Skip to page content or Skip to Accesskey List.

Work

Main Page Content

P3p Making Your Site Compliant

Rated 3.89 (Ratings: 9)

Want more?

 

Dean Bloomfield

Member info

User since: 11 Aug 2001

Articles written: 3

What is P3P?

P3P is the Platform for Privacy Preferences Project. It was developed by the W3C, (World Wide Web Consortium) as a protocol for providing automated privacy information to the end user, giving them more control over their own personal information at the web sites they visit.

P3P websites offer privacy information in a machine readable format and P3P enabled browsers can read this and compare it to their own privacy standards. This protocol provides a standardization of privacy statements and presents it in a format that allows surfers to act on the information they are provided with.

How do I implement P3P on my site?

First, you need a privacy statement for your site that surfers can read, or you can use the HTML privacy statement that is generated with the P3P editor we're going to download. Download P3P Editor. This link will take you to the alphaWorks site, simply click on the download button in the upper right-hand corner and follow the instructions.

The P3P Editor

If the editor installed the first time, great. If you got an error stating that the JVM could not be found, you need to download the Java Environment Runtime file which is located here: JER Download. Follow the link and scroll down to the download button. The P3P editor and the JER file total about 11 megs so if you are on a slow connection get a cup of coffee.

After installation of both downloads you're ready to begin making your website P3P compliant.

The P3P Editor will create four files, a policy file, written in XML, a reference file, written in XML, a compact policy* and an HTML version of the privacy statement that you can use on your site as your privacy statement if you don't wish to reference your site's current privacy statement, or if your site doesn't have one.

In addition to the four files already mentioned, I recommend creating two additional HTML files, an opt_out.htm and a dispute.htm. Before opening the editor, create a w3c directory and a privacy directory on your server. If you don't have access to create your own directories you can still make your site P3P compliant, I'll address that at the end of this tutorial. For now let's get on to actually creating the files you need.

The editor comes with instructions, lots of them. What you need to know is quite simple though. Open the editor and after a few seconds a screen will appear presenting four options, Create A Blank Policy, Create A Policy From a Template, Edit an Existing Policy or View The Getting Started Guide. For now, choose Create a Policy From a Template. You will be presented with 6 more options. If you understand XML completely, and wish to wander off on your own from here, please feel free. If you aren't comfortable with XML I suggest selecting Access Logging and User Tracking. Nearly all websites do this in one form or another. Select Okay, and the screen will change to one with 5 tabs on the bottom section, the Error Tab may be highlighted. Don't worry about those tabs yet.

Creating Your P3P Policy

At the right-hand side of the application, there's an icon of a hand holding a page. Click that. A screen will appear presenting Privacy Policy Properties. The Organization Tab will be selected by default. Fill in the information fields, and please note that allinformation is required. After supplying the required information move on to the Websites tab. For Policy Name, I suggest using policy1.xml. This allows for more than one privacy statement later and uses the proper syntax required by XML. Remember that Opt_out.htm file I mentioned earlier? This is where you enter that URL information. It's important to keep track of this as you will need to name the files correctly and upload them into the proper directory in order to validate your site later. Move on to the URL of human readable privacy policy and enter the URL. Click Okay and move on to the Access tab. The Access field presents 6 options, read them all and decide which one is correct for your site. I allow user access to all identifiable information so I chose All Information on the User.

After clicking Okay, it's on to the Assurances field. A screen will appear with a blank section and an Add button. Click Add and a new screen will appear with three new tabs. General, Remedies and Image. General is selected by default and asks for a name and a URL and type. Choose whatever name you like, keeping in mind that this is the page users will be sent to if they have a dispute regarding your privacy policy. This is also the field where your enter the URL of your dispute.htm file you created earlier. You did create that file right? If you didn't it's okay, but you need to remember the name of the file and the URL in order to make sure that you get the files in the right place. For Type I chose customer service. You can leave the description field blank for the moment and click Okay. Click the Remedies tab and you will presented with three options, I chose the first one, but you are free to choose the remedy you prefer. The images tab is for your Certifications image if you have one. Enter the information for your certification, don't worry about it if you don't have one and click Okay. The last field is Expiry, simply enter the date you wish your policy to expire on. Click Okay.

You should return to the New Policy screen, and the Errors tab should no longer be highlighted. A message should appear in the bottom text window stating that No errors have been detected in this policy. Your policy files have been created, now they just need to be saved.

The Reference File

Click File, then select Create Reference File. If you have one policy, select the One Policy Radio button and click next. You then need to fill in the URL information. It's important if you can to upload this file, which you will save as p3p.xml, to the w3c directory you created. This keeps you from having to add a link to every page, or using HTTP headers to allow for validation and compliance. Your URL should look like this: w3c/policy/#p3p.xml. The hash mark is required and the editor will display an error message if it isn't in the path. Click okay and it will create the reference file, then click Finish, save the file as p3p.xml, type that into the box, and save it where you can find it. I saved it to desktop.

Your Policy File

Repeat the process for your policy file, saving it as policy1.xml.

Your HTML File

There's an option to save HTML File in the same menu you saved your other files in. This CAN be your human readable privacy statement. Simply save it as privacy.htm and upload it to the directory referenced in your XML policy.

Uploading the Files

Upload your p3p.xml file to the w3c directory. Upload your policy1.xml file to the privacy directory. Upload the other files, HTML privacy statement, dispute.htm, and opt_out.htm to the directory you referenced while creating your p3p policy. Using privacy as the default directory makes this quite simple.

Now you're ready to validate

Go to http://www.w3.org/P3P/validator/20010928/ and type in your URI. If you validate, and you should, you can send your URL to the list of P3P compliant sites for inclusion that is listed at the validation site.

If you uploaded your reference file to the w3c directory, you can ignore the NO Link and NO HTTP header errors the validator produces. If you can't create your own directories, you need to append <link rel="P3Pv1" href="http://www.yourdomain.com/w3c/p3p.xml"> to every page on your site. Congratulations. You are now P3P Compliant.

A note about the compact policy

I get more questions about the compact policy than any other issue associated with P3P. First, the FACTS.

Compact Policies are optional*. The following is from the W3C:

Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy. http://www.w3c.org/TR/P3P/

* Important Update

Regardless of what the W3C states regarding compact policies, this is what Microsoft has to say:

Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?

Answer: Although compact policies are optional for P3P compliance, they are required by Microsoft® Internet Explorer to determine the Web site's privacy practices concerning cookies.

I'm still being told by the W3C that compact policies aren't needed at all in order for a site to be compliant with P3P. However, to satisfy Microsoft if your sites uses cookies, you must create and upload the compact policy and reference it with HTTP headers.

DigitalGhost is a search engine optimization specialist that focuses on content development and stresses the importance of optimizing sites for the user and not just for the search engines.

A voracious reader, (a book a day, every day, sometimes two or three) you're more apt to find him with a book in his hand than without.

When he's not reading or writing web copy, he's probably working on his poetry or short stories.

In his spare time he moderates two discussion forums, fora? for Spider-Food.net, J.K. Bowman's excellent search engine optimization resource and is currently developing another website devoted to technology information.

sapere aude

The access keys for this page are: ALT (Control on a Mac) plus:

evolt.org Evolt.org is an all-volunteer resource for web developers made up of a discussion list, a browser archive, and member-submitted articles. This article is the property of its author, please do not redistribute or use elsewhere without checking with the author.