p3ptoolbox.org

Preparing for the P3P Implementation

Table of Contents

A. Implement a Human Readable Privacy Policy
B. Assemble the P3P Project Team
C. Audit the Web Site for the P3P Implementation
D. Decide How Many P3P Policies to Create
E. Do Your P3P Homework
     i. Describing Data Collected on the Site
     ii. Categorize the "Purposes" for which Your Organization Collects and Uses Information
     iii. Categorize the "Recipients" of Information You Collect
     iv. Clarify "opt-in" and "opt-out" Options Available to Your Web Site Visitors
     v. Clarify Dispute Resolution, Data Retention and Access Policies

Each Web site's experience with implementing P3P is unique. The P3P Implementation Guide, and particularly Sections 3 and 4, is designed to provide suggested guideposts or best practices for companies and organizations preparing to implement P3P. This is especially true once you have assembled your P3P implementation team and begin the assessment of your Web site's data collection practices and the mapping out of your site's P3P policy or policies.

For extremely detailed information on the specification itself, it is always best to use P3P Toolbox, at http://www.p3ptoolbox.org, as a reference. It contains lists of outside resources that can provide assistance with P3P implementation and can guide you to the best place to get any tough, site or implementation-specific questions answered.

Implementing P3P will usually require preparation by several people in an organization, a review of the information practices of the organization, and an in-depth discussion of plans for the future. Implementing P3P on your Web site may be more or less complex, depending on the size of your site, how much personal information is collected or processed, types of personal information collected or processed, the consistency of data handling practices, and your level of integration with third parties. Although some simple informational sites may be able to create and deploy P3P policies quickly, complex sites that attempt to jump straight to generating P3P policies without preparation may be asking for trouble.

This section highlights the following steps that a typical commercial Web site should take before creating and deploying P3P policies.

  1. Implement a Human Readable Privacy Policy
  2. Assemble the P3P Project Team
  3. Audit the Web Site for the P3P Implementation
  4. Decide How Many P3P Policies to Create
  5. Do Your P3P Homework
    1. Describing Data Collected on the Site
    2. Categorize the Purposes for which Your Organization Collects and Uses Information
    3. Categorize the Recipients of Information You Collect
    4. Clarify opt-in and opt-out Options Available to Your Web Site Visitors
    5. Clarify Dispute Resolution, Data Retention and Access Policies

A. Implement a Human Readable Privacy Policy

Most commercial Web sites have already gone through the process of creating a human-readable privacy policy and a detailed analysis of that process is outside the scope of this guide. The P3PToolbox provides links to several helpful sources such as the Online Privacy Alliance, BBBOnline, and TRUSTe. See http://www.p3ptoolbox.org for more information about privacy-related organizations and resources.

The investment of time and effort to create an accurate human readable policy is time well spent and that work will ease the implementation of P3P. Typical steps involved in creating a human readable privacy policy may include:

  • Designate a privacy manager with appropriate authority to lead the privacy effort and get upper management support and approval.
  • Investigate the personal information data management practices in the company, taking appropriate corrective actions if there are any inconsistencies between your company's actual practices and the desired state.

    What are the sources of consumer personal data? Who has access to it? What is it used for? Who is it shared with? How long is it kept? How is it kept secure? What controls are in place to ensure policies are followed?

  • Evaluate long term business plans for the use of consumer personal information.

    Will the same practices be followed for both online (e.g., Web, email) and offline (e.g., paper) records?

  • Develop an internal privacy policy and get agreement to the policy from all parts of the company that interact with consumers or consumer data.

    Marketing; information technology group; Web site content management; business development; product development; public relations; legal; finance; customer support; etc.

  • Develop a public privacy policy for posting on the Web site and other consumer touchpoints (e.g. printed forms).
  • Establish a vendor policy to clarify data management rules for working with suppliers and 3rd parties.

    Differentiate between 3rd parties which are acting as agents of your company and those acting independently. Consider your relationships with shipping companies; ISPs; marketing partners; consultants etc.

  • Educate your employees, contractors, and agents about your company's privacy policies.
  • Consider a third party review of your policy.

    Consider having an outside organization review your actual privacy practices against the assertions made in your privacy policy.

    Consider seeking a 3rd party issued privacy seal or trust mark for your privacy policy.

  • Publish the privacy policy and request input from your customers.
  • Evaluate, monitor and refine your data management practices and privacy policies on an ongoing basis.

B. Assemble the P3P Project Team

Similar to the development of the human readable policy, your P3P Implementation process requires a wide range of skills and human resources and input from legal, technical and marketing perspectives. While these roles may be performed by a single individual in the case of a small company, they will likely require a broader team of resources in a larger or more complex implementation.

The common roles and responsibilities needed for a P3P implementation are:

Executive Sponsor or Champion

This is the executive lead of your P3P team and provides a conduit between executive management and the P3P implementation. The senior management representative will be called upon to approve the human-readable privacy policy, provide strategic direction, and lead a change in company policy if problem areas are identified. This individual provides oversight to your technical and other resources and will interact with external resources such as attorneys and security consultants.

Business Experts

The P3P team may also need engagement from Marketing, Support, and other key collectors or users of personal information. These people are critical to provide background information on the actual business uses for personal information (as the technical aspects of applications and databases may not tell the whys behind the business).

Technical Personnel

The P3P team will need some technical resources with knowledge of the company's Web site, Web server systems and network configuration. The CIO or IT manager should designate the appropriate resources and the manager should probably stay involved at a supervisory level. These resources will perform the bulk of the site-level research required to implement P3P and will be responsible for the technical mechanics of publishing the various P3P policy files in appropriate directories on the appropriate systems. Internal technical resources will work with any other required external technical resources such as privacy and security architecture consultants.

Outside Consultants

Outside consultants may be required to assist the internal technical resources or to provide expert advice on an as-needed basis. If all or part of your Web site is externally developed and maintained, then external assistance will likely be required with the audit phase and the deployment phase. In addition specialized legal or marketing expertise may be utilized in the preparation of the P3P policies.

Legal Counsel

If your company has in-house legal counsel, make sure they are an active part of the P3P team. If your company does not have in-house legal counsel, then make sure that appropriate outside legal counsel is sought. P3P policies are important legal representations of a company's data practices and if they are inaccurate or misleading, they may trigger consumer complaints, lawsuits or regulatory investigations. The legal counsel on the P3P team will help ensure that the policies communicated using P3P are consistent with other outbound communications of the company, the internal data policies of the company, web seal programs that the company may take part in, and applicable law.

Other Management and Staff

Other personnel within the company may be called upon to provide answers to specific questions and may be involved in positioning the privacy issue internally and externally. Data commissioners can also be a vital resource in helping a company answer questions concerning P3P implementation; if there is a data commissioner in your company's jurisdiction, you can ask that office for assistance.

C. Audit the Web Site for the P3P Implementation

Why You May Want to Consider an Audit before Implementing P3P

Although a vast majority of Web sites have human-readable privacy policies, the level of detail reflected in the policies varies widely from site to site. Gaining an accurate and detailed understanding of the consumer data flowing into and out of a Web site is critical to implementing P3P on that site.

Human-readable privacy policies communicate a different level of detail than a site's P3P policies. A human-readable policy might state something like: "We may share information collected from our contest area with third parties for marketing purposes, but information collected in the shopping cart and order process will not be shared unless you opt-in to one of our special marketing programs." The author of the statement, perhaps the organization's attorney, just needed to know that part of the site was related to contest information and that the contest information was kept separate from the information collected in the ordering process.

By contrast, when implementing P3P, the site may want to have one P3P policy for those pages related to contests (that discloses that data is shared with third parties), another P3P policy for the pages related to shopping (which states that data is only shared with third parties if the user opts in to such sharing), and perhaps a third P3P policy for areas of the site where no data is collected from the user. In that case, the person creating the P3P policies will need to know exactly which Web pages, groups of Web pages (e.g. pages in the ~.../contest.HTML directory), or other Web-based resources to associate with each policy.

In order to obtain this level of detail, the P3P implementer should do a site audit to capture information about how data is collected on the Web site and how that information is used and managed within the company.

If, like many organizations, you do not have a very good understanding of what information is collected on the Web site, where it goes once it is collected, and what it is used for, then take the time to perform a Web site audit. If you already have a thorough understanding of the data collection occurring on your Web site and how that information is used and stored within your organization, you may elect to just take some time to document what you already know about the information flow on your Web site and move on to the next steps. See Decide How Many P3P Policies to Create below.

Decide on the Scope of the Audit

The scope of your site audit will depend on the size and complexity of your organization, your Web site, and your online partner relationships. Although it seems straightforward, it may actually be difficult to determine the scope of your organization's Web site. Various organizations within a company may operate independently to create Web pages and there may not be any centralized tracking of the various sites. You may or may not want to include international subsidiaries, co-branded sites, or other extensions. Your company may set cookies on Web sites operated by other organizations. Take the time necessary to define the scope of your organization's Web presence and determine which aspects should be part of the P3P implementation and the site audit.

Decide on the Level of Detail for the Audit

P3P can be applied at a granular level to each Web page or other action or resource that is triggered using a Uniform Resource Identifier (URI) while a visitor is interacting with your Web site. For example, assume that Jane is going to sign up for an email newsletter and her browser requests the registration Web page. That request itself does not automatically collect any personal information from Jane, so the P3P Policy for that Web page could be very simple and might not address the collection of information. But then, as an example of an action, Jane can enter her email address to sign up for the newsletter and hit an "I Accept" button to trigger the transfer of the information. The "I Accept" action should be associated with a separate P3P Policy that addresses the use of the email address.

Rather than perform a site audit at this granular action level, most sites will be comfortable associating privacy policies with Web pages or groups of Web pages. (See the section entitled Decide How Many P3P Policies to Create below for an overview of the various approaches.) So, for example, even if a particular Web page requires explicit user action (such as an "I Accept" button) before it will collect information from the visitor, the P3P Policy for the visitor's initial request for the Web page can disclose all collections of information that may be triggered from that page.

As a result, before beginning your site audit, it will be helpful to make a team decision about the level of detail that you want to use.

Document the Audit

The documentation of the site audit should be done in a standard form that can be stored, shared, and referenced by the various parties involved. It should be a living document that can be updated when changes are made to the Web site from month to month.

For some teams a spreadsheet may be the correct format to use. Assuming an audit at the Web page, directory and cookie level, the spreadsheet may have columns such as the following:

Column Heading              | Example Entry
----------------------------|------------------------------------------------------------
Directory/File Identifier   | www.CatalogShop.com/contest-entry/*
Short Description           | Contest entry pages
Data Collected?             | Yes
PII or Pseudo or Anon?      | PII
Cookies? (names)            | CatalogShopGlobal, Contest1
For whom?                   | Special promotions department - Contact Mary Smith
Data is Stored Where?       | Marketing database on ABC server
Used for what purposes?     | Current; Individual-analysis; Contact; Telemarketing; Other (see the Do Your P3P Homework section below for a discussion of P3P's PURPOSE element)
Shared with?                | Third party marketing companies; Subsidiaries
Can user opt-in or opt-out? | User cannot opt out of 3rd party sharing except by not entering the contest.
Etc.                        |

This set of columns can easily be expanded to analyze in further detail each action that may be initiated from the Web site rather than merely analyzing at the page or directory level. Other columns can be added to capture information about user access options, security, etc.

A similar approach to recording information about each cookie used on the site might use the following columns:

Column Heading                | Example Entry
------------------------------|------------------------------------------------------------
Cookie Name                   | CatalogShopGlobal
Short Description             | CatalogShop company global cookie
Session or Persistent?        | Persistent cookie
1st or 3rd party cookie?      | 1st party cookie (see Appendix XXX for a discussion of how Microsoft uses this distinction)
PII or Pseudo or Anon?        | Pseudonymous
Is the data ever tied to PII? | Yes, when the user buys something or enters a contest and enters their contact info.
For whom?                     | Web marketing and personalization department - Contact Joe Adams
Used for what purposes?       | Admin; Pseudo-analysis; Pseudo-decision; Indiv-decision; Indiv-analysis; Develop (see the Do Your P3P Homework section below for a discussion of P3P's PURPOSE element)
Shared with?                  | Other marketing groups in the company to enhance the customer profile
Can user opt-in or opt-out?   | Neither at this time.
Etc.                          |

Are there tools to help automate the site audit?

Some product vendors and various consulting companies have developed tools to help complete a site audit. Typically these tools will crawl the site pages and record the data fields, cookies, and other factors that will be helpful in preparing a comprehensive Web site audit. See www.p3ptoolbox.org for more information about organizations offering tools and services related to site audits.

What elements of a Web site can have a P3P policy?

Anything that has a Uniform Resource Identifier (URI) can have a P3P policy. This includes SSL pages and Java elements. JavaScript that is embedded in a Web page shares the Web page's URI and is therefore covered by the Web page's P3P policy. However, downloadable programs that the user takes obvious steps to run are not covered by P3P policies. More information on specific elements that are or are not included in P3P can be found at the P3P specification Web site, at http://www.w3.org/TR/P3P/#Introduction.

In addition, cookies can have P3P policies, which are discussed in detail in the W3C's specification of P3P, at http://www.w3.org/TR/P3P/#compact_policies.

Some Advanced Questions:

What if our Web site uses lots of redirects that transfer visitors from our brand name URL to the true Web site?

If your Web site has content that is hosted on a computer with a different name, you will need to P3P-enable that computer as well.

Correct Problems Identified During the Site Audit

Undoubtedly, if you have done a good site audit, you will discover problem areas or questions about how information is collected or used within your organization. Take the time to correct problems you unearth and communicate with your legal counsel if you think the problems are a sign that the organization has not been complying with its current privacy policy. The entire P3P team should take part in reviewing the audit results and providing input on changes that may need to be made on the Web site, elsewhere in the data management process, or to the human-readable and P3P policies.

D. Decide How Many P3P Policies to Create

As the site audit proceeded, natural groupings of your organization's information management approaches likely emerged. These groupings will help you decide how many different P3P policies you should implement on the Web site, but there is a balancing act involved in this decision. A site can use a small number of P3P policies by overstating what it does with information gathered from all but the most information-use-intensive areas, or it can use many P3P policies with the goal of being as accurate as possible about the handling of visitor information for each page on the site. Each Web site will strike its own balance, but some trends may emerge. Below is more discussion of this decision process, with the advantages and disadvantages of the various approaches.

Lowest Common Denominator Approach:

With this approach a Web site will have only one P3P policy associated with all the Web pages and cookies operating on the site. In order for this approach to work from a legal standpoint, the P3P policy will overstate the use of data gathered on the site to take into account all the information collected on the site. In other words, the policy will be crafted assuming that all the information collected from the various portions of the Web site is collected from every visitor to the site, that all the data is compiled together and used for all the purposes that may be applicable to any one type of data, that it is shared with all the third parties applicable to any one type of data, etc.

For example, if a site lets users opt out of sharing registration data with third parties but doesn't let users opt out of sharing contest entry data with third parties, the Lowest Common Denominator approach requires that the P3P policy state the rule applicable to the contest data: that any data collected on the site may be shared with third parties. Although the P3P policy may set a low standard for the company's privacy practices, the company may still offer a human-readable policy that spells out the more privacy-sensitive approach the company has actually taken.

Advantages: The Lowest Common Denominator approach limits legal risk because the company is less likely to mistakenly apply an insufficiently stringent P3P policy to a portion of the Web site. Also, this approach may save some time in the development and maintenance of the P3P policies.
Disadvantages: The Lowest Common Denominator approach may scare some P3P-sensitive consumers away from the site and, depending on the operation of P3P browsers, may cause excessive privacy warnings to appear or even impede the operation of some of the site's features.

P3P Perfectionist Approach:

At the other extreme is the P3P Perfectionist. With this approach, a Web site would have a P3P policy uniquely tailored to each page and feature of the Web site. In order for this approach to work, the P3P implementer needs to track the data collection and use information for every page of the site. While this granular approach could provide the most accurate level of notice to users, it is also likely to be excessively costly to maintain. Although there may be hundreds of P3P policies under this approach, the company could still offer a human readable policy using more general terms.

Advantages: The P3P Perfectionist approach has the advantage of offering the visitor a very detailed look at the company's privacy policy as it may shift from page to page or service to service.
Disadvantages: As a practical matter, the P3P Perfectionist approach is probably only possible for really small Web sites or larger Web sites with a robust ability to track and maintain web pages and action requests at an individual level.

P3P Pragmatist Approach:

Of course, most sites will implement P3P somewhere in between the Lowest Common Denominator and P3P Perfectionist approaches. The level of granularity appropriate to a particular site will depend on the range and types of data collection on the site, the audience of the site, the company resources available for the project, and probably, the temperament of the Webmaster.

As an example of a P3P Pragmatist approach, a company may decide to group the site into data collection "hot spots" and then divide those hot spots into three groups based on similar data types and use practices (e.g. Heavy Use [GREEN]; Medium Use [YELLOW]; Light Use [RED]). Using the Lowest Common Denominator approach on each of the three groups, the company can develop three different P3P policies. Using the same approach the company could create two or three different P3P compact policies for cookies used on the site. Equipped with this set of three to six P3P policies, the P3P implementer can quickly address updates to the Web site.

The Legalist Approach:

In some jurisdictions, legal requirements concerning information privacy, such as the European Union Data Protection Directive, may provide an additional motivation for implementation. Implementing P3P can serve as a "show and tell" to demonstrate that your company is already compliant with such laws.

HINT: The Privacy Officer may want to incorporate the P3P policy category labels back into the company's data storage and use and into the employee education process. Doing this may help build a more intuitive approach to data management within the company. E.g. Red Data (data collected under the RED P3P policy) can only be used for very limited purposes; Yellow means all internal use is OK; Green means OK to share with third parties.
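As an added example (not part of the P3P Toolbox guide), the script below applies the Lowest Common Denominator merge and the Pragmatist colour grouping to constructed audit rows laid out like the Section C spreadsheet, and emits the PURPOSE and RECIPIENT elements of a P3P STATEMENT for each resulting policy. The purpose and recipient names and the required attribute are P3P 1.0 vocabulary; the audit rows, the colour rules and all function names are assumptions made for illustration.

```python
"""Added example, not from the P3P Toolbox guide: group site-audit rows into
P3P policy candidates and apply the guide's Lowest Common Denominator merge.
Purpose/recipient names follow P3P 1.0; rows, colour rules and helper names
are constructed for illustration."""
from dataclasses import dataclass
from xml.sax.saxutils import quoteattr

# Weakest-choice ordering for the P3P "required" attribute: a merged policy
# may promise no more user choice than its least privacy-protective member.
CHOICE_RANK = {"opt-in": 0, "opt-out": 1, "always": 2}
# P3P 1.0 recipients that are outside the site operator and its delivery agents.
THIRD_PARTY = {"same", "other-recipient", "unrelated", "public"}


@dataclass(frozen=True)
class AuditRow:
    """One line of the audit spreadsheet described in the guide."""
    path: str              # Directory/File Identifier
    collects_data: bool    # Data Collected?
    purposes: frozenset    # Used for what purposes?
    recipients: frozenset  # Shared with?
    sharing_choice: str    # Can user opt in or opt out of 3rd party sharing?


@dataclass(frozen=True)
class Policy:
    purposes: frozenset
    recipients: frozenset
    sharing_choice: str
    paths: tuple


# Constructed audit rows modelled on the guide's CatalogShop example:
# contest entries are shared with no opt-out, registration data has an
# opt-out, the shop only tailors content, the About pages collect nothing.
AUDIT = (
    AuditRow("www.CatalogShop.com/contest-entry/*", True,
             frozenset({"current", "individual-analysis", "contact", "telemarketing"}),
             frozenset({"ours", "same", "unrelated"}), "always"),
    AuditRow("www.CatalogShop.com/register/*", True,
             frozenset({"current", "contact"}),
             frozenset({"ours", "unrelated"}), "opt-out"),
    AuditRow("www.CatalogShop.com/shop/*", True,
             frozenset({"current", "admin", "tailoring"}),
             frozenset({"ours", "delivery"}), "opt-in"),
    AuditRow("www.CatalogShop.com/about/*", False, frozenset(), frozenset(), "always"),
)


def lcd_merge(rows):
    """Lowest Common Denominator: every purpose and recipient found on any
    page is asserted for all pages, and the weakest user choice wins."""
    rows = tuple(rows)
    purposes = frozenset().union(*(r.purposes for r in rows))
    recipients = frozenset().union(*(r.recipients for r in rows))
    choice = max((r.sharing_choice for r in rows), key=CHOICE_RANK.__getitem__)
    return Policy(purposes, recipients, choice, tuple(r.path for r in rows))


def classify(row):
    """Pragmatist hot-spot colour following the guide's HINT: GREEN may share
    with third parties, YELLOW uses data internally beyond serving the request
    and running the site, RED is limited to those two purposes."""
    if not row.collects_data:
        return "NO-DATA"
    if row.recipients & THIRD_PARTY:
        return "GREEN"
    if row.purposes - {"current", "admin"}:
        return "YELLOW"
    return "RED"


def pragmatist_policies(rows):
    """One LCD-merged policy per colour group instead of one for the whole site."""
    groups = {}
    for row in rows:
        groups.setdefault(classify(row), []).append(row)
    return {colour: lcd_merge(members) for colour, members in sorted(groups.items())}


def statement_fragment(policy):
    """PURPOSE and RECIPIENT elements for a P3P STATEMENT. The required
    attribute goes on third-party recipients only; "always" is the P3P
    default and is therefore left implicit."""
    lines = ["<PURPOSE>"]
    lines += [f"  <{p}/>" for p in sorted(policy.purposes)]
    lines += ["</PURPOSE>", "<RECIPIENT>"]
    for r in sorted(policy.recipients):
        if r in THIRD_PARTY and policy.sharing_choice != "always":
            lines.append(f"  <{r} required={quoteattr(policy.sharing_choice)}/>")
        else:
            lines.append(f"  <{r}/>")
    lines.append("</RECIPIENT>")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Lowest Common Denominator (one policy for the whole site):")
    print(statement_fragment(lcd_merge(r for r in AUDIT if r.collects_data)))
    for colour, policy in pragmatist_policies(AUDIT).items():
        print(f"\n{colour}: {', '.join(policy.paths)}")
        if policy.purposes:
            print(statement_fragment(policy))
```

Note how the GREEN group loses the registration pages' opt-out: merged with the contest pages, the weakest choice ("always") governs the whole group, which is exactly the trade-off the guide describes.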

E. Do Your P3P Homework

You are almost ready to start generating P3P policies! At this point you should have a deep understanding of the information gathered on your Web site and your organization's data practices. You should also have a good sense of the overall approach for your P3P implementation. Now you should start translating some of that information into P3P terminology in preparation for creating the actual P3P policies. Section 4 of this Guide walks through the process of creating those files. This section presents some of the key P3P concepts, including some XML elements specific to P3P, that you will want to understand before taking that step.

At this point both non-technical and technical team members should be involved. Several team members can benefit by learning the basics of the P3P terminology, but as you move on to creating the P3P policies in Section 4, a technical team member will likely take the lead.

In addition to the information you gathered during the Web site audit, you will need to prepare information about internal policies and procedures, such as data access and retention policies, to enable you to answer the data handling questions addressed by P3P (See the P3P Preparation Checklist at the beginning of Section 4 for the set of questions that will need to be answered). If you are lucky, your human readable privacy policy already addresses many of these issues.

Topics Addressed by P3P Policies

At this point it is helpful to understand the basic structure of a P3P policy and what types of disclosures are included in a P3P policy. A P3P policy addresses the following data management issues:

  • Identity and Contact information for the Organization
  • Location of P3P files
  • Access Policy
  • Disputes Policy
  • Remedies Available for Problems
  • Types of Data Collected
  • Purpose(s) of Data Collection
  • Recipient(s) of the Data
  • Retention Policy for the Data

In order to be prepared to identify your organization's data management policies in the P3P implementation, you should probe each of these issues. Below is a set of steps that may help you to compile this additional information and learn more about P3P. Most of the steps involve clarifying your organization's approach regarding key elements of your data management practices. Other steps involve categorizing what you've learned from the site audit and other internal investigations into P3P categories. By taking the time to do this non-technical prep work, you can streamline the technical process of generating the P3P policies.

  1. Describe Data Collected on the Site using the P3P Base Data Schema and/or P3P data categories
  2. Categorize the Purposes for which Your Organization Collects and Uses Information
  3. Categorize the Recipients of Information You Collect
  4. Clarify opt-in and opt-out Options Available to Your Web Site Visitors
  5. Clarify Dispute Resolution, Data Retention and Access Policies

1. Describe Data Collected on the Site

P3P will facilitate communication between your organization and your Web site's visitors regarding your data management practices. But it is up to each organization to decide how detailed to be about the types of data collected. P3P offers Web sites a great deal of flexibility to describe the types of data they collect, at several levels of detail. Below is a general description of the levels of detail available and their advantages and disadvantages. For a detailed discussion of this issue, see the P3P Specification, Part 5.6, Using Data Elements.

  • Category Level. Sites can specify the types of data they collect using the P3P standard categories without having to enumerate every individual data element. This may be convenient for sites that collect a lot of data or sites belonging to large organizations that want to offer a single P3P policy covering the entire organization. However, the disadvantage of this approach is that user agents will have to assume that the site might collect any data element belonging to the categories referenced by the site. So, for example, if a site's policy states that it collects dynamic.miscdata of the physical contact information category, but the only physical contact information collected is business addresses, user agents will nonetheless assume that the site might also collect telephone numbers and home addresses.
  • Data Element Level Using Base Data Schema. Sites may describe data specifically using the data elements defined in the P3P base data schema. In this way, using the example above, although the site states that it collects information of the physical contact category, it can go a step further and clarify that it does not collect telephone numbers or any other physical contact information other than business address. As user agents are developed with automatic form-filling capabilities, there will be another advantage to more detailed disclosure: sites that enumerate the data they collect are likely to integrate better with these tools. The Base Data Schema is included in Appendix B of this Guide.
  • Data Element Level Using Custom Data Schema. Sites may describe data specifically by creating new data elements in custom data schemas. The P3P specification describes how sites may define new data sets and elements to enable them to disclose collection of data that is not included in the base data schema. For example, a clothing site may create a data schema to reference when collecting physical characteristics such as height, weight, sleeve length, shoe size, etc.
  • Combination. You do not need to pick only one level of data disclosure. You may combine these various methods within a single P3P policy. Most sites will use a combination of categories and data elements from the Base Data Schema. (See Appendix B for the Base Data Schema.)

2. Categorize the Purposes for which Your Organization Collects and Uses Information

Each P3P Policy must give notice to the Web site's visitors about why information is being collected about them and how it will be used. This notice is given using the PURPOSE element. Familiarize yourself with the following definitions of the various purposes, drawn from the P3P v1.0 specification.

<current/>

Completion and Support of Activity For Which Data Was Provided: Information may be used by the service provider to complete the activity for which it was provided, whether a one-time activity such as returning the results from a Web search, forwarding an email message, or placing an order; or a recurring activity such as providing a subscription service, or allowing access to an online address book or electronic wallet.

<admin/>

Web Site and System Administration: Information may be used for the technical support of the Web site and its computer system. This would include processing computer account information, information used in the course of securing and maintaining the site, and verification of Web site activity by the site or its agents.

<develop/>

Research and Development: Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. This does not include personal information used to tailor or modify the content to the specific individual nor information used to evaluate, target, profile or contact the individual.

<tailoring/>

One-time Tailoring: Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. For example, an online store that suggests other items a visitor may wish to purchase based on the items he has already placed in his shopping basket.

<pseudo-analysis/>

Pseudonymous Analysis: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. For example, a marketer may wish to understand the interests of visitors to different portions of a Web site.

<pseudo-decision/>

Pseudonymous Decision: Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. For example, a marketer may tailor or modify content displayed to the browser based on pages viewed during previous visits.

<individual-analysis/>

Individual Analysis: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. For example, an online Web site for a physical store may wish to analyze how online shoppers make offline purchases.

<individual-decision/>

Individual Decision: Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. For example, an online store suggests items a visitor may wish to purchase based on items he has purchased during previous visits to the Web site.

<contact/>

Contacting Visitors for Marketing of Services or Products: Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. This does not include a direct reply to a question or comment or customer service for a single transaction -- in those cases, <current/> would be used. In addition, this does not include marketing via customized Web content or banner advertisements embedded in sites the user is visiting -- these cases would be covered by the <tailoring/>, <pseudo-analysis/> and <pseudo-decision/>, or <individual-analysis/> and <individual-decision/> purposes.

<historical/>

Historical Preservation: Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. This law or policy MUST be referenced in the element and MUST include a specific definition of the type of qualified researcher who can access the information, where this information will be stored and specifically how this collection advances the preservation of history.

<telemarketing/>

Contacting Visitors for Marketing of Services or Products Via Telephone: Information may be used to contact the individual via a voice telephone call for promotion of a product or service. This does not include a direct reply to a question or comment or customer service for a single transaction -- in those cases, <current/> would be used.

<other-purpose> string </other-purpose>

Other Uses: Information may be used in other ways not captured by the above definitions. (A human-readable explanation should be provided in these instances.)

About the Purpose Element

Take time to make sure that your P3P team understands these various purposes and how they may or may not be relevant to your organization's operations and the various groupings of information collected from your Web site. Then, use these labels to update your site audit information and ensure that all data that is collected on the site is tied to appropriate purposes. The legal counsel on the P3P team will want to make sure that the purposes disclosed in your P3P policies are sufficiently broad to accurately reflect the organization's data practices.

3. Categorize the Recipients of Information You Collect

Each P3P policy must give notice to visitors about who has access to the information collected about them. In haste, most organizations will assert that they never share the personal information they collect with any third parties. This is usually wrong. There is generally a range of third parties with limited access to information collected from a Web site: for example, the shipping company that delivers a customer's order, a co-branded service provider offering free email to the site's visitors, technical consultants who work for the organization, the company hosting and maintaining the organization's Web site, marketing partners, and so on.

This notice about who has access to or receives information is given using the recipient element in the P3P syntax. Familiarize yourself with the following definitions of the various recipients, drawn from the P3P v1.0 specification.

<ours>

Ourselves and/or our entities acting as our agents or entities for whom we are acting as an agent: An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)

<delivery>

Delivery services possibly following different practices: Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose. This should also be used for delivery services whose data practices are unknown.

<same>

Legal entities following our practices: Legal entities who use the data on their own behalf under equable practices. (e.g., consider a service provider that grants the user access to collected personal information, and also provides it to a partner who uses it once but discards it. Since the recipient, who has otherwise similar practices, cannot grant the user access to information that it discarded, they are considered to have equable practices.)

<other-recipient>

Legal entities following different practices: Legal entities that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices (e.g., the service provider collects data that is shared with a partner who may use it for other purposes. However, it is in the service provider's interest to ensure that the data is not used in a way that would be considered abusive to the users' and its own interests.)

<unrelated>

Unrelated third parties: Legal entities whose data usage practices are not known by the original service provider.

<public>

Public fora

4. Clarify opt-in and opt-out Options Available to Your Web Site Visitors

Many sites offer visitors the opportunity to opt-out of or opt-in to having their information used for certain purposes or shared with certain other parties. Investigate with your P3P team what options are available to your visitors and what a visitor must do to take advantage of those options. Within your P3P policies you will be able to signal to your site visitors that there are opt-outs available, so you want to be sure what those options are.

5. Clarify Dispute Resolution, Data Retention and Access Policies

Other issues that need to be addressed when you create your P3P policies include (a) your organization's approach to dispute resolution and the remedies for harm done, (b) your data retention policies, and (c) the level of access that you will provide to Web site visitors to the information that you have collected about them, for example to enable them to correct errors. Take some time to confirm your organization's baseline policy on these issues and then identify exceptions that may apply to certain types of data collected from the Web site.

Gathering Input from your Human-Readable Privacy Policy

As discussed in Section 2, creating a P3P policy often requires information that is not contained in your organization's human-readable policy. But the human-readable policy is a great place to start collecting the information that you will need. For example, here is a sample privacy policy and some elements of a P3P policy that can be drawn from it. (We are not presenting this privacy policy as a sample of a good or sufficient policy but merely as an example of how key P3P-related information may be woven through a privacy policy.)

Privacy Policy for CatalogShopExample.com
Last updated: February 10, 2002
The following is the privacy policy for the CatalogShopExample.com Web site. In this policy, we describe what personal information we collect on our site, how we use it, and your options regarding information we may collect about you. If you have questions about this policy, please feel free to contact us at:

CatalogShopExample
4000 Lincoln Ave.
Birmingham, MI 48009
USA
privacy@catalogshopexample.com
+1 (248) 555-1212


Information collected from all visitors.
While you are browsing the CatalogShopExample.com Web site, anonymous information will be gathered in our computer system log files. We use this information to administer our site and learn, for example, which areas of our site are the most popular and which may be having performance problems.

In addition, we use a cookie called CatalogShopGlobal (click HERE to learn more about cookies) to log your path through our site and present hints and other types of personalization based on your activities on the site. This cookie does not store any personally identifiable information about you and may only be associated with personal information if you make a purchase or enter a contest on our site. You may reject or delete the CatalogShopGlobal cookie at any time. To learn how to do this on your system, read your browser software's Help file.

Information collected while you shop.
While shopping through our catalog pages we use a cookie called CatalogShopCart to keep track of which items you have placed in your virtual shopping cart. This cookie only stores information related to products that you might want to purchase and the cookie is deleted when you end your browser session.

When you purchase something on our site, we collect personal information from you including your shipping address, credit card number and the email address to use for order confirmation. This information is collected on Web pages using encryption technology to help prevent any third party from intercepting the information. Your credit card information is only used for completing the purchase transaction and is retained only as necessary for administration purposes. We use the information provided by our customers to analyze product trends based on, for example, geographic and demographic factors. This analysis helps us improve the quality of our Web site and product mix.

In addition, we may use your shipping address or email address to send you personalized coupons and other offers unless you opt-out of these uses by checking the box at the bottom of the order entry screen. Be assured that we will not share your personal information with other companies except those who are involved with fulfilling or shipping your order, unless you opt-in to our special Partner Marketing Program.

Information collected in contests.
If you enter one of our contests, the data we collect will be handled according to the rules of that particular contest and those rules may differ based on where you live. We provide a privacy policy specific to each contest that you should review prior to entering the contest.

Accessing your information.
Customers may access their contact information through email or our customer service center in order to correct discrepancies and update records with new address information. See the contact information at the beginning of this policy.

Updates to this policy.
As our Web site evolves over time or our data handling policies change, we will update this privacy policy. Changes made to this policy will be effective ten days following the posting of the new policy on the Web site. If we make significant changes to our data handling practices, we will make efforts to notify our active customers in other reasonable ways that may include an administrative email or other notice. This privacy policy will be governed by the laws of the United States and the State of California.
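
As an added example (it is not the guide's own P3P mapping and not code from p3ptoolbox.org), the Python script below writes the CatalogShopExample.com policy above as a set of P3P STATEMENTs and then checks each statement against the purpose, recipient and retention vocabularies covered in steps 2 through 5, including the required attribute (always, opt-in or opt-out) that carries the visitor choices from step 4. The ENTITY, ACCESS, DISPUTES and RETENTION elements, the data references and the data categories come from the P3P 1.0 base vocabulary rather than from this page. The discuri, the retention period chosen for each statement and the use of other-recipient for the Partner Marketing Program are assumptions made for the example, since the sample policy does not state them; a second, deliberately defective fragment shows what the check reports.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
STATEMENT_TAG = f"{{{P3P_NS}}}STATEMENT"

# Vocabularies from the P3P 1.0 specification: the purpose and recipient lists above, the RETENTION values, and the required attribute of step 4.
PURPOSES = {"current", "admin", "develop", "tailoring", "pseudo-analysis",
            "pseudo-decision", "individual-analysis", "individual-decision",
            "contact", "historical", "telemarketing", "other-purpose"}
RECIPIENTS = {"ours", "delivery", "same", "other-recipient", "unrelated", "public"}
RETENTION = {"no-retention", "stated-purpose", "legal-requirement",
             "business-practices", "indefinitely"}
REQUIRED = {"always", "opt-in", "opt-out"}

# Constructed reading of the CatalogShopExample.com policy. The discuri, the retention values
# and <other-recipient/> for the Partner Marketing Program are assumptions; the policy does not state them.
CATALOG_POLICY = f"""<POLICIES xmlns="{P3P_NS}">
 <POLICY name="shop" discuri="http://www.catalogshopexample.com/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">CatalogShopExample</DATA>
   <DATA ref="#business.contact-info.online.email">privacy@catalogshopexample.com</DATA></DATA-GROUP></ENTITY>
  <ACCESS><ident-contact/></ACCESS>   <!-- customers may correct their contact information -->
  <DISPUTES-GROUP><DISPUTES resolution-type="service"
   service="mailto:privacy@catalogshopexample.com"><REMEDIES><correct/></REMEDIES></DISPUTES></DISPUTES-GROUP>
  <STATEMENT>  <!-- 1: anonymous log files, site administration and evaluation -->
   <PURPOSE><admin/><develop/></PURPOSE> <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>  <!-- 2: CatalogShopGlobal cookie, pseudonymous path logging and hints -->
   <PURPOSE><pseudo-analysis/><pseudo-decision/></PURPOSE> <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.cookies"><CATEGORIES><navigation/><state/></CATEGORIES></DATA></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>  <!-- 3: CatalogShopCart cookie, deleted when the browser session ends -->
   <PURPOSE><current/></PURPOSE> <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><no-retention/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.cookies"><CATEGORIES><state/></CATEGORIES></DATA></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>  <!-- 4: credit card number, used only to complete the purchase -->
   <PURPOSE><current/></PURPOSE> <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.miscdata"><CATEGORIES><purchase/></CATEGORIES></DATA></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>  <!-- 5: shipping address and e-mail: the order, trend analysis, coupons unless
       the visitor opts out; shared with shippers and, only on opt-in, with marketing partners -->
   <PURPOSE><current/><develop/><contact required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><delivery/><other-recipient required="opt-in"/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.postal"/><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Constructed defective fragment: a made-up purpose, an empty <other-purpose>,
# a misspelt required value and no <RETENTION> at all.
BAD_POLICY = f"""<POLICIES xmlns="{P3P_NS}"><POLICY name="bad" discuri="http://example.invalid/p">
 <STATEMENT><PURPOSE><marketing/><other-purpose/></PURPOSE>
  <RECIPIENT><unrelated required="optional"/></RECIPIENT>
  <DATA-GROUP><DATA ref="#user.name"/></DATA-GROUP></STATEMENT></POLICY></POLICIES>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}PURPOSE' -> 'PURPOSE'."""
    return tag.rsplit("}", 1)[-1]


def check_policy(xml_text):
    """Return findings; an empty list means every STATEMENT is complete and
    uses only vocabulary the specification defines."""
    findings = []
    for n, st in enumerate(ET.fromstring(xml_text).iter(STATEMENT_TAG), 1):
        kids = {_local(c.tag): c for c in st}
        # A statement marked NON-IDENTIFIABLE may omit purpose, recipient and retention.
        needed = ("DATA-GROUP",) if "NON-IDENTIFIABLE" in kids else (
            "PURPOSE", "RECIPIENT", "RETENTION", "DATA-GROUP")
        for tag in needed:
            if tag not in kids:
                findings.append(f"statement {n}: missing <{tag}>")
        for group, vocab in (("PURPOSE", PURPOSES), ("RECIPIENT", RECIPIENTS),
                             ("RETENTION", RETENTION)):
            for el in kids.get(group, []):
                name = _local(el.tag)
                if name not in vocab:
                    findings.append(f"statement {n}: unknown {group.lower()} <{name}>")
                if el.get("required", "always") not in REQUIRED:
                    findings.append(f"statement {n}: bad required value "
                                    f"{el.get('required')!r} on <{name}>")
                if name == "other-purpose" and not (el.text or "").strip():
                    findings.append(f"statement {n}: <other-purpose> needs a human-readable explanation")
    return findings


def choices(xml_text):
    """List (statement, element, required) for every opt-in or opt-out choice."""
    return [(n, _local(el.tag), el.get("required"))
            for n, st in enumerate(ET.fromstring(xml_text).iter(STATEMENT_TAG), 1)
            for el in st.iter() if el.get("required") in ("opt-in", "opt-out")]


if __name__ == "__main__":
    print(check_policy(CATALOG_POLICY), choices(CATALOG_POLICY), check_policy(BAD_POLICY), sep="\n")
```

Two points the mapping makes visible: the credit card number and the shipping address get separate statements because their retention differs, and the contest pages would need a policy of their own, since the sample policy says their handling varies by contest. Running the script prints no findings for the catalog policy, the two visitor choices in statement 5, and four findings for the defective fragment.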

What's Next?

Now that you have prepared by (a) auditing the data practices related to your organization's Web site, (b) deciding how many P3P policies to create, and (c) learning key P3P terminology and categories, it is time to generate P3P policies. The next section addresses, at a more technical level, the process of creating and deploying P3P files.


Please note that this document is a working draft for review and reference purposes only. Any questions or comments should be e-mailed to info@p3ptoolbox.org.