P3P Planning
P3P policies can be deployed using your existing Web server software. However, there are four requirements: You must publish a human-readable privacy policy, translate it using P3P, create a policy reference file, and enable UAs to locate the policy reference file.
Deploying a P3P policy on your site requires a privacy policy that details the information you collect from users and the means by which you collect it. The policy also should cover how long you retain the information and how you use it and share it. Deploying one general policy for the entire site is simplest, but it may not cover all your needs. Using different policies linked to different URLs allows each policy to be more specific as the site collects information.
P3P policy statements are a quick payload for browsers and weigh in at about 10 KB. Because they contain links pointing to a human-readable version of the privacy policy, that policy must be published with the machine-readable, XML version. A human-readable privacy policy at syr-real-world.com/privacy.htm might include the information in "Sample Human-Readable Privacy Policy."
To translate this abbreviated, human-readable policy into a machine-readable policy, the information needs to be mapped to corresponding data elements according to P3P (see "Sample Machine-Readable Privacy Policy"). Coding the elements in XML using syr-real-world.com's information produces the policy in "Sample P3P Policy" (below right).
Once the P3P policy file is encoded and saved to /P3P/privacy.xml, a policy reference defines the scope of a P3P policy and enables UAs to locate it. A policy reference file for the entire syr-real-world.com site would look like "Sample Policy Reference File."
Policy reference files use the same syntax as that of P3P policies. They are placed in conspicuous locations (as specified by P3P), such as /w3c/p3p.xml, for browsers to find. Otherwise, you can add an extra HTTP header to each reply giving the location of the reference file or place a link to the reference file in the source code of each HTML page.
If a site uses cookies, a P3P policy needs to disclose that as well as how the cookies are used. Typically, a site can disclose all cookies being sent to browsers with a single policy; this can be done by putting one <COOKIE-INCLUDE> element in the policy reference file. Cookie use is also disclosed in the P3P policy using Base Data Schema. And because cookies can collect different types of data, data categories are used to distinguish them. The following may appear in a P3P policy describing cookies that collect demographic data capable of identifying an individual online or in the physical world:
<DATA-GROUP>
<DATA ref="#dynamic.cookies">
<CATEGORIES><demographic/><online/><physical/></CATEGORIES>
</DATA>
</DATA-GROUP>
A site also may assign separate policies to individual cookies where they have different data-collection practices. This, however, requires one policy for each cookie, and the policy reference file must specify each cookie by name.
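The scoping rules described above can be checked mechanically before a policy reference file is published. The following Python sketch is an added example, not part of the original article or of any P3P tool: it resolves which policy covers a given URL path or cookie, so uncovered paths and cookies show up as None. The sample file is constructed using P3P 1.0 Recommendation syntax; /P3P/tracker.xml, the visitor_id cookie, the /partners/ path and the policy fragment names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy reference file (not from the article).
# Only /P3P/privacy.xml comes from the text; every other name is hypothetical.
SAMPLE_REF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/P3P/tracker.xml#tracker">
   <COOKIE-INCLUDE name="visitor_id" value="*" domain="*" path="*"/>
  </POLICY-REF>
  <POLICY-REF about="/P3P/privacy.xml#general">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/partners/*</EXCLUDE>
   <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _glob(pattern, text):
    # In a policy reference file "*" is the only wildcard character.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, text, re.S) is not None

def _refs(xml_text):
    # Document order matters: the first POLICY-REF that applies wins.
    return [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "POLICY-REF"]

def policy_for_uri(xml_text, path):
    """Return the policy URI covering a local path, or None if uncovered."""
    for ref in _refs(xml_text):
        pats = {t: [c.text.strip() for c in ref if _local(c.tag) == t and c.text]
                for t in ("INCLUDE", "EXCLUDE")}
        if (any(_glob(p, path) for p in pats["INCLUDE"])
                and not any(_glob(p, path) for p in pats["EXCLUDE"])):
            return ref.get("about")
    return None

def policy_for_cookie(xml_text, **cookie):
    """Return the policy URI covering a cookie (name, value, domain, path)."""
    def hit(ref, tag):
        # Assumption: an omitted attribute is treated as the wildcard "*".
        return any(all(_glob(c.get(a, "*"), cookie.get(a, ""))
                       for a in ("name", "value", "domain", "path"))
                   for c in ref if _local(c.tag) == tag)
    for ref in _refs(xml_text):
        if hit(ref, "COOKIE-INCLUDE") and not hit(ref, "COOKIE-EXCLUDE"):
            return ref.get("about")
    return None
```

Because the first matching POLICY-REF applies, the cookie-specific entry has to precede the site-wide one; reversing the order would silently put visitor_id under the general policy.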
P3P Prospects
The P3P Specification Workgroup, consisting of representatives from the computer industry, government organizations and educational institutions, has advanced P3P to the W3C's candidate-recommendation stage (see www.w3.org/Consortium/Process/Process-19991111/). The members include representatives from AT&T, DoubleClick, IBM, Microsoft, Netscape and Nokia, as well as American Express, Citigroup, MIT and the University of California at Irvine.
At this stage, the W3C considers P3P stable, solicits comments and encourages implementations. From here, the W3C will advance P3P as a proposed recommendation or return it to working-draft status. To advance, certain milestones -- including developing a tool to generate P3P policies and policy reference files, a browser supporting all the functionality required by P3P, and at least 10 P3P-enabled production sites -- must be reached.
IBM and Youpowered are advancing the P3P agenda by supplying tools to generate and update P3P policies. Youpowered's Orby Privacy Plus software can parse P3P policies. IDcide says it plans to incorporate P3P in its Privacy Companion. But the next iterations of Netscape Navigator and Microsoft Internet Explorer will not be fully compliant, and the list of sites sporting P3P policies lacks brand names (see www.w3.org/P3P/compliant_sites). If P3P is to succeed, popular browsers and large ISPs need to get on board.
Sean Doherty is a technology editor based at Network Computing's Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he planned and helped develop the infrastructure behind a campuswide, centrally supported applications and storage system. He wrote our June 25 cover story, "Monitoring and Privacy: Is Your Head Still in the Sand?" Send your comments on this article to him at sdoherty@nwc.com.