
Creating a P3P Compliant Privacy Policy

Since 2003 the CPSnet Web Awards have been P3P-compliant. To see how Internet Explorer accesses the privacy policy, select the "View > Privacy report" option in your browser's toolbar. A pop-up box will be displayed; double-click the www.excellentsite.org item (it should be the first on the list) and wait until the P3P policy is loaded.

Using P3P, an organization posts on its Web site an XML-formatted (machine-readable) privacy policy describing its privacy practices, including the type of information collected, how the information is used, and who has access to the information.

Although it seems complicated, it is rather simple to put one of these in place. Just follow the steps below!

STEP 1: Selecting a P3P Generator

1.1 P3P GENERATORS

The P3P specification for declaring the types of data collected at a site can become complicated, requiring much time to develop and test and leaving us susceptible to errors.

I have always used a P3P generator, like the ones below:

A P3P generator takes the complexity out of creating a machine-readable policy. I recommend using the IBM one (1MB download, 90-day trial version), as it provides a graphical tree-based interface with error checking, and allows you to save the policy on your system and load it later for any correction.

Now that you have installed the P3PEditor, you will see something like the image below:

[Image: The IBM P3P Editor]
 

We can now proceed to the creation of the policy.

We will assume that:

  • Your award program is named Awards 'R Us;
  • Your name is John Doe, from London, England;
  • Your email is admin@awardsrus.org
  • Your site is located at http://www.awardsrus.org
  • Your normal (human-readable) Privacy policy is located at: http://www.awardsrus.org/legal.htm

STEP 2: CREATING THE P3P POLICY

2.1. Policy Properties:

- Go to Policy > Policy Properties;
- Fill in the applicable fields:

-- Tab Organization:
--- Organization Name: Awards 'R Us
--- Email address: admin@awardsrus.org
--- Web homepage: http://www.awardsrus.org
--- Name: John Doe
--- City: London
--- Country: England

-- Tab Web Sites:
--- Policy name: awardsprivacy
--- Optin/Optout URL: http://www.awardsrus.org/legal.htm
--- Policy language: English
--- URL of human-readable privacy policy: http://www.awardsrus.org/legal.htm

-- Tab Access
--- Data the user can view or update: None
(just in this example, of course)

-- Tab Assurances
(List privacy legislation that applies to your website and/or any kind of Privacy Seal you have. In this example I will use the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)

...Click ADD...

--- Tab General
---- Name: Directive 95/46/EC
---- URL: http://europa.eu.int/comm/internal_market/privacy/law_en.htm#directive
---- Type: Applicable Law
---- Description: Published in Official Journal L 281 , 23/11/1995 P. 0031 - 0050: "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
---- Remedies: Governing laws specifies remedies

Additional info: visit the "Directive 95/46/EC" Implementation in Europe to check which countries have already implemented this directive.

--- Tab Images
(If you have any kind of seal of approval from an independent organization, like the TRUSTe Privacy Seals, you may add here the URL for the Seal, the URL of the verification page and an ALT text describing the seal.)

-- Tab Expiry
(Select the expiry date. The policy can be valid either for a given period, like one week, or until a given date.)

--- Expiry date: 1/Jan/2005

This procedure is finished; close the Policy Properties now by clicking OK.

In the next procedures we will add "Groups" to your policy and associate "Data Elements" with these groups.

2.2 Groups and Data Elements

Consider Groups as generic user profiles. For instance, most of us have access to our server logs, or we have some sort of tracker (counter) installed in our pages. These logs give us information about the visits to our website, such as type and version of browser, screen resolution, country of origin, etc. This information does not personally identify the visitor. So we can consider one generic profile: the anonymous visitor, not personally identifiable.

This is going to be our first Group: the Anonymous Visitors group.

Let's then add a New Group in the Groups panel on the right. Just double-click the existing "New Group" and the Group Properties will be displayed. You can then change it to suit your needs.

- Double-click (or right-click > Properties) the item named "New Group" in the Groups panel:

-- Tab General

--- Group name: Anonymous Visitors
--- Explanation: "This data, available through standard web server logs, is collected for statistical purposes. This allow us to optimize the content delivery by customizing our pages to best serve the majority of our visitors."
--- Data in this group cannot be linked to visitor's identity: CHECK this box

-- Tab Purpose
(Indicates what use will be made of the data collected)

Check:

--- [1] Current request, Site administration and R&D > Check all the boxes in "Details"
--- [3] Anonymous user tracking > Check also all the boxes in "Details"

- Completion and support of the current activity -

Information may be used by the service provider to complete the activity for which it was provided, whether a one-time activity such as returning the results from a Web search, forwarding an email message, or placing an order; or a recurring activity such as providing a subscription service, or allowing access to an online address book or electronic wallet.

- Web site and system administration -

Information may be used for the technical support of the Web site and its computer system. This would include processing computer account information, information used in the course of securing and maintaining the site, and verification of Web site activity by the site or its agents.

- Research and development -

Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual.

- Pseudonymous analysis of user behavior -

Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.

- Pseudonymous decision-making -

Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. For example, a marketer may tailor or modify content displayed to the browser based on pages viewed during previous visits.

-- Tab Recipient
(Who will be allowed to have access to this information?)

Check:

--- [1] Ourselves and/or our agents

- Ourselves and/or our agents -

An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)

-- Tab Retention
(Use this panel to indicate how long the information is maintained by the organization. Retention provides descriptive explanations of how long information is kept rather than exact time periods.)

In our example we will check:

--- [2] For the stated collection purposes only

Data in this group is retained long enough to complete the purpose for which it is gathered and then discarded at the earliest time possible. If you select this option, your organization must have a retention policy stated within or linked from the human-readable privacy policy. The retention policy must indicate a destruction timetable. So you must state somewhere in your human-readable policy, for instance, "We will keep our server logs for a period of one year. After that period, the referred logs will be destroyed".

Be aware that if you select the first option here, "For the current request or session only", this type of retention policy would apply, for example, only to services for which the following are true:

  • Web server access logs are not kept;
  • Cookies are set only for a single session;
  • Information is collected to perform a search but is not saved in search logs.

All set; close the Group Properties now by clicking OK.

2.3 Associate Data Elements.

A Data Element is an individual data entity, such as last name or telephone number. For interoperability, P3P specifies a base set of data elements. The basic data elements, and some additional data elements defined in the current policy, are shown in the left panel of the policy editor.

Data elements are displayed when you expand the data set to which they belong. The editor provides the data sets and data elements from the P3P base data schema and categories. You can declare any of these elements as necessary, but they cannot be modified. You can, however, copy a base data element and modify it according to your needs. You can also create your own data elements and data sets in the left pane. None of the elements displayed in the left pane are declared in your policy until you move them into a data group in the right pane.

When a data element or data set is moved into a data group, it is declared as part of the policy and known as a policy element. To declare a data element, drag the element from the left pane into a data group in the right pane. You can put any data element into more than one group.

- Expand (+) "Broad categories"

Drag to group "Anonymous Visitors":

-- Navigation and Click-Stream data (Navigation and click-stream data is defined as data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.)

-- Computer information (Computer information is defined as information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.)

-- Interactive data (Interactive data is defined as data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.)


- Expand (+) "Dynamic data"

Drag to group "Anonymous Visitors":

-- Other access log fields (Other data elements found in standard Web server access logs.)

-- Expand (+) "Click-stream data"
--- Expand (+) "Request timestamp"

Drag to group "Anonymous Visitors":

---- Request Date (Date of visit)
---- Request Time (Time of visit)

-- Expand (+) "HTTP Protocol elements"

Drag to group "Anonymous Visitors":

--- User Agent Information (The client description string sent by most Web browsers, giving the type, version, and platform type of the user's Web browser. This is sent by clients as the "User-Agent:" HTTP header.)

With these data elements, you will cover most of the data collected by standard server logs and most of the trackers/counters. It is mandatory that you check the privacy policy of any third party providing you with a tracking service and declare any additional data element in your policy, even if it is collected by the third-party service.

You now have a Group, Anonymous Visitors, and the associated Data Elements. It is time to save the policy.

STEP 3: DEPLOYING THE POLICY

3.1. Saving the Policy

- Go to File > Save Policy
- Name the file, for instance, as "mypolicy.p3p"

3.2. Create the reference file

Let's assume that later you are going to upload the file mypolicy.p3p to a folder named w3c on your server. The URL for your policy file will then be http://www.awardsrus.org/w3c/mypolicy.p3p

- Go to File > Create Reference File
-- Check "One Policy"
-- Click Next
--- Enter the URL of the policy file: http://www.awardsrus.org/w3c/mypolicy.p3p#awardsprivacy

This step is very important: the URL must include a hash (#) followed by the name of the policy being referenced. This name is the name you have defined in step 2.1 above (Policy properties), under the Tab "Web Sites", item "Policy name".

--- Click Next
---- Click Finish
---- Name the file as "p3p.xml"

3.3 Uploading the files

- Create the folder "w3c" in your server's root folder
- Upload "mypolicy.p3p" to the folder "w3c"
- Upload the file "p3p.xml" to your root folder
- Add the following line to the <head> section of your "index" file:

<link rel="P3Pv1" href="http://www.awardsrus.org/p3p.xml">

- Upload the index file
- Run the P3P Validator to check if the page is P3P-Compliant:
http://www.w3.org/p3p/validator.html

If it shows no error, then www.awardsrus.org is P3P compliant. You may want to add the <link rel="P3Pv1" href="http://www.awardsrus.org/p3p.xml"> to every page in your site.

This policy is a Satisfactory policy: this compact policy is considered satisfactory according to the rules defined by Internet Explorer 6. IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.

APPENDIX: The files

Human-Readable version of this policy:

Privacy Policy

About Us

This is a privacy policy for Awards 'R Us. Our homepage on the Web is located at http://www.awardsrus.org . The full text of our privacy policy is available on the Web at http://www.awardsrus.org/legal.htm Users may go to http://www.awardsrus.org/legal.htm for information on how to opt-in or opt-out of use of their information.

We invite you to contact us if you have questions about this policy. You may contact us by mail at the following address:

John Doe
London, England

You may contact us by e-mail at admin@awardsrus.org.

Dispute Resolution and Privacy Seals

We have the following privacy seals and/or dispute resolution mechanisms. If you think we have not followed our privacy policy in some way, they can help you resolve your concern.

Directive 95/46/EC : Published in Official Journal L 281 , 23/11/1995 P. 0031 - 0050: "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."

Additional Information
This policy is valid until 1 Jan, 2005 at 12:00:00 GMT.

Data Collection
P3P policies declare the data they collect in groups (also referred to as "statements"). This policy contains 1 data group.

--------------------------------------------------------------------------------

Group "Anonymous Visitors"
We collect the following information:

Navigation and click-stream data
Computer information
Interactive data
Other access log fields
Request date
Request time
User agent information
This data will be used for the following purposes:

Completion and support of the current activity.
Web site and system administration.
Research and development.
Anonymous user analysis.
Anonymous user profiling and decision-making.
This data will be used by ourselves and our agents.

The data in this group has been marked as non-identifiable. This means that there is no reasonable way for the site to identify the individual person this data was collected from.

The following explanation is provided for why this data is collected:

This data, available through standard web server logs, is collected for statistical purposes. This allow us to improve our information delivery by customizing our pages to best serve the majority of our visitors.

--------------------------------------------------------------------------------

Cookies
Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.

We do not make use of HTTP cookies.

XML Policy

<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->

<!-- Expiry information for this policy -->
<EXPIRY date="Sat, 01 Jan 2005 12:00:00 GMT"/>

<POLICY
name="awardsprivacy"
discuri="http://www.awardsrus.org/legal.htm"
opturi="http://www.awardsrus.org/legal.htm"
xml:lang="en">
<!-- Description of the entity making this policy statement. -->
<ENTITY>
<DATA-GROUP>
<DATA ref="#business.name">Awards 'R Us</DATA>
<DATA ref="#business.contact-info.online.email">admin@awardsrus.org</DATA>
<DATA ref="#business.contact-info.online.uri">http://www.awardsrus.org</DATA>
<DATA ref="#business.contact-info.postal.organization">John Doe</DATA>
<DATA ref="#business.contact-info.postal.city">London</DATA>
<DATA ref="#business.contact-info.postal.country">England</DATA>
</DATA-GROUP>
</ENTITY>

<!-- Disclosure -->
<ACCESS><none/></ACCESS>


<!-- Disputes -->
<DISPUTES-GROUP>
<DISPUTES resolution-type="law" service="http://europa.eu.int/comm/internal_market/privacy/law_en.htm#directive" short-description="Directive 95/46/EC ">
<LONG-DESCRIPTION>Published in Official Journal L 281 , 23/11/1995 P. 0031 - 0050: "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
</LONG-DESCRIPTION>
<REMEDIES><law/></REMEDIES>
</DISPUTES>
</DISPUTES-GROUP>

<!-- Statement for group "Anonymous Visitors" -->
<STATEMENT>
<EXTENSION optional="yes">
<GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="Anonymous Visitors"/>
</EXTENSION>

<!-- Consequence -->
<CONSEQUENCE>
This data, available through standard web server logs, is collected for statistical purposes. This allow us to improve our information delivery by customizing our pages to best serve the majority of our visitors.</CONSEQUENCE>

<!-- Data in this statement is marked as being non-identifiable -->
<NON-IDENTIFIABLE/>

<!-- Use (purpose) -->
<PURPOSE><admin/><current/><develop/><pseudo-analysis/><pseudo-decision/></PURPOSE>

<!-- Recipients -->
<RECIPIENT><ours/></RECIPIENT>

<!-- Retention -->
<RETENTION><stated-purpose/></RETENTION>

<!-- Base dataschema elements. -->
<DATA-GROUP>
<DATA ref="#dynamic.miscdata"><CATEGORIES><navigation/></CATEGORIES></DATA>
<DATA ref="#dynamic.miscdata"><CATEGORIES><computer/></CATEGORIES></DATA>
<DATA ref="#dynamic.miscdata"><CATEGORIES><interactive/></CATEGORIES></DATA>
<DATA ref="#dynamic.clickstream.other"/>
<DATA ref="#dynamic.clickstream.timestamp.ymd"/>
<DATA ref="#dynamic.clickstream.timestamp.hms"/>
<DATA ref="#dynamic.http.useragent"/>
</DATA-GROUP>
</STATEMENT>

<!-- End of policy -->
</POLICY>
</POLICIES>

Reference File

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY-REFERENCES>
<POLICY-REF about="http://www.awardsrus.org/w3c/mypolicy.p3p#awardsprivacy">
<INCLUDE>/*</INCLUDE>
<COOKIE-INCLUDE/>
</POLICY-REF>
</POLICY-REFERENCES>
</META>
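
A consistency check for the two files above, as an added example that is not part of the original tutorial or of the IBM editor: it confirms that the fragment in the reference file's POLICY-REF names a POLICY that exists in the policy file, and that the EXPIRY date has not passed. The function name check_deployment and the trimmed sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urldefrag

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # namespace used by both files

# Constructed sample inputs, trimmed from the two files in this appendix.
POLICY_XML = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<EXPIRY date="Sat, 01 Jan 2005 12:00:00 GMT"/>
<POLICY name="awardsprivacy"
 discuri="http://www.awardsrus.org/legal.htm"
 opturi="http://www.awardsrus.org/legal.htm">
<ACCESS><none/></ACCESS>
</POLICY>
</POLICIES>"""

REFERENCE_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY-REFERENCES>
<POLICY-REF about="http://www.awardsrus.org/w3c/mypolicy.p3p#{name}">
<INCLUDE>/*</INCLUDE>
<COOKIE-INCLUDE/>
</POLICY-REF>
</POLICY-REFERENCES>
</META>"""


def check_deployment(policy_xml, reference_xml, now=None):
    """Return a list of problems; an empty list means the two files agree.

    `now` must be a timezone-aware datetime (defaults to the current UTC time).
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    policies = ET.fromstring(policy_xml)
    names = set()
    for policy in policies.iter(NS + "POLICY"):
        names.add(policy.get("name", ""))
        if not policy.get("discuri"):
            problems.append(f"policy {policy.get('name')!r} lacks discuri")

    # Only the absolute date form of EXPIRY is checked here.
    expiry = policies.find(NS + "EXPIRY")
    if expiry is not None and expiry.get("date"):
        if parsedate_to_datetime(expiry.get("date")) <= now:
            problems.append(f"policy expired on {expiry.get('date')}")

    refs = list(ET.fromstring(reference_xml).iter(NS + "POLICY-REF"))
    if not refs:
        problems.append("reference file has no POLICY-REF")
    for ref in refs:
        url, fragment = urldefrag(ref.get("about", ""))
        if not fragment:
            problems.append(f"POLICY-REF {url} has no #policy-name fragment")
        elif fragment not in names:
            problems.append(
                f"POLICY-REF names #{fragment}, policy file defines {sorted(names)}")
        if ref.find(NS + "INCLUDE") is None:
            problems.append(f"POLICY-REF {url} covers no URLs (no INCLUDE)")
    return problems
```

Call it with the contents of mypolicy.p3p and p3p.xml before uploading; a mistyped policy name in the reference file shows up as a single "POLICY-REF names #..." problem.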

I sincerely hope this can help you! For more information about P3P and the latest specification, visit the W3C Web site at http://www.w3.org/P3P/. The version of the P3P editor used is based on the September 28, 2001 draft of the P3P specification.

Trademarks or registered trademarks

P3P is a registered trademark of the World Wide Web Consortium (W3C).
IBM is a registered trademark of International Business Machines Corp. in the U.S. IBM P3P Editor is a product name of International Business Machines Corp.

About Contributor

Carlos Paula Simoes

Carlos Paula Simões was born in Portugal in 1966, and he has worked since 1992 as a full-time Environmental and Food Technologist in a major Portuguese food plant. He has maintained a presence on the Web since 1997 and he is currently responsible for several personal websites like the CPSnet Web Awards and Cb2 Web Design Portugal, amongst others.

He also holds several positions at well-renowned web organizations like APEX (Director of Web Development) and WebsAwards (Manager and Co-Owner). Other relevant participations are with Mensa Portugal, Webmates and GAWDS, as well as with some of the major Web Directories, like ODP (Open Directory Project) and Zeal.
