P3P Components, Deployment, Policy Creation - Part 1 of Chapter 5 from Web Privacy with P3P (1/6) | WebReference

P3P Components, Deployment, Policy Creation - Part 1 of Chapter 5 from Web Privacy with P3P (1/6)

current pageTo page 2To page 3To page 4To page 5To page 6

Web Privacy with P3P, Chapter 5: Overview and Options

P3P-Enabled Web Site Components

P3P-enabling a web site primarily involves creating and deploying P3P XML files and optionally configuring web servers to issue P3P response headers. Here is an overview of the files and HTTP responses involved in P3P-enabling a web site. Each of these components is discussed in more detail later in this book.

P3P policy
A P3P policy is an XML document that describes a web site's privacy practices. Every P3P-enabled web site must have at least one P3P policy, either in a stand-alone file or included in a policy reference file.

Policy reference file
A P3P policy reference file is an XML file that tells user agents which P3P policy applies to which URLs and cookies on a web site. Policy reference files may also contain P3P policies and data schema. Every P3P-enabled web site must have at least one policy reference file.

Data schema
A P3P data schema defines data elements that may be referenced by a P3P policy. It may also define data structures that can be used to define data elements. The P3P specification defines a P3P Base Data Schema that includes elements that represent data such as the user's name, the user's business address, and HTTP protocol information. P3P-enabled web sites need to include data schema files only if their policies reference new data elements not already defined in the P3P Base Data Schema or elsewhere.

Human-readable privacy policy
A human-readable privacy policy is a privacy policy written in a natural language (English, French, German, Chinese, etc.). Every P3P-enabled web site must have a human-readable privacy policy that is consistent with the P3P policy that references it. In addition, some disclosures in a P3P policy place further requirements on the human-readable privacy policy. For example, a site that uses the NON-IDENTIFIABLE element must explain how it anonymizes data, and a site that use the stated-purpose, legal-requirement, or business-practices retention elements must explain its retention policy. Sites that provide individuals with access to their own data must also explain how that access is provided.

Opt-in or opt-out policy
An opt-in or opt-out policy is a natural-language statement about how an individual can exercise opt-in or opt-out options offered by the web site. Every P3P-enabled web site that offers opt-in or opt-out options must have an opt-in or opt-out policy. This policy might provide instructions for opting in or opting out, contact information, or a web form that individuals can use to opt-in or opt-out. The opt-in or opt-out policy may be included in the human-readable privacy policy.

Compact policy
A compact policy is an abbreviated version of a P3P policy that describes the privacy practices associated with cookies. Compact policies are added to the HTTP response headers served with cookies. They are optional for P3P-enabled web sites, but some P3P user agents use them extensively.

P3P header
P3P-enabled web sites may serve HTTP response headers that include the URL of a P3P policy reference file. These headers may also include a compact policy.

Some of the files mentioned here can be combined on a web site. For example, a P3P policy file can contain one or more policies. In addition, it can contain P3P data schema. Alternatively, a P3P policy may be included in a policy reference file rather than in its own file. In addition, an opt-in or opt-out policy may be included in a human-readable privacy policy.

Web sites that include multiple hosts (for example, www1.example.com, www2.example.com, etc.) may place a single P3P policy and human-readable privacy policy in a central location. Generally, there will be one policy reference file on each host, although in some circumstances sites may have multiple policy reference files on each host or may have one policy reference file in a central location.

current pageTo page 2To page 3To page 4To page 5To page 6

Created: December 23, 2002
Revised: December 23, 2002

URL: http://webreference.com/authoring/p3p/chap5/1/