contact-info.postal.postalcode”>32828</DATA>
<DATA ref=”#business.contact-info.postal.country”>USA</DATA>
<DATA ref=”#business.contact-info.online.email”>molly@p3p.org</DATA>
<DATA ref=”#business.contact-info.telecom.telephone.intcode”>1</DATA>
<DATA ref=”#business.contact-info.telecom.telephone.loccode”>800</DATA>
<DATA ref=”#business.contact-info.telecom.telephone.number”>5550158</DATA>








<DATA ref=”#dynamic.clickstream.server”/>
<DATA ref=”#dynamic.http.useragent”/>




<PURPOSE><pseudo-analysis required=”opt-in”/></PURPOSE>



<DATA ref=”#user.home-info.postal.postalcode”>

Creating Compact Policies for Cookies from the Full P3P Privacy Policy

Once a full P3P policy is written, compact policies can be created. A compact policy is created by aggregating compact token representations of the full P3P privacy policy content. Compact policies are used to indicate the privacy practices of a Web service that uses cookies. The following example shows a compact policy derived from the full P3P privacy policy in the preceding example.


The three-letter compact policy tokens map to element values in the full P3P policy. For example, the ACCESS element value, <nonident/>, and CATEGORIES element value, <demographic/>, in the preceding full P3P policy appear as the tokens NOI and DEM in the compact policy. DATA elements defined in the P3P Base Data have corresponding CATEGORIES where the compact token form is used in the compact policy. For example, the DATA element value <DATA ref=”#dynamic.http.useragent”/> maps to the P3P CATEGORIES element <computer/> whose corresponding compact token is COM. These representative CATEGORIES might not be included in the full P3P policy, but they are required for the compact policy.

Deploying P3P on a Web Site

Once full P3P policies and compact polices are defined, they can be deployed on the Web site using the following methods.

The Policy-Reference File

The policy-reference file is an XML file that defines the location of a Web service’s privacy policies, the Web pages, and any corresponding cookies for which a privacy policy applies. This file should be located at /w3c/p3p.xml which is referred to as “the well-known location” in the P3P spec. Alternatively, the URL of the policy-reference file can be included in the P3P HTTP header. The following example shows a policy reference file that points to a single privacy policy that also covers a Web site’s cookies.



    <POLICY-REF about=”Full_P3P_Policy.xml”>


       <COOKIE-INCLUDE name=”*” value=”*” domain=”*” path=”*”/>




Compact Policies and the HTTP Header

Compact policies are added to HTTP headers associated with cookie operations. Microsoft Internet Explorer 6 uses these compact policies to filter cookies based on a user’s privacy preferences. The following example shows the syntax for the P3P header using the preceding compact policy example.


Deployment Summary

The following list summarizes the common steps to deployment.

  • Name the policy-reference file p3p.xml and deploy it at /w3c/p3p.xml.
  • Deploy full P3P policy files within the same directory, for example, /w3c/full_p3p_policy.xml.
  • Set compact policies for all cookies in the HTTP header.


Comments are closed.