P3P Components, Deployment, Policy Creation - Part 1 of Chapter 5 from Web Privacy with P3P (2/6) | WebReference


Web Privacy with P3P, Chapter 5: Overview and Options

P3P Deployment Steps

Some of the first questions webmasters ask when they are considering deploying P3P on their sites are "How long is this going to take?" and "How difficult is this going to be?" The answers to these questions, of course, depend on the details of the web site. A small company that already has a privacy policy posted on its site should be able to deploy P3P in a few hours. Large companies may need to have their attorneys spend time reviewing their P3P policies, and they may need to figure out the best way to deploy P3P on a large number of servers around the world. Companies that provide third-party web services, such as advertising agencies and content distribution networks, may have some more complicated decisions to make as well.

I have seen P3P deployed on an active commercial web site in as little as 10 minutes. The webmaster for that site was visiting my office and was able to start with one of my example policy and policy reference file sets, make the necessary changes for his site, remotely log in to his live server, publish the files, and use the W3C P3P Validator to verify that everything worked.

To help you estimate how much work is required for P3P deployment on your web site, here is an outline of the basic steps involved. These will be discussed in more detail in the rest of this chapter and in the following three chapters.

  1. Create a privacy policy. The privacy policy needs to include enough details to be useful for creating a P3P policy. If you have already created a detailed policy for your site, you've done most of the difficult work. However, as you create your P3P policy, you may discover some issues in your privacy policy that you need to revisit. If you don't yet have a privacy policy or your policy does not go into much detail about the kinds of data your site collects or how this data is used, you will probably have to get your company's lawyers or policymakers involved in articulating your company's privacy policy.
  2. Analyze the use of cookies and third-party content on your site. Privacy policies describe the kinds of data a company may collect, but they generally do not go into much detail about the ways in which cookies are used. Cookies can enable otherwise unidentifiable data to be linked to identifiable data, sometimes unintentionally. They may also enable data to be shared in unanticipated ways. It is important to analyze how cookies are used on your web site and how they interact with other cookies and with HTML forms. It is also important to identify any content or cookies on your web site that web browsers may treat as third-party content (because it is served from a different domain than the page in which it is embedded).
  3. Determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site. If you already have multiple privacy policies for your site, you will probably want to have multiple P3P policies as well. For example, some sites have different policies associated with different types of services they offer. Even if you have a single, comprehensive policy for your entire site, you may want to have multiple P3P policies. For example, your site's privacy policy might include a statement like "We do not collect personally identifiable information from visitors except when they fill out a form to order a product from us." You may wish to create two P3P policies--one for use on part of your site where there are no forms and the other for use on the parts of the site where visitors fill out forms to order products.
  4. Create a P3P policy (or policies) for your site. You can use one of the P3P policy generator tools (described later in this chapter) to easily create a P3P policy without having to learn XML. You will need a detailed understanding of the kinds of data your site collects and how it is used, but most of this should be documented in your site's privacy policy.
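For step 2, one way to start the inventory of third-party content is to list every embedded resource on a page whose host falls outside the page's own domain. The sketch below is an added example, not code from the book; the host names, the sample HTML, and the two-label `site_of` rule are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that make a browser fetch embedded content, and the attribute holding the URL.
# Plain <a href> links are left out: following a link is a first-party visit.
EMBED_ATTRS = {"img": "src", "script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data", "link": "href"}

def site_of(host):
    """Crude registrable domain: the last two labels of the host name.
    Assumption: adequate for .com-style names; suffixes such as .co.uk
    need a public-suffix list instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class EmbedCollector(HTMLParser):
    """Collects (tag, absolute URL) for every embedded resource in a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative and scheme-relative URLs against the page URL.
            self.embeds.append((tag, urljoin(self.page_url, value)))

def third_party_embeds(page_url, html):
    """Return (tag, host, url) for resources served from another domain."""
    page_site = site_of(urlsplit(page_url).hostname)
    collector = EmbedCollector(page_url)
    collector.feed(html)
    found = []
    for tag, url in collector.embeds:
        host = urlsplit(url).hostname  # None for data: URLs and the like
        if host and site_of(host) != page_site:
            found.append((tag, host, url))
    return found

# Constructed sample page; every host name here is a placeholder.
SAMPLE_URL = "http://www.shop.example/catalog/index.html"
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif">
<img src="http://ads.adnetwork.example/banner.gif?id=42">
<script src="http://static.shop.example/js/cart.js"></script>
<iframe src="//counter.stats.example/hit"></iframe>
<a href="http://partner.example/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for tag, host, url in third_party_embeds(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag:7} {host:28} {url}")
```

Each host the audit reports is a place where a browser may apply third-party cookie handling, so it belongs on the list of content to account for when planning policies.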


Created: December 23, 2002
Revised: December 23, 2002

URL: http://webreference.com/authoring/p3p/chap5/1/2.html