P3P Components, Deployment, Policy Creation - Part 1 of Chapter 5 from Web Privacy with P3P (3/6)

To page 1To page 2current pageTo page 4To page 5To page 6
[previous] [next]

Web Privacy with P3P, Chapter 5: Overview and Options

  1. Create a policy reference file for your site. Most policy-generator tools will help you create a policy reference file. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances, you will have just one policy reference file for your entire site. However, if you have a very large number of policies on your site, or if you don't want to provide information that would reveal the structure of your site (perhaps due to security considerations, if parts of your site are password-protected), you may want to have multiple policy reference files.

  2. Configure your server for P3P. On most sites, this can be done by simply placing the P3P policy and policy reference files on the web server in the proper locations. However, because of how they are set up, some sites may find it advantageous to configure their servers to send a special P3P header with every HTTP response. Some sites may find it useful to add special P3P LINK tags to their HTML content. Some sites also send compact versions of P3P policies with HTTP Set-Cookie responses (this is especially important for sites that serve third-party cookies).

  3. Test your site to make sure it is properly P3P-enabled. You can use the W3C P3P Validator to test your site and report back a list of any problems it finds. Of course, this tool cannot verify that your P3P policy matches your privacy policy or that either policy conforms with your actual practices. However, it can make sure that your policy and policy reference files are syntactically correct and that you've configured everything properly. You can try the W3C P3P Validator at http://www.w3.org/P3P/validator/.

Developing a Privacy Statement

The following is an excerpt from Roger Clarke's Privacy Statements web page (http://www.xamax.com.au/DV/PStatemts.html), used with permission.

It is advisable that your organization first develops a Privacy Statement within the context of a broad strategy relating to privacy and other consumer matters. The following steps then need to be taken:

  • Determine the scope you want your Privacy Statement to have. In particular, the statement might be a complete customer charter covering terms and conditions, and addressing transactions undertaken over the counter, and by telephone and mail; or it might be restricted to privacy, and to the specific context of Internet communications.

  • Consult relevant laws, Codes of Conduct, and corporate policies that affect your organization's dealings with its customers.

  • Consider current Government policies, emergent privacy principles, and draft legislation.

  • Determine your organization's intentions in relation to data collection, data storage, data usage, and data disclosure.

  • Define the approach your organization takes, or intends to take, in relation to privacy-related questions and complaints from the public, from public interest representatives and advocates, from industry associations, and from regulatory bodies.

  • Express your organization's intentions in a draft Privacy Statement.

  • Undertake consultation with representatives of the organization's clientele, privacy advocates and regulatory bodies.

  • Promulgate your organization's Privacy Statement, on your web-site, and through other channels.

A well-designed Privacy Statement is of course a significant opportunity to gain coverage through appropriate media, in order to project the organization's desired image to its clientele, and to project an image of corporate responsibility to regulatory bodies.

To page 1To page 2current pageTo page 4To page 5To page 6
[previous] [next]

Created: December 23, 2002
Revised: December 23, 2002

URL: http://webreference.com/authoring/p3p/chap5/1/3.html