Users want to know what data is being collected when they visit Web sites, and how that data might be used. Learn how to use the P3P standard to create Web site privacy policies, which outline a site's data collection practices.
- 1. What information does CNET Networks collect?
- 2. What is CNET Networks' practice regarding cookies?
- 3. How does CNET Networks use the information?
- 4. How does CNET Networks share the information?
- 5. What are my options?
- 6. How can I review and update my personally identifiable information?
- 8. Privacy of children
The page provides information on what data is collected by the sites and how it may be used, as well as shared within the network. An interesting detail is the information on how site traffic is collected via Web bugs. Cookies are an important data collection tool on the Web and their usage is detailed within the policy. This is just one example of a real-world policy; other privacy policies you might want to look at for further guidance are Google and Amazon.
The Platform for Privacy Preferences Project (P3P) provides a standard format for creating Web site privacy policies. It uses XML to provide a format that is readable by both machines and humans. A privacy policy written to the standard is called a P3P policy. The specification defines the following:
- A standard schema for data a Web site may wish to collect, known as the "P3P base data schema."
- A standard set of uses, recipients, data categories, and other privacy disclosures.
- A means of associating privacy policies with Web pages or sites and cookies.
- A mechanism for transporting P3P policies over HTTP.
User agents may process the P3P XML to interpret a site's policy. A good example of a user agent is the Microsoft Internet Explorer 6.0 (IE6) browser. IE6 and Windows XP contain new privacy features based on the specifications of P3P. Privacy settings are accessed via the Privacy tab of the Tools | Internet Options dialog box. If you are interested in which sites are P3P compliant, the World Wide Web Consortium maintains a list of such sites.
While it may be easy to code a P3P document by hand for a small site, it can be a complicated process for a larger site. This is especially true when the legal department gets involved. Thankfully, there are plenty of tools available to streamline the P3P creation process. You can utilize the P3P Toolbox, P3PEdit, or IBM's freely available P3P Policy Editor, which I used to create the sample P3P XML file in Listing A.
The example includes the DATA-GROUP element that includes contact information for the organization. Also, you'll notice an expiration date at the top of the document, as well as the POLICY element that includes an attribute (discuri) for a link to a human-readable version of the policy. So, if you utilize P3P you should have a human-readable version (HTML) as well as the XML. The IBM P3P Policy Editor tool creates an HTML version of the policy automatically.
- 1. Use the P3P standard file location. This involves naming the policy reference file p3p.xml and deploying it at /w3c/p3p.xml.
- 2. You may deploy full P3P policy files within the same directory, for example, /w3c/full_p3p_policy.xml.
- 3. Set compact policies for all cookies in the HTTP header.
You can review the P3P specification (and your Web server documentation) for more information on deployment scenarios.
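The following Python code is an added example, not part of the original article or of any P3P tool. It checks the deployment steps above offline: it resolves which policy a reference file assigns to a path, and it flags compact-policy tokens in a P3P response header that are not in the P3P 1.0 vocabulary. The sample reference file, the header value, the policy name `site` and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"
# Compact-policy vocabulary from the P3P 1.0 specification.
CP_TOKENS = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR ADM DEV TAI PSA
PSD IVA IVD CON HIS TEL OTP OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND PHY ONL UNI
PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST""".split())
# These purpose/recipient tokens may carry a consent suffix: a, i (opt-in) or o (opt-out).
SUFFIXABLE = set("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split())

# Constructed sample of a policy reference file as it would be served from /w3c/p3p.xml.
SAMPLE_REFERENCE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/full_p3p_policy.xml#site">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/partners/*</EXCLUDE>
      <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""
# Constructed P3P response header value; XYZ is deliberately not a valid token.
SAMPLE_HEADER = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADMa OUR NOR NAV XYZ"'

def parse_p3p_header(value):
    """Split a P3P header value into its policyref URI and compact-policy tokens."""
    fields = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', value))
    return fields.get("policyref"), fields.get("CP", "").split()

def unknown_cp_tokens(tokens):
    """Return the tokens that are not in the compact-policy vocabulary."""
    bad = []
    for tok in tokens:
        suffixed = len(tok) == 4 and tok[3] in "aio" and tok[:3] in SUFFIXABLE
        if (tok[:3] if suffixed else tok) not in CP_TOKENS:
            bad.append(tok)
    return bad

def policy_for(path, reference_xml):
    """Return the 'about' URI of the first POLICY-REF that covers path, else None."""
    # ElementTree suits this constructed sample; use a hardened parser on fetched files.
    def hit(ref, tag):  # '*' in INCLUDE/EXCLUDE matches any run of characters
        return any(re.fullmatch(re.escape(e.text.strip()).replace(r"\*", ".*"), path)
                   for e in ref.iter(P3P_NS + tag) if e.text)
    for ref in ET.fromstring(reference_xml).iter(P3P_NS + "POLICY-REF"):
        if hit(ref, "INCLUDE") and not hit(ref, "EXCLUDE"):
            return ref.get("about")
    return None
```

A path that resolves to `None`, or a header with unknown tokens, means the site's declared policy does not cover what is actually being served.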
Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.