P3p Making Your Site Compliant
Posted on 01 Feb 2002
by Dean Bloomfield (digitalghost)
What is P3P?
P3P is the Platform for Privacy Preferences Project. It was developed by the W3C (World Wide Web Consortium) as a protocol for providing automated privacy information to the end user, giving them more control over their own personal information at the web sites they visit. P3P websites offer privacy information in a machine-readable format, and P3P-enabled browsers can read this and compare it to the user's own privacy preferences. This protocol standardizes privacy statements and presents them in a format that allows surfers to act on the information they are given.
How do I implement P3P on my site?
First, you need a privacy statement for your site that surfers can read, or you can use the HTML privacy statement that is generated with the P3P editor we're going to download. Download P3P Editor. This link will take you to the alphaWorks site; simply click on the download button in the upper right-hand corner and follow the instructions.
The P3P Editor
If the editor installed the first time, great. If you got an error stating that the JVM could not be found, you need to download the Java Runtime Environment file, which is located here: JER Download. Follow the link and scroll down to the download button. The P3P editor and the JER file total about 11 megs, so if you are on a slow connection get a cup of coffee.

After installation of both downloads you're ready to begin making your website P3P compliant. The P3P Editor will create four files: a policy file, written in XML; a reference file, written in XML; a compact policy*; and an HTML version of the privacy statement that you can use on your site as your privacy statement if you don't wish to reference your site's current privacy statement, or if your site doesn't have one. In addition to the four files already mentioned, I recommend creating two additional HTML files, opt_out.htm and dispute.htm. Before opening the editor, create a w3c directory and a privacy directory on your server. If you don't have access to create your own directories you can still make your site P3P compliant; I'll address that at the end of this tutorial. For now let's get on to actually creating the files you need.

The editor comes with instructions, lots of them. What you need to know is quite simple though. Open the editor and after a few seconds a screen will appear presenting four options: Create A Blank Policy, Create A Policy From a Template, Edit an Existing Policy, or View The Getting Started Guide. For now, choose Create a Policy From a Template. You will be presented with 6 more options. If you understand XML completely and wish to wander off on your own from here, please feel free. If you aren't comfortable with XML, I suggest selecting Access Logging and User Tracking. Nearly all websites do this in one form or another. Select Okay, and the screen will change to one with 5 tabs on the bottom section; the Error Tab may be highlighted.
Don't worry about those tabs yet.
The Reference File
Click File, then select Create Reference File. If you have one policy, select the One Policy radio button and click Next. You then need to fill in the URL information. If you can, it's important to upload this file, which you will save as p3p.xml, to the w3c directory you created. This keeps you from having to add a link to every page, or from using HTTP headers, to allow for validation and compliance. Your URL should look like this: w3c/policy/#p3p.xml. The hash mark is required, and the editor will display an error message if it isn't in the path. Click Okay and it will create the reference file; then click Finish, type p3p.xml into the box as the file name, and save it where you can find it. I saved it to desktop.
Your Policy File
Repeat the process for your policy file, saving it as policy1.xml.
Your HTML File
There's an option to save an HTML file in the same menu you saved your other files in. This CAN be your human-readable privacy statement. Simply save it as privacy.htm and upload it to the directory referenced in your XML policy.
Uploading the Files
Upload your p3p.xml file to the w3c directory. Upload your policy1.xml file to the privacy directory. Upload the other files (the HTML privacy statement, dispute.htm, and opt_out.htm) to the directory you referenced while creating your p3p policy. Using privacy as the default directory makes this quite simple.
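Before running the W3C validator, it helps to check the two XML files the editor produced against each other: every POLICY-REF in the reference file must name a policy through a fragment (the hash mark the editor insists on), that policy must exist in policy1.xml, and its discuri/opturi should point at the dispute and opt-out pages recommended above. The following script is an added example, not part of the original article and not output of the IBM P3P Editor; the two XML documents embedded in it are constructed to mirror the /w3c/p3p.xml and /privacy/policy1.xml layout described in this tutorial, and the element names follow the P3P 1.0 schema.

```python
"""Sanity-check a P3P policy reference file against its policy file.

Added example (not from the article or the P3P Editor). The XML below is
constructed to match the directory layout the article recommends.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # P3P 1.0 namespace

# Constructed /w3c/p3p.xml: each POLICY-REF points at a named policy via
# a #fragment, and INCLUDE/EXCLUDE say which site paths it covers.
REFERENCE_XML = """<?xml version="1.0"?>
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/privacy/policy1.xml#policy1">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""

# Constructed /privacy/policy1.xml: an access-logging style policy whose
# discuri/opturi point at the dispute.htm and opt_out.htm pages.
POLICY_XML = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="policy1"
          discuri="/privacy/dispute.htm"
          opturi="/privacy/opt_out.htm">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Site (constructed)</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""


def policy_refs(reference_xml):
    """Return the about= target of every POLICY-REF in a reference file."""
    root = ET.fromstring(reference_xml)
    return [ref.get("about", "") for ref in root.iter(f"{{{P3P_NS}}}POLICY-REF")]


def policies(policy_xml):
    """Map each POLICY name to its (discuri, opturi) attribute pair."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("name"): (p.get("discuri"), p.get("opturi"))
        for p in root.iter(f"{{{P3P_NS}}}POLICY")
    }


def data_collected(policy_xml):
    """Return the DATA ref= values declared inside STATEMENT blocks."""
    root = ET.fromstring(policy_xml)
    refs = set()
    for stmt in root.iter(f"{{{P3P_NS}}}STATEMENT"):
        for d in stmt.iter(f"{{{P3P_NS}}}DATA"):
            refs.add(d.get("ref"))
    return refs


def check_reference(reference_xml, policy_xml):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    named = policies(policy_xml)
    for about in policy_refs(reference_xml):
        fragment = urlsplit(about).fragment
        if not fragment:
            problems.append(f"POLICY-REF {about!r} has no #fragment")
            continue
        if fragment not in named:
            problems.append(f"no POLICY named {fragment!r} for {about!r}")
            continue
        discuri, opturi = named[fragment]
        if not discuri:
            problems.append(f"policy {fragment!r} lacks discuri")
        if not opturi:
            problems.append(f"policy {fragment!r} lacks opturi")
    return problems


if __name__ == "__main__":
    print("problems:", check_reference(REFERENCE_XML, POLICY_XML))
    print("data declared:", sorted(data_collected(POLICY_XML)))
```

To use it on your own files, read /w3c/p3p.xml and /privacy/policy1.xml from disk and pass their contents to check_reference; a non-empty list is the kind of error the online validator would also report.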
Now you're ready to validate
Go to http://www.w3.org/P3P/validator/20010928/ and type in your URI. If you validate, and you should, you can send your URL to the list of P3P-compliant sites for inclusion; the list is linked from the validation site.

If you uploaded your reference file to the w3c directory, you can ignore the NO Link and NO HTTP header errors the validator produces. If you can't create your own directories, you need to append <link rel="P3Pv1" href="http://www.yourdomain.com/w3c/p3p.xml"> to every page on your site. Congratulations. You are now P3P compliant.
A note about the compact policy
I get more questions about the compact policy than any other issue associated with P3P. First, the FACTS. Compact policies are optional*. The following is from the W3C:
Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy. http://www.w3c.org/TR/P3P/
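The three discovery mechanisms mentioned in this tutorial (the well-known /w3c/p3p.xml location, the link element, and the P3P HTTP header carrying a policyref and an optional compact policy) are what a user agent tries before deciding whether the compact policy alone is enough. The script below is an added example, not code from the article, the W3C or Microsoft; the response headers and HTML page in it are constructed, and the rule in should_fetch_full_policy (fetch the full policy when no CP is sent, or when it lacks a purpose, recipient or retention token) is an assumed reading of the W3C paragraph quoted above, not a rule the specification states in those words.

```python
"""Locate a site's P3P policy reference and decide whether the compact
policy (CP) in the P3P header is enough to act on.

Added example; the sample headers, HTML and decision rule are assumptions.
"""
import re

# Constructed response: carries both the P3P header and the link element.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"',
}
SAMPLE_HTML = '<html><head><link rel="P3Pv1" href="/w3c/p3p.xml"></head></html>'

LINK_RE = re.compile(r'<link\s+[^>]*rel="P3Pv1"[^>]*href="([^"]+)"', re.I)
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Compact-policy token groups from P3P 1.0 (purpose and recipient tokens may
# carry an a/i/o suffix for always / opt-in / opt-out).
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}


def parse_p3p_header(value):
    """Split a P3P header into its policyref and the list of CP tokens."""
    fields = dict(KV_RE.findall(value or ""))
    return {"policyref": fields.get("policyref"), "CP": fields.get("CP", "").split()}


def discovery_sources(headers, html, well_known_present):
    """List where a user agent could find the policy reference file.

    well_known_present says whether /w3c/p3p.xml exists on the server,
    the location the article recommends because it needs no per-page link."""
    found = []
    if well_known_present:
        found.append("/w3c/p3p.xml")
    hdr = parse_p3p_header(headers.get("P3P"))
    if hdr["policyref"]:
        found.append(f"header:{hdr['policyref']}")
    m = LINK_RE.search(html or "")
    if m:
        found.append(f"link:{m.group(1)}")
    return found


def decode_compact_policy(tokens):
    """Sort CP tokens into purpose / recipient / retention / other groups."""
    groups = {"purpose": set(), "recipient": set(), "retention": set(), "other": set()}
    for tok in tokens:
        base = tok[:3].upper()  # strip the a/i/o suffix where present
        if base in PURPOSE:
            groups["purpose"].add(base)
        elif base in RECIPIENT:
            groups["recipient"].add(base)
        elif base in RETENTION:
            groups["retention"].add(base)
        else:
            groups["other"].add(tok.upper())
    return groups


def should_fetch_full_policy(headers):
    """Assumed rule: the CP is only a hint, so fall back to the full policy
    when there is no CP or it says nothing about purpose, recipient or
    retention of the data collected."""
    hdr = parse_p3p_header(headers.get("P3P"))
    if not hdr["CP"]:
        return True
    g = decode_compact_policy(hdr["CP"])
    return not (g["purpose"] and g["recipient"] and g["retention"])


if __name__ == "__main__":
    print(discovery_sources(SAMPLE_HEADERS, SAMPLE_HTML, True))
    print(decode_compact_policy(parse_p3p_header(SAMPLE_HEADERS["P3P"])["CP"]))
    print("fetch full policy:", should_fetch_full_policy(SAMPLE_HEADERS))
```

The same parse_p3p_header call is a quick way to check what your own server is sending: if the header has a policyref but no CP, a browser that decides on compact policies alone (the Microsoft behaviour discussed next) will see no compact policy at all.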
* Important Update
Regardless of what the W3C states regarding compact policies, this is what Microsoft has to say:
Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?