Although it seems complicated, it is rather simple to put one of these in place. Just follow the steps below!
STEP 1: SELECTING A P3P GENERATOR
1.1 P3P GENERATORS
The P3P specification for declaring the types of data collected at a site can become complicated, requiring much time to develop and test and leaving us susceptible to errors.
I have always used a P3P generator, like the ones below:
A P3P generator takes the complexity out of creating a machine-readable policy. I recommend the IBM one (1MB download, 90-day trial version), as it provides a graphical tree-based interface with error checking and lets you save the policy on your system and load it later for any corrections.
Now that you have installed the P3PEditor, you will see something like the image below:
We can now proceed to the creation of the policy.
We will assume that:
STEP 2: CREATING THE P3P POLICY
2.1. Policy Properties:
- Go to Policy > Policy Properties;
- Fill in the applicable fields:
-- Tab Organization:
--- Organization Name: Awards 'R Us
--- Email address: firstname.lastname@example.org
--- Web homepage: http://www.awardsrus.org
--- Name: John Doe
--- City: London
--- Country: England
-- Tab Web Sites:
--- Policy name: awardsprivacy
--- Optin/Optout URL: http://www.awardsrus.org/legal.htm
--- Policy language: English
-- Tab Access
--- Data the user can view or update: None (just in this example, of course)
-- Tab Assurances
(List privacy legislation that applies to your website and/or any kind of Privacy Seal you have. In this example I will use the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
--- Tab General
---- Name: Directive 95/46/EC
---- URL: http://europa.eu.int/comm/internal_market/privacy/law_en.htm#directive
---- Type: Applicable Law
---- Description: Published in Official Journal L 281 , 23/11/1995 P. 0031 - 0050: "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
---- Remedies: Governing laws specifies remedies
Additional info: visit the "Directive 95/46/EC" Implementation in Europe to check which countries have already implemented this directive.
--- Tab Images
(If you have any kind of seal of approval from an independent organization, like the TRUSTe Privacy Seals, you may add here the URL for the Seal, the URL of the verification page and an ALT text describing the seal.)
(Select the expiry date. The policy can be valid either for a given period, like one week, or until a given date.)
--- Expiry date: 1/Jan/2005
This procedure is finished; close the Policy Properties now by clicking OK.
In the next procedures we will add "Groups" to your policy and associate "Data Elements" with these groups.
2.2 Groups and Data Elements
Consider Groups as generic user profiles. For instance, most of us have access to our server logs, or we have some sort of tracker (counter) installed in our pages. Logs of this kind give us information about the visits to our website, such as type and version of browser, screen resolution, country of origin, etc. This information does not personally identify the visitor. So we can consider one generic profile: the anonymous visitor, not personally identifiable.
This is going to be our first Group: the Anonymous Visitors group.
Let's add a new Group in the Groups panel, on the right. Just double-click the existing "New Group" and the Group Properties will be displayed. You can then change it to suit your needs.
- Double-click (or right-click > Properties) the item named "New Group" in the Groups panel:
-- Tab General
--- Group name: Anonymous Visitors
--- Explanation: "This data, available through standard web server logs, is collected for statistical purposes. This allow us to optimize the content delivery by customizing our pages to best serve the majority of our visitors."
--- Data in this group cannot be linked to visitor's identity: CHECK this box
-- Tab Purpose
(Indicates what use will be made of the data collected)
---  Current request, Site administration and R&D > Check all the boxes in "Details"
---  Anonymous user tracking > Check also all the boxes in "Details"
- Completion and support of the current activity -
Information may be used by the service provider to complete the activity for which it was provided, whether a one-time activity such as returning the results from a Web search, forwarding an email message, or placing an order; or a recurring activity such as providing a subscription service, or allowing access to an online address book or electronic wallet.
- Web site and system administration -
Information may be used for the technical support of the Web site and its computer system. This would include processing computer account information, information used in the course of securing and maintaining the site, and verification of Web site activity by the site or its agents.
- Research and development -
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual.
- Pseudonymous analysis of user behavior -
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.
- Pseudonymous decision-making -
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. For example, a marketer may tailor or modify content displayed to the browser based on pages viewed during previous visits.
-- Tab Recipient
(Who will be allowed to have access to this information?)
---  Ourselves and/or our agents
- Ourselves and/or our agents -
An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)
-- Tab Retention
(Use this panel to indicate how long the information is maintained by the organization. Retention provides descriptive explanations of how long information is kept rather than exact time periods.)
In our example we will check:
---  For the stated collection purposes only
Be aware that if you select the first option here, "For the current request or session only", this type of retention policy would apply, for example, only to services for which the following are true:
Web server access logs are not kept; Cookies are set only for a single session; Information is collected to perform a search but is not saved in search logs.
All set; close the Group Properties now by clicking OK.
2.3 Associate Data Elements.
A Data Element is an individual data entity, such as last name or telephone number. For interoperability, P3P specifies a base set of data elements. The basic data elements and some additional data elements defined in the current policy, are shown in the left panel of the policy editor.
Data elements are displayed when you expand the data set to which they belong. The editor provides the data sets and data elements from the P3P base data schema and categories. You can declare any of these elements as necessary, but they cannot be modified. You can, however, copy a base data element and modify it according to your needs. You can also create your own data elements and data sets in the left pane. None of the elements displayed in the left pane are declared in your policy until you move them into a data group in the right pane.
When a data element or data set is moved into a data group, it is declared as part of the policy and known as a policy element. To declare a data element, drag the element from the left pane into a data group in the right pane. You can put any data element into more than one group.
- Expand (+) "Broad categories"
Drag to group "Anonymous Visitors":
-- Navigation and Click-Stream data (Navigation and click-stream data is defined as data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.)
-- Computer information (Computer information is defined as information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.)
-- Interactive data (Interactive data is defined as data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.)
- Expand (+) "Dynamic data"
Drag to group "Anonymous Visitors":
-- Other access log fields (Other data elements found in standard Web server access logs.)
-- Expand (+) "Click-stream data"
--- Expand (+) "Request timestamp"
Drag to group "Anonymous Visitors":
---- Request Date (Date of visit)
---- Request Time (Time of visit)
-- Expand (+) "HTTP Protocol elements"
Drag to group "Anonymous Visitors":
--- User Agent Information (The client description string sent by most Web browsers, giving the type, version, and platform type of the user's Web browser. This is sent by clients as the "User-Agent:" HTTP header.)
You now have a Group, Anonymous Visitors, and its associated Data Elements. It is time to save the policy.
STEP 3: DEPLOYING THE POLICY
3.1. Saving the Policy
- Go to File > Save Policy
- Name the file, for instance, as "mypolicy.p3p"
3.2. Create the reference file
Let's assume that you are later going to upload the file mypolicy.p3p to a folder named w3c on your server. The URL for your policy file will then be http://www.awardsrus.org/w3c/mypolicy.p3p
- Go to File > Create Reference File
-- Check "One Policy"
-- Click Next
--- Enter the URL of the policy file: http://www.awardsrus.org/w3c/mypolicy.p3p#privacyawards
This step is very important: the URL must include a hash (#) followed by the name of the policy being referenced. This name is the name you have defined in step 2.1 above (Policy properties), under the Tab "Web Sites", item "Policy name".
--- Click Next
---- Click Finish
---- Name the file as "p3p.xml"
3.3 Uploading the files
- Create the folder "w3c" in your server's root folder
- Upload "mypolicy.p3p" to the folder "w3c"
- Upload the file "p3p.xml" to your root folder
- Add the following line to the <head> section of your "index" file:
<link rel="P3Pv1" href="http://www.awardsrus.org/p3p.xml">
- Upload the index file
- Run the P3P Validator to check if the page is P3P-Compliant: http://www.w3.org/p3p/validator.html
If it shows no errors, then www.awardsrus.org is P3P compliant. You may want to add the <link rel="P3Pv1" href="http://www.awardsrus.org/p3p.xml"> element to every page in your site.
This policy is a Satisfactory policy: this compact policy is considered satisfactory according to the rules defined by Internet Explorer 6. IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.
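The consistency rules from Step 3 (policy file under /w3c/, a reference file whose URL fragment equals the policy name from step 2.1, and a P3Pv1 link in the index page) can be checked locally before uploading. The following is an added example, not part of the original tutorial or of the IBM editor: the XML and HTML samples are constructed and reduced to the attributes the check reads, the namespace URI in them is an assumption about the editor's output (elements are matched by local name, so another namespace also works), and named, LinkFinder and check_deployment are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

SITE = "http://www.awardsrus.org/"
# Constructed samples (not real editor output), cut down to what the check reads.
POLICY_XML = '''<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="awardsprivacy" opturi="http://www.awardsrus.org/legal.htm"/>
</POLICIES>'''
REFERENCE_XML = '''<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
  <POLICY-REF about="/w3c/mypolicy.p3p#awardsprivacy"><INCLUDE>/*</INCLUDE></POLICY-REF>
</POLICY-REFERENCES></META>'''
INDEX_HTML = '<html><head><link rel="P3Pv1" href="http://www.awardsrus.org/p3p.xml"></head></html>'

def named(xml_text, name):
    """Return all elements with this local name, whatever their XML namespace."""
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name]

class LinkFinder(HTMLParser):
    """Collect the href of every <link rel="P3Pv1"> in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "p3pv1":
            self.hrefs.append(a.get("href"))

def check_deployment(policy_xml, reference_xml, index_html,
                     policy_url=SITE + "w3c/mypolicy.p3p",
                     reference_url=SITE + "p3p.xml"):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    names = {p.get("name", "") for p in named(policy_xml, "POLICY")}
    refs = named(reference_xml, "POLICY-REF")
    if not refs:
        problems.append("reference file has no POLICY-REF")
    for ref in refs:
        # Resolve the (possibly relative) 'about' URL, then split off the #fragment.
        url, fragment = urldefrag(urljoin(reference_url, ref.get("about", "")))
        if url != policy_url:
            problems.append(f"POLICY-REF points at {url}, expected {policy_url}")
        if fragment not in names:
            problems.append(f"fragment #{fragment} matches no policy name {sorted(names)}")
    finder = LinkFinder()
    finder.feed(index_html)
    if reference_url not in [urljoin(SITE, h or "") for h in finder.hrefs]:
        problems.append("index page has no P3Pv1 link to the reference file")
    return problems
```

A non-empty result names the file that disagrees, which narrows down a failure before the online validator is run.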
APPENDIX: The files
Human-Readable version of this policy:
We invite you to contact us if you have questions about this policy. You may contact us by mail at the following address:
You may contact us by e-mail at email@example.com.
Dispute Resolution and Privacy Seals
Directive 95/46/EC : Published in Official Journal L 281 , 23/11/1995 P. 0031 - 0050: "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
This policy is valid until 1 Jan, 2005 at 12:00:00 GMT.
P3P policies declare the data they collect in groups (also referred to as "statements"). This policy contains 1 data group.
Group "Anonymous Visitors"
We collect the following information:
Navigation and click-stream data
Other access log fields
User agent information
This data will be used for the following purposes:
Completion and support of the current activity.
Web site and system administration.
Research and development.
Anonymous user analysis.
Anonymous user profiling and decision-making.
This data will be used by ourselves and our agents.
The data in this group has been marked as non-identifiable. This means that there is no reasonable way for the site to identify the individual person this data was collected from.
The following explanation is provided for why this data is collected:
This data, available through standard web server logs, is collected for statistical purposes. This allow us to improve our information delivery by customizing our pages to best serve the majority of our visitors.
Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
We do not make use of HTTP cookies.
<!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->
<!-- Expiry information for this policy -->
<EXPIRY date="Sat, 01 Jan 2005 12:00:00 GMT"/>
<!-- Description of the entity making this policy statement. -->
<DATA ref="#business.name">Awards 'R Us</DATA>
<DATA ref="#business.contact-info.postal.organization">John Doe</DATA>
<!-- Disclosure -->
<!-- Disputes -->
<DISPUTES resolution-type="law" service="http://europa.eu.int/comm/internal_market/privacy/law_en.htm#directive" short-description="Directive 95/46/EC ">
<LONG-DESCRIPTION>Published in Official Journal L 281 , 23/11/1995 P. 0031 - 0050: "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."</LONG-DESCRIPTION>
</DISPUTES>
<!-- Statement for group "Anonymous Visitors" -->
<GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="Anonymous Visitors"/>
<!-- Consequence -->
<CONSEQUENCE>This data, available through standard web server logs, is collected for statistical purposes. This allow us to improve our information delivery by customizing our pages to best serve the majority of our visitors.</CONSEQUENCE>
<!-- Data in this statement is marked as being non-identifiable -->
<!-- Use (purpose) -->
<!-- Recipients -->
<!-- Retention -->
<!-- Base dataschema elements. -->
<!-- End of policy -->
I sincerely hope this can help you! For more information about P3P and the latest specification, visit the W3C Web site at http://www.w3.org/P3P/. The version of the P3P editor used is based on the September 28, 2001 draft of the P3P specification.
Trademarks or registered trademarks
P3P is a registered trademark of the World Wide Web Consortium (W3C).
IBM is a registered trademark of International Business Machines Corp. in the U.S. IBM P3P Editor is a product name of International Business Machines Corp.