only for RuBoard - do not distribute or recompile |
Some of the first questions webmasters ask when they are considering deploying P3P on their sites are "How long is this going to take?" and "How difficult is this going to be?" The answers to these questions, of course, depend on the details of each particular web site. A small company that already has a privacy policy posted on its site should be able to deploy P3P in a few hours the technical work may even take less than 15 minutes. A large company may need to have their attorneys spend time reviewing their P3P policy, and they may need to figure out the best way to deploy P3P on a large number of servers around the world. Companies that provide "third-party" web services, such as advertising agencies and content distribution networks, may have some more complicated decisions to make as well.
To help you estimate how much work it will be for you to deploy P3P on your web site, here is an outline of the basic steps involved.
The privacy policy needs to include enough details to be able to use it to create a P3P policy. If you have already created a detailed policy for your site, you may still have a few questions that you have to revisit when you create your P3P policy, but you will have already done most of the difficult work. If you don't yet have a privacy policy or your policy does not go into much detail about the kinds of data your site collects or how this data is used, you will probably have to get your company's lawyers or policy makers involved in figuring out what your company's privacy policy is.
If you already have multiple privacy policies for your site, then you will probably want to have multiple P3P policies as well. For example, some sites have different policies associated with different types of services they offer. Even if you have a single, comprehensive policy for your entire site, you may want to have multiple P3P policies. For example, your site's privacy policy might include a statement like "We do not collect personally identifiable information from visitors except when they fill out a form to order a product from us." You might wish to create two P3P policies: one for use on most of your site where there are no forms, and the other for use specifically on the parts of the site where visitors fill out forms to order products.
You can use one of the P3P policy generator tools to easily create a P3P policy without having to learn XML. You will need to have a detailed understanding about the kinds of data your site collects and how they are used but most of this should be documented in your site's privacy policy.
Most of the policy generator tools will help you create a policy reference file for your site too. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances you will have just one policy reference file for your entire site. However, if you have a very large number of policies on your site or if you don't wish to provide information that would reveal the structure of your site (perhaps due to security considerations if parts of your site are password protected), you may wish to have multiple policy reference files.
On most sites this can be done by simply placing the P3P policy and policy reference files on the web server in the proper locations. However, some sites will want to configure their servers to send a special P3P header with every HTTP response, and some will want to add <LINK> tags to their HTML content. Some sites will also want to send compact versions of P3P policies with SET_COOKIE requests.
The W3C P3P Validator tool can be used to test your site and report back a list of any problems it finds. Of course, this tool cannot verify that your P3P policy matches your privacy policy or that either policy conforms to your actual practices. But it can make sure that your policy and policy reference files are syntactically correct and that you've configured everything properly. You can try the W3C P3P Validator at http://www.w3.org/P3P/validator/.
Your policy should include enough detail to answer the questions you will have to answer to create a P3P policy. Here's a basic outline of the points that you should cover:
The name and contact information for your company or organization.
A statement about the kind of access you provide (do you let people find out what information you hold about them, and if so, how can they get this access?).
A statement about what privacy laws you comply with, what privacy seal programs you participate in, and other mechanisms available to your customers for resolving privacy disputes. This statement may also describe what remedies you offer should a privacy policy breach occur.
A description of the kinds of data you collect. If your web site uses cookies, be sure to mention this too and explain how the cookies are used.
A description of how collected data is used, and whether individuals can opt-in or opt-out of any of these uses.
Information about whether data may be shared with other companies, and if so, under what conditions and whether or not consumers can opt-in or opt-out of this.
Information about your site's data retention policy, if any.
Information about how consumers can take advantage of opt-in or opt-out opportunities.
P3P doesn't cover web site security practices, but most privacy policies also include a statement about the site's commitment to security. And web sites with content aimed at children often describe their policy with respect to children's data.
If your privacy policy is fairly simple (or if you happen to enjoy writing XML), you may want to write your P3P policy and policy reference file by hand in XML, perhaps cutting and pasting from one of our examples. However, most people will probably opt to use a P3P policy generator program.
One good P3P policy generator you may want to try is the P3P Policy Editor from IBM. This tool features a drag-and-drop interface, shown in Figure C-2, that lets you edit P3P policies by dragging icons representing P3P data elements and data categories into an editing window. The tool also has pop-up windows that let you set the properties associated with each data element (purpose, recipient, etc.) and also fill out general information about the site's privacy practices. You can view the XML that has been created as you add each data element, as well as a corresponding human-readable version of the policy. There is also a useful errors tab that indicates problems with your policy, such as leaving out information in required fields. The tool comes with good documentation and a set of templates for typical web sites. This tool can also create policy reference files. It is available for free download from the IBM Alphaworks web site at http://www.alphaworks.ibm.com/tech/p3peditor.
The P3P specification has designated /w3c/p3p.xml as the "well-known location" for policy reference files. P3P user agents will check this location automatically for a policy reference file at every site they visit. If they can't find a policy reference file at a site, they will keep rechecking once every 24 hours if the user returns to that site.
Most web sites should be able to place their policy reference file at the well-known location without a problem. However, for sites that do not wish to do this, two alternatives are offered: sites can be configured to send a special P3P header with every HTTP response, or <LINK> tags can be embedded in HTML documents that give the location of the policy reference file.
The HTTP header alternative is most useful for sites that have decided to use multiple policy reference files. It allows sites to send a pointer to the policy reference file applicable to each request. The downside of using the HTTP header instead of the well-known location is that there is no way for a user agent to know a site's policy before requesting a resource. Thus, some user agents may suppress cookies, referer headers, or other information until they receive the P3P response header.
The HTML <LINK> tag alternative was designed primarily for sites in which content providers have access only to a designated area of the web server (which does not include the /w3c directory) and do not have the ability to configure the server to send extra HTTP response headers. For example, students who wish to provide a privacy policy on a personal home page hosted on a university server, or individuals or organizations with sites that do not have their own domain, may wish to use this alternative. This alternative has the same drawbacks as the HTTP header. In addition, sites that wish to use this alternative must add a <LINK> tag to every HTML document that is covered by the P3P policy, which may be a time-consuming task. Also, if visitors request non-HTML documents (images, PostScript, or PDF files, etc.) directly without following a link from an HTML document on that site, their user agents may be unable to find the policy reference file when <LINK> tags are used.
P3P-enabled web sites have the option of providing short summaries of their policies with respect to cookies in HTTP response headers that accompany SET_COOKIE headers. These compact policies are designed as an optimization to allow for cookie processing to proceed at the same time that a full P3P policy is being evaluated. Sites can only use compact policies if they set cookies, and if their cookie-related statements in their full P3P policy do not include mandatory extensions. While the compact policy is entirely optional for P3P-enabled web sites, note that some of the early P3P user agent implementations rely heavily on the compact policy for example, the Microsoft Internet Explorer 6 P3P user agent.
A site that uses compact policies would have a policy reference file and a full P3P policy just like any other P3P-enabled web site. In addition, the site would configure its web server to include a P3P header with all of its responses that contain SET_COOKIE requests (or with every response). Here is an example of what such a server response might look like:
HTTP/1.1 200 OK P3P: policyref="http://cookie.example.com/w3c/p3p.xml", CP="NON DSP ADM DEV PSD CUSo OUR IND STP PRE NAV UNI" Content-Type: text/html Content-Length: 8934 Server: CC-Galaxy/1.3.19
Most of the P3P policy generator tools will also generate compact policies.
only for RuBoard - do not distribute or recompile |