Overview of P3P
P3P (Platform for Privacy Preferences Project) v1.0 requires that a web site have a Privacy Policy, a Policy Reference File, and a human-readable Privacy Policy (http://www.w3c.org/p3p).
The P3P Privacy Policy statements can apply to the entire site or to a portion of it, and they describe what data is collected and how the site uses it. The P3P Privacy Policy is written in XML. A statement will:
- use the P3P vocabulary to identify the legal entity making the representation of the privacy practices in the policy,
- enumerate the types of data or data elements collected and explain how the data will be used,
- identify the data recipients,
- make disclosures about dispute resolution,
- and indicate the address of the human-readable Privacy Policy.
The P3P Privacy Policy is located by one of the following:
- publishing it at the predefined location /p3p/policy1.xml (the preferred location, but this only works for an organization that owns the entire site),
- indicating its presence by sending an HTTP response header (detailed below) that points to its location (this header should be included in the responses to all requests, including HEAD and OPTIONS),
- or referencing it with a <link> element in the HTML (slowest performance).
The Policy Reference File points the browser to the applicable P3P Privacy Policy. It includes:
- the URL of the site’s P3P Privacy Policy,
- which directories or files are covered by the P3P Privacy Policy,
- either a general policy for all cookies or parameters for each cookie,
- and an expiration for the Policy.
The Policy Reference File is found at one of the following:
- the predefined location /w3c/p3p.xml,
- a reference in the HTML content using the <link> element (not recommended),
- or the P3P HTTP header sent by the server.
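The following is an added example, not code from the original page or from the W3C: it builds a Policy Reference File with the four pieces of information listed above (policy URL, covered paths, a cookie rule, an expiry), parses it back, and answers the question a user agent asks, namely which policy covers a given request path. Element names and the namespace follow the P3P 1.0 specification; the policy URL, path patterns and max-age are constructed values, and the first-match rule across several POLICY-REF elements is an assumption of this example.

```python
"""Build a P3P Policy Reference File and check which paths it covers (added example)."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # namespace from the P3P 1.0 specification


def build_policy_reference(policy_uri, includes, excludes=(), max_age=86400, cookie_all=True):
    """Return the XML text of a Policy Reference File: the policy URL (POLICY-REF about=),
    the directories/files it covers (INCLUDE/EXCLUDE), a cookie rule and an expiry."""
    meta = ET.Element("META", xmlns=P3P_NS)
    refs = ET.SubElement(meta, "POLICY-REFERENCES")
    ET.SubElement(refs, "EXPIRY", {"max-age": str(max_age)})
    ref = ET.SubElement(refs, "POLICY-REF", about=policy_uri)
    for pattern in includes:
        ET.SubElement(ref, "INCLUDE").text = pattern
    for pattern in excludes:
        ET.SubElement(ref, "EXCLUDE").text = pattern
    if cookie_all:
        # One general rule for all cookies; per-cookie parameters would name/domain/path instead.
        ET.SubElement(ref, "COOKIE-INCLUDE", name="*", value="*", domain="*", path="*")
    return ET.tostring(meta, encoding="unicode")


def parse_policy_reference(xml_text):
    """Parse a reference file into a list of (policy_uri, includes, excludes) tuples."""
    root = ET.fromstring(xml_text)
    ns = {"p": P3P_NS}
    result = []
    for ref in root.findall("p:POLICY-REFERENCES/p:POLICY-REF", ns):
        result.append((
            ref.get("about"),
            [e.text for e in ref.findall("p:INCLUDE", ns)],
            [e.text for e in ref.findall("p:EXCLUDE", ns)],
        ))
    return result


def _match(pattern, path):
    # P3P path patterns use '*' as their only wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def policy_for_path(refs, path):
    """Return the policy URI covering `path`, or None when no policy applies.
    A path is covered by a POLICY-REF when it matches an INCLUDE and no EXCLUDE of that
    reference (EXCLUDE wins). Assumption: the first matching POLICY-REF applies."""
    for policy_uri, includes, excludes in refs:
        if any(_match(p, path) for p in excludes):
            continue
        if any(_match(p, path) for p in includes):
            return policy_uri
    return None


if __name__ == "__main__":
    # Constructed sample: one policy for the whole site except the CGI directory.
    xml_text = build_policy_reference("/w3c/policy1.xml#policy1", ["/*"], ["/cgi-bin/*"])
    print(xml_text)
    refs = parse_policy_reference(xml_text)
    for path in ("/index.html", "/cgi-bin/search"):
        print(path, "->", policy_for_path(refs, path))
```

Serve the generated text at /w3c/p3p.xml (or point the P3P header's policyref at it) and keep the EXPIRY short enough that policy changes reach browsers that cached the file.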
The human-readable Privacy Policy is a document outlining the privacy practices of the site. The P3P Privacy Policy contains a link to this document.
The current P3P standard uses Compact Policies to summarize the portion of the P3P Privacy Policy that applies to cookies set by all objects on the site. These policies can only be sent as part of the HTTP header of the object that is setting the cookies. This allows the browser to process the cookies together with the policy and make decisions. The policies set in the Compact Policy must be consistent with the full Privacy Policy in order to comply with the W3C standard. A P3P Compact Policy consists of tokens that indicate the function of the cookie. For additional information on Compact Policies and their implementation in Internet Explorer 6.0 go to Microsoft.com.
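As an added example (not from the original page or from Microsoft), the block below builds the P3P response header with a Compact Policy, parses one back into its policyref and tokens, and audits a set of responses for the two defects a reviewer looks for: a Set-Cookie sent without a Compact Policy, and a token outside the P3P vocabulary that a P3P-aware browser would not honour. The token lists follow P3P 1.0 section 4; the sample responses and the example.test URLs are constructed.

```python
"""Emit and audit the P3P HTTP response header carrying a Compact Policy (added example)."""
import re

# Compact policy tokens from P3P 1.0 section 4. Purpose and recipient tokens may carry a
# one-letter suffix: a = always, i = opt-in, o = opt-out (e.g. IVAi, OURa).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES_REMEDIES = {"DSP", "COR", "MON", "LAW"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
            "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"NID", "TST"}
SUFFIXED = PURPOSE | RECIPIENT
ALL_TOKENS = ACCESS | DISPUTES_REMEDIES | PURPOSE | RECIPIENT | RETENTION | CATEGORY | OTHER


def token_is_valid(token):
    """True when `token` is a P3P compact policy token (with a legal suffix, if any)."""
    base, suffix = token[:3], token[3:]
    if base in SUFFIXED:
        return suffix in ("", "a", "i", "o")
    return suffix == "" and base in ALL_TOKENS


def build_p3p_header(policyref, cp_tokens):
    """Value of the P3P header to send on the response that sets the cookie."""
    bad = [t for t in cp_tokens if not token_is_valid(t)]
    if bad:
        raise ValueError(f"unknown compact policy tokens: {bad}")
    return f'policyref="{policyref}", CP="{" ".join(cp_tokens)}"'


_DIRECTIVE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_p3p_header(value):
    """Return (policyref or None, list of CP tokens) from a P3P header value."""
    fields = {k.lower(): v for k, v in _DIRECTIVE.findall(value)}
    return fields.get("policyref"), fields.get("cp", "").split()


def audit_responses(responses):
    """responses: list of (url, headers) with lower-cased header names.
    Returns (url, finding) pairs for cookies set without a compact policy and for
    tokens outside the vocabulary."""
    findings = []
    for url, headers in responses:
        p3p = headers.get("p3p")
        if "set-cookie" in headers and not p3p:
            findings.append((url, "Set-Cookie without P3P compact policy"))
            continue
        if p3p:
            _, tokens = parse_p3p_header(p3p)
            for t in tokens:
                if not token_is_valid(t):
                    findings.append((url, f"unknown CP token {t}"))
    return findings


# Constructed sample responses, not captured traffic.
SAMPLE_RESPONSES = [
    ("https://example.test/", {
        "set-cookie": "sid=abc; Path=/",
        "p3p": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADMa DEVa OUR BUS UNI NAV INT STA"'}),
    ("https://example.test/track", {"set-cookie": "t=1"}),
    ("https://example.test/img", {"p3p": 'CP="NOI ZZZ"'}),
]

if __name__ == "__main__":
    print("P3P:", build_p3p_header("/w3c/p3p.xml", ["NOI", "DSP", "COR", "CUR", "OUR", "BUS"]))
    for url, finding in audit_responses(SAMPLE_RESPONSES):
        print(url, "-", finding)
```

The audit is only a syntax check: it cannot tell whether the tokens truthfully summarize the full XML policy, which is the consistency the W3C standard requires and which has to be reviewed by hand.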