P3P - Making Your Site Compliant

Dean Bloomfield

What is P3P?

P3P is the Platform for Privacy Preferences Project. It was developed by the W3C (World Wide Web Consortium) as a protocol for providing automated privacy information to end users, giving them more control over their own personal information at the web sites they visit.

P3P websites offer privacy information in a machine-readable format, and P3P-enabled browsers can read this and compare it to the user's own privacy preferences. This protocol provides a standardization of privacy statements and presents them in a format that allows surfers to act on the information they are given.

How do I implement P3P on my site?

First, you need a privacy statement for your site that surfers can read, or you can use the HTML privacy statement that is generated with the P3P editor we're going to download. Download P3P Editor. This link will take you to the alphaWorks site, simply click on the download button in the upper right-hand corner and follow the instructions.

The P3P Editor

If the editor installed the first time, great. If you got an error stating that the JVM could not be found, you need to download the Java Environment Runtime file which is located here: JER Download. Follow the link and scroll down to the download button. The P3P editor and the JER file total about 11 megs so if you are on a slow connection get a cup of coffee.

After installation of both downloads you're ready to begin making your website P3P compliant.

The P3P Editor will create four files, a policy file, written in XML, a reference file, written in XML, a compact policy* and an HTML version of the privacy statement that you can use on your site as your privacy statement if you don't wish to reference your site's current privacy statement, or if your site doesn't have one.

In addition to the four files already mentioned, I recommend creating two additional HTML files, an opt_out.htm and a dispute.htm. Before opening the editor, create a w3c directory and a privacy directory on your server. If you don't have access to create your own directories you can still make your site P3P compliant, I'll address that at the end of this tutorial. For now let's get on to actually creating the files you need.

The editor comes with instructions, lots of them. What you need to know is quite simple though. Open the editor and after a few seconds a screen will appear presenting four options: Create A Blank Policy, Create A Policy From a Template, Edit an Existing Policy or View The Getting Started Guide. For now, choose Create a Policy From a Template. You will be presented with 6 more options. If you understand XML completely, and wish to wander off on your own from here, please feel free. If you aren't comfortable with XML I suggest selecting Access Logging and User Tracking. Nearly all websites do this in one form or another. Select Okay, and the screen will change to one with 5 tabs on the bottom section; the Error tab may be highlighted. Don't worry about those tabs yet.

Creating Your P3P Policy

At the right-hand side of the application, there's an icon of a hand holding a page. Click that. A screen will appear presenting Privacy Policy Properties. The Organization tab will be selected by default. Fill in the information fields, and please note that all information is required. After supplying the required information, move on to the Websites tab. For Policy Name, I suggest using policy1.xml. This allows for more than one privacy statement later and uses the proper syntax required by XML. Remember that opt_out.htm file I mentioned earlier? This is where you enter that URL. It's important to keep track of this, as you will need to name the files correctly and upload them into the proper directory in order to validate your site later. Move on to the URL of the human-readable privacy policy and enter the URL. Click Okay and move on to the Access tab. The Access field presents 6 options; read them all and decide which one is correct for your site. I allow user access to all identifiable information, so I chose All Information on the User.

After clicking Okay, it's on to the Assurances field. A screen will appear with a blank section and an Add button. Click Add and a new screen will appear with three new tabs: General, Remedies and Image. General is selected by default and asks for a name, a URL and a type. Choose whatever name you like, keeping in mind that this is the page users will be sent to if they have a dispute regarding your privacy policy. This is also the field where you enter the URL of the dispute.htm file you created earlier. You did create that file, right? If you didn't, it's okay, but you need to remember the name of the file and the URL in order to make sure that you get the files in the right place. For Type I chose Customer Service. You can leave the Description field blank for the moment and click Okay. Click the Remedies tab and you will be presented with three options; I chose the first one, but you are free to choose the remedy you prefer. The Image tab is for your certification image if you have one. Enter the information for your certification (don't worry about it if you don't have one) and click Okay. The last field is Expiry; simply enter the date you wish your policy to expire on. Click Okay.

You should return to the New Policy screen, and the Errors tab should no longer be highlighted. A message should appear in the bottom text window stating that No errors have been detected in this policy. Your policy files have been created, now they just need to be saved.

The Reference File

Click File, then select Create Reference File. If you have one policy, select the One Policy radio button and click Next. You then need to fill in the URL information. It's important, if you can, to upload this file, which you will save as p3p.xml, to the w3c directory you created. This saves you from having to add a link to every page, or from using HTTP headers, to allow for validation and compliance. Your URL should look like this: w3c/policy/#p3p.xml. The hash mark is required and the editor will display an error message if it isn't in the path. Click Okay and it will create the reference file, then click Finish, save the file as p3p.xml (type that into the box), and save it where you can find it. I saved it to the desktop.

Your Policy File

Repeat the process for your policy file, saving it as policy1.xml.

Your HTML File

There's an option to save HTML File in the same menu you saved your other files in. This CAN be your human readable privacy statement. Simply save it as privacy.htm and upload it to the directory referenced in your XML policy.

Uploading the Files

Upload your p3p.xml file to the w3c directory. Upload your policy1.xml file to the privacy directory. Upload the other files, HTML privacy statement, dispute.htm, and opt_out.htm to the directory you referenced while creating your p3p policy. Using privacy as the default directory makes this quite simple.

Now you're ready to validate

Go to http://www.w3.org/P3P/validator/20010928/ and type in your URI. If you validate, and you should, you can send your URL to the list of P3P compliant sites for inclusion that is listed at the validation site.

If you uploaded your reference file to the w3c directory, you can ignore the NO Link and NO HTTP header errors the validator produces. If you can't create your own directories, you need to append <link rel="P3Pv1" href="http://www.yourdomain.com/w3c/p3p.xml"> to every page on your site. Congratulations. You are now P3P Compliant.

A note about the compact policy

I get more questions about the compact policy than any other issue associated with P3P. First, the FACTS.

Compact Policies are optional*. The following is from the W3C:

Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy. (Source: http://www.w3c.org/TR/P3P/)

* Important Update

Regardless of what the W3C states regarding compact policies, this is what Microsoft has to say:

Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?
Answer: Although compact policies are optional for P3P compliance, they are required by Microsoft® Internet Explorer to determine the Web site's privacy practices concerning cookies.

I'm still being told by the W3C that compact policies aren't needed at all in order for a site to be compliant with P3P. However, to satisfy Microsoft, if your site uses cookies you must create and upload the compact policy and reference it with HTTP headers.
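The header Microsoft wants is a single HTTP response header carrying both the reference-file URL and the compact policy tokens. As an added example that is not code from the original article or the IBM editor, the following Python checker parses such a header, reports any token outside the P3P 1.0 vocabulary and any mandatory policy group the compact policy fails to cover; the sample headers are the Yahoo and rip headers quoted in the comments below plus a constructed incomplete one.

```python
"""Parse and sanity-check a P3P compact policy (CP) header.

Added example, not code from the original article or the IBM editor. The
token table follows the P3P 1.0 Recommendation; tokens from earlier drafts
are reported as unknown rather than silently accepted.
"""
import re

# Compact-policy vocabulary grouped by the P3P policy element it abbreviates.
CP_GROUPS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "non-ident": {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                  "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":      {"TST"},
}
# Purpose and recipient tokens may carry a one-letter "required" suffix:
# a = always, i = opt-in, o = opt-out. The spec limits which tokens take one;
# this checker only verifies that the stem is known.
SUFFIXED = ("purpose", "recipient")
# A policy about identifiable users must state at least these four elements;
# a non-identifiable (NID) policy may omit all but ACCESS.
MANDATORY = ("access", "purpose", "recipient", "retention")

# Headers quoted in the comments below (Yahoo/Geocities and rip's .htaccess),
# as they appear on the wire.
YAHOO_HEADER = ('policyref="http://www.yahoo.com/w3c/p3p.xml", CP="ALL DSP COR '
                'CUR ADM DEV CUSo PSA PSD IVAo IVDo CONo TELo OUR SAMo OTRo PUBo '
                'IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE GOV"')
RIP_HEADER = ('CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS IND UNI COM '
              'NAV INT" policyref="/w3c/p3p.xml"')

def parse_p3p_header(value):
    """Split a P3P header value into (policyref URL or None, list of CP tokens)."""
    ref = re.search(r'policyref\s*=\s*"?([^",\s]+)"?', value)
    cp = re.search(r'CP\s*=\s*"([^"]*)"', value)
    return (ref.group(1) if ref else None), (cp.group(1).split() if cp else [])

def classify(token):
    """Return the group a token belongs to, or None if it is not P3P 1.0 vocabulary."""
    for group, words in CP_GROUPS.items():
        if token in words:
            return group
        if group in SUFFIXED and token[-1:] in ("a", "i", "o") and token[:-1] in words:
            return group
    return None

def check_compact_policy(value):
    """Summarise a P3P header: tokens per group, unknown tokens, missing groups."""
    policyref, tokens = parse_p3p_header(value)
    groups, unknown = {}, []
    for tok in tokens:
        group = classify(tok)
        if group is None:
            unknown.append(tok)
        else:
            groups.setdefault(group, []).append(tok)
    required = MANDATORY[:1] if "non-ident" in groups else MANDATORY
    missing = [g for g in required if g not in groups]
    return {"policyref": policyref, "groups": groups,
            "unknown": unknown, "missing": missing}

if __name__ == "__main__":
    for header in (YAHOO_HEADER, RIP_HEADER, 'CP="NOI DSP"'):
        report = check_compact_policy(header)
        print(report["policyref"], "unknown:", report["unknown"],
              "missing:", report["missing"])
```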

DigitalGhost is a search engine optimization specialist who focuses on content development and stresses the importance of optimizing sites for the user and not just for the search engines.

A voracious reader (a book a day, every day, sometimes two or three), you're more apt to find him with a book in his hand than without.

When he's not reading or writing web copy, he's probably working on his poetry or short stories.

In his spare time he moderates two discussion forums (fora?) for Spider-Food.net, J.K. Bowman's excellent search engine optimization resource, and is currently developing another website devoted to technology information.

sapere aude

Usability?

Submitted by digitalghost on February 2, 2002 - 07:49.

If you use this tutorial to become compliant, would you please drop me a line and let me know? Please feel free to make suggestions. I'm currently fielding about 40 questions a day regarding P3P and I would like to use this tutorial as a generic response to many of these emails. Usability feedback would help much in this endeavor.

I understand that P3P has shortcomings and that it isn't a total solution to the privacy issue, however many corporations feel compelled to become P3P compliant and on large or complex sites that have MANY privacy policies this is a complicated process and people need all the help they can get.

Thank you.

DigitalGhost


Errors

Submitted by JAvedikian on February 5, 2002 - 07:55.

I used the IBM editor and I keep getting an error. If I put the # in the link like you said, it can't find my file. If I take it out, the validation gets a bit further but I still get this error: "The specified policy does not exist. Validation aborted." I tried to validate IBM's and they have the same error, but Microsoft's works fine.


Error resolved

Submitted by hpoe on February 5, 2002 - 15:34.

Yep, got that same error.

If your policy file is called policy1.xml and it sits in w3c/policy/,
instead try: w3c/policy/policy1.xml#policy1.xml

HTH

Cordially,
hpoe


Doesn't cover one of the most practical areas

Submitted by were on February 5, 2002 - 15:40.

While the article is very nice, it doesn't cover what I believe to be the area that may have the most impact in the first widespread P3P compliant browser, IE6.

Because of IE6's implementation of P3P, a site included from a 3rd party URL (e.g. ads.doubleclick.com if my domain is www.bigcompany.com) will not be able to set or get cookies. We were bitten recently by this on an intranet project. Some code was run out of one app, other code included in a frame out of a second. We added testing for IE6 when it entered beta and suddenly the included app just stopped working. We figured out that it was IE6's P3P support, looked at the specs and noticed the 3 methods for being compliant:

  • add a p3p file in a well known location (as covered above)
  • add a link to a p3p file via tag
  • add an HTTP header with the compact policy

We were able to quickly take the first option. We generated the file, uploaded it to the server and it still failed. Long story short, it turns out IE6 only honors the last of the 3 options.


P3P meta tag?

Submitted by hpoe on February 5, 2002 - 16:35.

So, is there anything like a meta http-equiv tag one might use?


Update Coming-

Submitted by digitalghost on February 5, 2002 - 21:42.

The hot topic on the W3C P3P mailing list is the apparent discrepancy between the W3C protocol and Micro$oft's seeming disregard for the implementation procedures.

I've asked a few of the W3C folks to join this thread and offer what they consider to be the "official resolution" regarding this issue. In several emails I have been told, "there is NO need for a Compact Policy implementation yet..." The following is from Yuichi Koike:

++Quote from User: Using the P3P validator at w3c.org, I receive the message, NO p3p header on step 2. Everything else validates. What is the proper syntax for this header?++End Quote

Reply

Sorry that the validator's output message is confusing. In order to be compatible with P3P, a web site needs to specify the policy reference file by one of /w3c/p3p.xml, an HTTP header, or an HTML tag.

Your site has /w3c/p3p.xml and HTML tag. So, you don't have to use HTTP header.

Just for your information, the syntax of the HTTP header is like below example:

P3P: policyref=http://www.yourdomain.com/p3p/w3c.xml

Regards,

--

Yuichi Koike ( koike@ay.jp.nec.com ) NEC Corporation Internet System Laboratory

End Of Reply

I expect more issues to surface regarding P3P and the implementation as more and more sites strive to become compliant.

Hopefully, with the help of the good people here we can keep this up to date and accurate. I sincerely appreciate the feedback. As I said at another forum, becoming P3P compliant was an internet odyssey and I hoped to take some of the hassle out of it for others that are trying to keep pace with the W3C. Once again, thanks for the heads up and I'll update this as soon as I have solid information regarding this. I believe in the original tutorial I was hesitant to offer much information on the compact policy because of the conflicting information. Hopefully, this will be resolved soon.

DigitalGhost ~sapere aude~


Syntax for Policy reference-

Submitted by digitalghost on February 6, 2002 - 12:17.

The following example shows a policy reference file that points to a single privacy policy that also covers a Web site's cookies.

  <META xmlns="http://www.w3.org/2000/12/p3pv1">
    <POLICY-REFERENCES>
      <POLICY-REF about="Full_P3P_Policy.xml">
        <INCLUDE>*</INCLUDE>
        <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
      </POLICY-REF>
    </POLICY-REFERENCES>
  </META>

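Most of the "#" confusion in this thread comes from how the about attribute of a POLICY-REF is resolved: relative URIs resolve against the reference file's own URL, and the fragment must name a POLICY inside the policy file. The following Python is an added example, not code from the article or the IBM editor; it parses a reference file like the one above and reports, for each POLICY-REF, the policy file URL and fragment a user agent would derive. The host www.example.com and the well-known location /w3c/p3p.xml for the reference file are assumptions.

```python
"""Resolve the policies named by a P3P policy reference file.

Added example, not part of the article or the IBM editor. It parses a
POLICY-REFERENCES document and reports, for each POLICY-REF, where its
about="..." URI points once resolved against the reference file's own URL,
because the policy file and the "#fragment" (the POLICY's name attribute)
are what the validator and user agents go looking for.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urldefrag

# Namespace of the P3P 1.0 Recommendation; the reference file quoted in the
# thread still carries an earlier working-draft namespace.
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Well-known location a user agent tries first (constructed host).
REF_URL = "http://www.example.com/w3c/p3p.xml"

# Reference file as quoted in the thread, with the HTML entities decoded.
THREAD_REF_FILE = """<META xmlns="http://www.w3.org/2000/12/p3pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="Full_P3P_Policy.xml">
      <INCLUDE>*</INCLUDE>
      <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _namespace(tag):
    """Return the namespace URI of a Clark-notation tag, or "" if there is none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def describe_about(about, ref_url=REF_URL):
    """Resolve one about="..." value the way a user agent would.

    Returns the policy file URL, the fragment that must match a POLICY's
    name attribute, and whether the URL names a file at all (a path ending
    in "/" points at a directory, so no policy file can be fetched from it).
    """
    url, fragment = urldefrag(urljoin(ref_url, about))
    return {"policy_url": url, "policy_name": fragment,
            "names_file": not url.endswith("/")}

def resolve_policy_refs(ref_xml, ref_url=REF_URL):
    """Parse a policy reference file and resolve every POLICY-REF in it."""
    root = ET.fromstring(ref_xml)
    result = {"namespace": _namespace(root.tag),
              "current_namespace": _namespace(root.tag) == P3P_NS,
              "refs": []}
    for ref in root.iter():
        if _local(ref.tag) != "POLICY-REF":
            continue
        entry = describe_about(ref.get("about", ""), ref_url)
        entry["include"] = [c.text for c in ref if _local(c.tag) == "INCLUDE"]
        entry["covers_cookies"] = any(_local(c.tag) == "COOKIE-INCLUDE" for c in ref)
        result["refs"].append(entry)
    return result

if __name__ == "__main__":
    # The two about values argued over in the thread, used verbatim.
    for about in ("w3c/policy/#p3p.xml", "w3c/policy/policy1.xml#policy1.xml"):
        print(about, "->", describe_about(about))
    print(resolve_policy_refs(THREAD_REF_FILE))
```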

HTTP headers...

Submitted by aardvark on February 10, 2002 - 12:49.

While debugging a site for a friend, I gathered the HTTP headers from the Geocities account on which she hosts. I was surprised to see this in the headers:

P3P: policyref="http://www.yahoo.com/w3c/p3p.xml", CP="ALL DSP COR CUR ADM DEV CUSo PSA PSD IVAo IVDo CONo TELo OUR SAMo OTRo PUBo IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE GOV"

Is that what IE6 looks for, or would the URL alone be adequate in the headers?


<http-equiv> and Compact Policy (update)

Submitted by hpoe on February 21, 2002 - 05:29.

Answering (part of) my own question regarding meta http-equiv tags:

Using the info provided in this very helpful(!) article I was able to make my site P3P compliant (and get it added to the list of P3P compliant sites at w3.org).

I was wondering about the error concerning P3P headers the P3P validator gave me, though. Also, reading were's remark that IE6 disregards P3P specifications in that it won't accept 3rd party cookies unless a compact policy is present, I was wondering how to supply the correct header info.

Summary:
I found three ways to supply P3P Compact Policy headers that validate with w3.org's P3P validator (w3.org/P3P/validator/20010928/).
  1. using a <meta http-equiv> tag
  2. using mod_headers on my Unix Apache server
  3. using PHP (or rather: adding it to phpCMS)

1. <meta http-equiv> tag
Before I started investigating this in more detail I thought I wasn't able to access the innards of my server, and have it send P3P headers by default. That's why I was hoping to figure out how to use a <meta http-equiv> tag to do this for me.

Using the then current version of the P3P validator (w3.org/P3P/validator/20010928/) at the time this article was first published, I found the following Compact Policy <meta http-equiv> validated as P3P compliant header:
<meta http-equiv="P3P" content='CP="CAO DSP AND SO ON" policyref="/w3c/p3p.xml"' />
(Note this is on a single line)
NOTE: While the above is still true as per the P3P specs, the latest version of the P3P validator (w3.org/P3P/validator/20020128/) throws an error that is explained thus:
2002/02/14 [Bug 01] The validator recognizes http-equiv headers in HTML documents. This is not a bug. However, almost all HTML user agents do not recognize http-equiv headers. Therefore, I will make the validator not to recognize them. Details about this issue are here.

2. Specifying P3P CP header using mod_headers
Since I found my server does not send the <meta http-equiv> tag's content as regular header I looked into this further, and found I could make this work server side after all. In an .htaccess file in my document root I now have the following mod_headers directive:
Header append P3P "CP=\"CAO DSP AND SO ON\" policyref=\"/w3c/p3p.xml\""
(Note this is on a single line)
The header directive can be used in a number of places: server config, virtual host, access.conf, and .htaccess. It lets Apache append the Compact Policy header to every document it serves — you don't need the <meta http-equiv> tag in this case. Again, this makes your headers validate in w3.org's P3P validator.

3. Adding Compact Policy headers in PHP
Since I'm using phpCMS on my site, method 2 only works for regular html documents. Any pages that are being parsed and served via PHP don't get the P3P header added through the mod_headers directive in the .htaccess file.

So I added the following to the list of headers sent by php(CMS):
Header("P3P: CP=\"CAO DSP AND SO ON\" policyref=\"/w3c/p3p.xml\"");
(Note this is on a single line)


IBM P3P Policy Editor updated

Submitted by hpoe on February 23, 2002 - 18:56.

FYI:

Update: February 21, 2002
Bug fix for compact policy generation; files generated are now compatible with the P3P Proposed Recommendation.

alphaworks.ibm.com/tech/p3peditor


htaccess used ~ but policy not found xp pro IE6

Submitted by rip on April 2, 2003 - 23:14.

Thank you so far for this info. In my htaccess file I have:
header append P3P 'CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS IND UNI COM NAV INT" policyref="/w3c/p3p.xml"'
When I check by going to IE6 > view > privacy report
I get a message that report not found.
I checked it at the validator and it seemed to work well, is there some info you could put here to help?

Thanks in advance Tammy


http headers

Submitted by PeterEkberg on March 22, 2004 - 03:53.

Hello all, I am new in this forum and felt a need to join because I am having trouble with making my site P3P compliant. I have created a policy as described by all of you here, but still I get the sign that tells me cookies are blocked. I suppose it has to do with HTTP headers. Can someone tell me exactly where I have to write this? I put a link tag in the default.asp file and when I check with the validator everything seems to be fine. I noticed someone mentioned the .htaccess file... where is this file? Do I have to create it? Thanks in advance, Peter


Re .htaccess BE CAREFUL

Submitted by monkeybreath on January 20, 2005 - 00:18.

.htaccess is invisible in most FTP programs. So, just because you can't see it listed on the remote server, this doesn't necessarily mean that the .htaccess file is not there! So, if you make your own .htaccess file and upload it over an existing one, it could lead to all sorts of other problems.

1. Get WSFTP Pro (it's the only FTP application that I know of that lets you see the .htaccess files on remote servers).
2. Read this forum snippet that I cut off a forum and pasted into my readme.txt of WSFTP. Luckily I did this, the forum seems to have disappeared now: "tube - I DL'd WS_FTP and put -a in the Remote File Mask and it worked! I can see the .htaccess files now. Thanks." I took this off a thread at: http://www.sitepointforums.com/archive/index/t-26706

Now about me. I went to http://www.w3.org/P3P/validator.html and I have just tried to validate my p3p policy and it tells me "HTML document has no P3P compliant link tags. Message: No valid P3P compliant 'link' element." What's that all about then??? Is that important? My multiple policies are showing up beautifully in AT & T Privacy Bird and IE 6. Do I need to care about this little element thingy?

Oh, and I've just noticed that the link tag gets removed from this forum post. Aaaaaaah, I see, I understand why I can't find any reference to it on any forums.


Compact Policy Generator

Submitted by sosh123 on March 16, 2005 - 10:20.

My company provides a free web based tool for generating compact policies. It does not generate the full XML policy, and is really intended for R&D purposes.

http://www.modelo.co.uk/index.asp?task=p3p

Hope some people might find it useful. You can link to it from the article if you wish.


Error Resolved

Submitted by andrew06 on February 16, 2006 - 22:10.

The previous solution to the error "Policy file not found" does not work any longer. If you would like to be able to validate your site then use this URL instead when creating your reference file: www.yoursite.com/w3c/policy/policy1.xml#policy1.xml where "yoursite" is the URL of the website you are trying to validate.

Also, as far as compact privacy policies are concerned, I spent several hours trying to get it to work and I was unsuccessful. Unless it is absolutely necessary for you to have one, I do not recommend it. To have a proper Compact Policy in place you must have Http_mods installed on your web server. My server did not, so I have determined that most Apache servers do not have the ability to install new HTTP headers without re-configuration.

Good luck on your P3P validation. I hope to see my site PaidSurveys4Free @ http://www.paidsurveys4free.com on the list of validated sites very soon.


Help!

Submitted by nateyork on February 7, 2007 - 22:51.

I am trying to get my site P3P ready and am having some issues I was hoping someone out there could help with. When I run the validate routine I get an error back: "/w3c/p3p.xml has invalid namespace http://www.w3.org/2002/01/P3Pv1". When I try to just validate the policy (policy1.xml) I get the same message. I have searched IBM and just googled it, but there is not a whole lot of information out there on this subject. Thanks for what is already here! Any help? Nate~


Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author; please do not redistribute or use elsewhere without checking with the author.