P3P Components, Deployment, Policy Creation - Part 1 of Chapter 5 from Web Privacy with P3P (1/6)
Web Privacy with P3P, Chapter 5: Overview and Options
P3P-enabling a web site primarily involves creating and deploying P3P XML files and optionally configuring web servers to issue P3P response headers. Here is an overview of the files and HTTP responses involved in P3P-enabling a web site. Each of these components is discussed in more detail later in this book.
- P3P policy
- A P3P policy is an XML document that describes a web site's privacy practices. Every P3P-enabled web site must have at least one P3P policy, either in a stand-alone file or included in a policy reference file.
- Policy reference file
- A P3P policy reference file is an XML file that tells user agents which P3P policy applies to which URLs and cookies on a web site. Policy reference files may also contain P3P policies and data schema. Every P3P-enabled web site must have at least one policy reference file.
- Data schema
- A P3P data schema defines data elements that may be referenced by a P3P policy. It may also define data structures that can be used to define data elements. The P3P specification defines a P3P Base Data Schema that includes elements that represent data such as the user's name, the user's business address, and HTTP protocol information. P3P-enabled web sites need to include data schema files only if their policies reference new data elements not already defined in the P3P Base Data Schema or elsewhere.
NON-IDENTIFIABLE element must explain how it anonymizes data, and a site that uses the business-practices retention elements must explain its retention policy. Sites that provide individuals with access to their own data must also explain how that access is provided.
- Opt-in or opt-out policy
- Compact policy
- A compact policy is an abbreviated version of a P3P policy that describes the privacy practices associated with cookies. Compact policies are added to the HTTP response headers served with cookies. They are optional for P3P-enabled web sites, but some P3P user agents use them extensively.
- P3P header
- P3P-enabled web sites may serve HTTP response headers that include the URL of a P3P policy reference file. These headers may also include a compact policy.
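To make the P3P header and compact policy entries concrete, here is an added example (not code from the book) that splits a P3P response header value into its policy reference URL and compact policy tokens, and flags tokens outside the compact policy vocabulary. It assumes the header syntax and three-letter token vocabulary of the P3P 1.0 specification, which this page does not list; the sample header and its example.com URL are constructed.

```python
import re

# Compact policy tokens that never carry a suffix (per the P3P 1.0 specification).
FIXED = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID CUR OUR
NOR STP LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL
HEA PRE LOC GOV OTC TST""".split())

# Purpose and recipient tokens that may carry a consent suffix:
# a (always), i (opt-in), o (opt-out).
SUFFIXED = set("""ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
DEL SAM UNR PUB OTR""".split())

# Header fields have the form name="value", separated by commas.
FIELD = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def is_known(token):
    """Return True if token belongs to the compact policy vocabulary."""
    if token in FIXED or token in SUFFIXED:
        return True
    return len(token) == 4 and token[:3] in SUFFIXED and token[3] in "aio"


def parse_p3p_header(value):
    """Split a P3P header value into policyref, CP tokens and unknown tokens."""
    fields = {name.lower(): val for name, val in FIELD.findall(value)}
    tokens = fields.get("cp", "").split()
    return {
        "policyref": fields.get("policyref"),  # None if the header has no URL
        "cp": tokens,                          # empty if no compact policy
        "unknown": [t for t in tokens if not is_known(t)],
    }


# Constructed sample header value, as it would follow "P3P:" in a response.
SAMPLE = ('policyref="http://www.example.com/w3c/p3p.xml", '
          'CP="NOI DSP COR NID PSAa OUR IND COM NAV"')

if __name__ == "__main__":
    print(parse_p3p_header(SAMPLE))
```

A non-empty `unknown` list means the compact policy contains strings a P3P user agent cannot interpret as privacy statements, which is worth flagging when auditing the headers a site serves with its cookies.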
Created: December 23, 2002
Revised: December 23, 2002