The P3P basics

This fall, Microsoft Corp. is expected to release Internet Explorer 6.0, the latest version of its Web browser. IE 6.0 will contain features designed to give users more control over cookies and more information about the privacy practices of the Web sites they visit.

The browser will look for machine-readable privacy policies on sites that use a new standard known as P3P, developed by the World Wide Web Consortium (W3C) through its Platform for Privacy Preferences Project. For the first time, millions of Web site visitors will be looking for P3P statements. Fortunately, it is easy for agencies that already have privacy policies to create a P3P statement. All it takes is an understanding of P3P, knowledge of your privacy practices, and a technical person or team that knows how your site is structured and a little bit about the new Web standards.

Basically, P3P is a set of multiple-choice questions covering the major elements of a Web site's privacy practices. The answers present a picture of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard Extensible Markup Language format, which P3P-enabled Web browsers automatically "read" and compare with the user's privacy preferences.

Think of the security "lock" feature that has been built into most browsers. The lock is engaged when a Web page transmits data, such as credit-card information, over an encrypted SSL connection; otherwise, the site is shown as unlocked. This gives consumers an easy way to understand the security features of the site. P3P browser designers are trying to build similar interfaces for privacy.

IBM Corp. and others already have working P3P policy generators. Depending on the size and complexity of a Web site, it should only take a few hours for a Webmaster and a Privacy Act officer to complete the policy.

Here's how to convert a policy in five steps (a more detailed version with helpful links is available from W3C at

    * Review your current policy with its authors to ensure that you understand all the types of data being collected on the site.

    * Decide which policies apply to which pages. Many sites have more than one policy, depending on how many data collection techniques are used on various pages. Most agencies probably only need two policies: one that covers all of the forms on a site and one for pages where users do not manually input information.

    * Select a P3P policy generator. IBM, Invisible Hand Software LLC and YOU.powered Inc. offer generators.

    * Enter the necessary information into the P3P generator.

    * Use the generator to create a policy reference file. This file tells Web browsers which P3P policy applies to any given page on the site. Upload the P3P policy files and the policy reference file to your server, placing the reference file at the well-known location under the site root (/w3c/p3p.xml), which is where P3P browsers look first; a site can also point to the reference file with a P3P HTTP response header or an HTML link element.

The W3C site offers a P3P validator that will alert you to errors in your policy and policy reference files before you publish them.
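As an added example (not from the article, the W3C, or any of the generator vendors named above), the Python script below shows what the policy reference file and policy file from the last step look like and how a P3P-enabled browser uses them: it reads the INCLUDE and EXCLUDE patterns to work out which policy covers a given page path, and it checks that every reference actually points at a policy that exists, a common mistake the validator would also catch. The agency site, its paths, the policy names and the data elements are constructed for illustration; the rule that the first matching reference wins when references overlap is an assumption made here.

```python
"""Resolve which P3P policy covers a page, the way a P3P user agent does.

The two XML documents below are constructed for this example; they do not
describe any real site. The reference file would be served at /w3c/p3p.xml
and the policy file at /w3c/policies.xml.
"""
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy reference file: forms and CGI scripts get the "forms"
# policy, everything else the "general" policy, internal pages nothing.
POLICY_REFERENCE_FILE = """<?xml version="1.0"?>
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policies.xml#forms">
      <INCLUDE>/forms/*</INCLUDE>
      <INCLUDE>/cgi-bin/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/internal/*</EXCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Constructed policy file holding the two policies the reference file names.
POLICY_FILE = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="general" discuri="http://www.example.gov/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Agency</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
  <POLICY name="forms" discuri="http://www.example.gov/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Agency</DATA></DATA-GROUP></ENTITY>
    <ACCESS><contact-and-other/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name"/>
        <DATA ref="#user.home-info.online.email"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""


def _pattern_to_regex(pattern):
    # In a P3P URI pattern '*' matches any run of characters; all else is literal.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _matches(path, patterns):
    return any(_pattern_to_regex(p).match(path) for p in patterns)


def policy_for(path, prf_xml=POLICY_REFERENCE_FILE):
    """Return the 'about' URI of the POLICY-REF covering path, or None.

    A reference covers a path when some INCLUDE pattern matches and no
    EXCLUDE pattern does. When several references could apply, the first
    one in file order is used (assumption for this example).
    """
    root = ET.fromstring(prf_xml)
    for ref in root.iter(P3P_NS + "POLICY-REF"):
        includes = [e.text.strip() for e in ref.findall(P3P_NS + "INCLUDE")]
        excludes = [e.text.strip() for e in ref.findall(P3P_NS + "EXCLUDE")]
        if _matches(path, includes) and not _matches(path, excludes):
            return ref.get("about")
    return None


def dangling_references(prf_xml=POLICY_REFERENCE_FILE, policies_xml=POLICY_FILE):
    """Return the 'about' values whose #fragment names no POLICY in the policy file."""
    names = {p.get("name") for p in ET.fromstring(policies_xml).iter(P3P_NS + "POLICY")}
    dangling = []
    for ref in ET.fromstring(prf_xml).iter(P3P_NS + "POLICY-REF"):
        about = ref.get("about")
        fragment = about.split("#", 1)[1] if "#" in about else ""
        if fragment not in names:
            dangling.append(about)
    return dangling


if __name__ == "__main__":
    for page in ("/forms/contact.html", "/cgi-bin/search?q=x", "/index.html", "/internal/staff.html"):
        print(page, "->", policy_for(page))
    print("dangling references:", dangling_references())
```

Run it as is to see the forms pages mapped to the "forms" policy, the home page to "general", and the internal page to no policy at all; change one of the `about` fragments in the reference file to a name that is not in the policy file and `dangling_references()` reports it, which is the kind of mistake that leaves a browser unable to find your policy even though the files were uploaded.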

Schwartz is a policy analyst at the Center for Democracy and Technology in Washington, D.C.
