Since Web site visitors are (understandably) wary of
providing personal data, a common practice for Internet sites is to provide a
privacy policy. In addition, an Internet standard for such policies has
developed as well. Let’s take a closer look at providing a privacy policy on
your site.
Collecting data
The basic premise of a Web site privacy policy is to tell
the user community what data you collect and how (if at all) you may use it. In
addition, the policy tells the users how they may access the data or have it
removed. A final point is how the site protects the data collected.
Check out CNET Networks’
privacy policy, which includes the following sections:
- What information does CNET Networks collect?
- What is CNET Networks’ practice regarding cookies?
- How does CNET Networks use the information?
- How does CNET Networks share the information?
- What are my options?
- How can I review and update my personally identifiable information?
- How will I know if the privacy policy is changed?
- Privacy of children
The page provides information on what data is collected by
the sites and how it may be used, as well as shared within the network. An
interesting detail is the information on how site traffic is collected via Web bugs. Cookies
are an important data collection tool on the Web and their usage is detailed
within the policy. This is just one example of a real-world policy; other
privacy policies you might want to look at for further guidance are Google
and Amazon.
The steps involved with developing a privacy policy can vary
according to a Web site’s size. For example, the legal and public relations
departments are always involved with the document’s creation for large sites
like CNET or Google, but a small site may involve
only the owner and developer. While you can assemble a privacy policy using any
approach, the World Wide Web Consortium provides a standard.
P3P
The Platform for
Privacy Preferences Project (P3P) provides a standard format for creating
Web site privacy policies. It uses XML to provide a format that is readable by
both machines and humans. A site that applies the standard is said to use a P3P policy. The
specification defines the following:
- A standard schema for data a Web site may wish to collect, known as the
  “P3P base data schema.”
- A standard set of uses, recipients, data categories, and other privacy
  disclosures.
- An XML format for expressing a privacy policy.
- A means of associating privacy policies with Web pages or sites and cookies.
- A mechanism for transporting P3P policies over HTTP.
User agents may process the P3P XML to interpret a site’s
policy. A good example of a user agent is the Microsoft Internet Explorer 6.0
(IE6) browser. IE6 and Windows XP contain new privacy features based on the
specifications of P3P. Privacy settings are accessed via the Privacy tab of the
Tools | Internet Options dialog box. If you are interested in which sites are
P3P compliant, the World Wide
Web Consortium maintains a list of such sites.
While it may be easy to code a P3P document by hand for a
small site, it can be a complicated process for a larger site. This is
especially true when the legal department gets involved. Thankfully, there are
plenty of tools available to streamline the P3P creation process. You can
utilize the P3P Toolbox, P3PEdit, or IBM’s freely available P3P
Policy Editor, which I used to create a sample P3P XML file in Listing A.
The example includes the DATA-GROUP element that includes
contact information for the organization. Also, you’ll notice an expiration
date at the top of the document, as well as the POLICY element that includes an
attribute (discuri) for a link to a human-readable
version of the policy. So, if you utilize P3P you should have a human-readable
version (HTML) as well as the XML. The IBM P3P Policy Editor tool creates an
HTML version of the policy automatically.
Once you generate the necessary P3P files, you must deploy
them on your Web server. A policy reference file is an XML file that defines privacy
policy location as well as Web pages and any cookies affected by the policy. The
default location for a P3P file is defined in the P3P standard as /w3c/p3p.xml.
This is called “the well-known location” in the P3P specification.
Another approach is including the policy reference file URL in the P3P HTTP
header or in a Web page’s LINK tag. The following example shows a policy
reference file that points to a single privacy policy, which also covers a Web
site’s cookies. The following list outlines steps for deploying P3P.
- Use the P3P standard file location. This involves naming the policy reference
  file p3p.xml and deploying it at /w3c/p3p.xml.
- You may deploy full P3P policy files within the same directory, for example,
  /w3c/full_p3p_policy.xml.
- Set compact policies for all cookies in the HTTP header.
You can review the P3P specification (and your Web server
documentation) for more information on deployment scenarios.
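To check a deployment like the one described above, the following added example (not part of the original article or of any P3P tool) parses a policy reference file and reports which policy covers a given page, whether cookies are covered, and what a P3P response header declares. The sample file, the /partners/ path and the compact policy tokens in the usage are constructed for illustration; the element names and namespace are those of the P3P 1.0 specification.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace

# Constructed sample of what /w3c/p3p.xml could contain: one policy for all
# pages and cookies, with a hypothetical /partners/ area left uncovered.
SAMPLE_REFERENCE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <EXPIRY max-age="86400"/>
    <POLICY-REF about="/w3c/full_p3p_policy.xml#policy">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/partners/*</EXCLUDE>
      <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""


def _matches(pattern, path):
    # '*' stands for any run of characters; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def policy_for(reference_xml, path):
    """Return the policy URI of the first POLICY-REF covering `path`, else None."""
    root = ET.fromstring(reference_xml)
    for ref in root.iter(NS + "POLICY-REF"):
        inc = [(e.text or "").strip() for e in ref.findall(NS + "INCLUDE")]
        exc = [(e.text or "").strip() for e in ref.findall(NS + "EXCLUDE")]
        if any(_matches(p, path) for p in inc) and not any(_matches(p, path) for p in exc):
            return ref.get("about")
    return None  # page has no declared policy: a gap worth fixing


def covers_cookies(reference_xml):
    """True if the reference file declares at least one COOKIE-INCLUDE."""
    root = ET.fromstring(reference_xml)
    return root.find(".//" + NS + "COOKIE-INCLUDE") is not None


def parse_p3p_header(value):
    """Split a P3P response header into its policyref and CP (compact policy) parts."""
    return dict(re.findall(r'(policyref|CP)\s*=\s*"([^"]*)"', value))
```
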
Rest easy
Providing a privacy policy can mitigate visitor concerns
about data usage, as well as circumvent any complaints or problems since
everything is spelled out on the site. The common approach to providing access
to a site’s privacy policy is providing a simple link at the bottom of every
page within a site. The policy contains the ins and outs of what data is
collected and how the site uses this data.
Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.