Who Should be Interested in This?

1. Any site that has a written privacy policy should have a W3C compliant P3P policy.
2. Sites updating policies to meet the latest requirements of the 2006 specification.
3. Sites that need to meet legal requirements for machine readable privacy policies.
4. Any site that uses an independent third-party dispute resolution or trust seals.

Unfortunately P3P policy files are not simple documents to create. The specification is fairly complex and ties together the technical, business, and social aspects of a website. The specification includes many elements that should rarely be used and some overlooked ones that should be used whenever possible. This makes it difficult to create and maintain current P3P documents that reflect current business practices.

The current analysis of the top sites on the Internet, 14.4% of the top 500 sites have a P3P policy file, but 34.7% of those policies have not been updated to the current 2002 specification, and 5.6% of the sites with policy files had no complete policies at all. Most of the policy files were minimal, only 5.6% had more than one policy for different parts of their site.55.6% had more than one statement defined.12.5% had more than one disputes record defined, while 9.7% had no disputes records at all. This data is live data based on the top 500 websites from Alexa, and is refreshed on a regular basis.

Below are several free P3P utilities and resouces to make it easier to create P3P policies.

P3P Policy Viewer Human readable P3P policies with a graphical tree layout that makes it easy to find and view parts of an online privacy policy. Policy reference information is included to help identify the scope of where each policy is valid. Web 2.0 P3P Policy Viewer A Web 2.0 policy viewer that displays the entire policy using a collapsible tree so that portions of interest can be expanded and viewed. This may be useful when viewing very large policies. P3P XML Policy Files Displays the XML policy files associated with a P3P policy. This provides an easy validation to make sure that all of the policy references in p3p.xml can be resolved to a valid policy file. Links are provided to view the XML source file or to validate the contents using the W3C P3P validator. P3P Policy Template Builder Builds a sample P3P template based on selecting several high-level but common web-site attributes. These template are meant for reference only and are not suitable for deployment without further editing and verifying correctness with respect to written policies. They still can provide good starting points for creating policies that are fully compliant with the latest specification. Third-Party P3P Cookie Test Tool Internet Explorer 6 and later require a compact privacy policy for any thid-party domain that may set/receive cookies. This tool generates an image that is loaded from a third-party domain with the specified privacy policy to check compliance against current privacy settings. Compact Policy Builder Generate compact policy strings from a P3P policy and test modifications. Includes a third-party test image for testing IE6 and later compatibility for third-party cookies. This is meant for testing completed policies since every compact policy is supposed to represent the contents of a full policy file. P3P Enabled Sites List of sites that we use to test our policy parser and viewer on. It also includes the top 500 web-sites as reported by Alexa so that we can produce reliable stats on P3P adoption. Any site that is entered into our policy viewer also gets added to this list for future reference and testing.

Sample Policy Files   The following samples are for reference only and should not be used without extensive modification and checking against your written privacy policy to assure that the policy you post is complete and accurate. Catalog P3P Sample Policy A much more complex sample for an e-commerce site that allows users to purchase products through the web-site that are shipped to the users address. A payment gateway is used to process transactions, and in some cases a third-party is used to drop-ship products. Trust seals are utilized on the site, and third party analytics tools are also. Community P3P Sample Policy A community site that does not do any e-commerce, but does include blogs or forums where users will be entering their e-mail address and posting content. Other than a valid e-mail address and private messaging between members, all other information posted by individuals is completely voluntary and publicly accessible. Basic P3P Sample Policy This policy adds standard tags for sites that maintain web-logs, but do not use any cookies. This would be the typical policy for a simple online presense site that does not allow for any user-input other than a contact-form. Minimal P3P Sample Policy Absolute minimal policy. This example does not have any real practical use unless you want to be explicit that absolutely no information is retained and have a written privacy policy. This minimal policy may also be appropriate for service oriented url's that bypass any logging or cookies.