Platform for Privacy Preferences
Users regularly do not read privacy policies, as they are too verbose, complex, and repetitive amongst the sites they visit.
- Users typically do not want to read walls of text, and often need to be persuaded to inform themselves.
- Controllers want to ensure that users are not surprised or upset about what is done with their data
- A number of users want to really understand what risks they are taking regarding their privacy
- Controllers want to be legally compliant, and minimize the costs involved in catering to data protection
Controllers may use the P3P standardization of terms and data elements to construct their privacy policies, so that users can immediately see the policy distinctions that matter before using the service. Policy terms shared with other controllers the user is already subject to will already have been reviewed, or are separated so that minimal time is spent reviewing policy.
By removing redundancies, there is far less to read. By standardizing, comprehension is strengthened.
P3P uses eXtensible Markup Language (XML) to hold a variety of information concerning each web resource listed in a policy reference file. The XML includes the data elements or types collected, their recipients, and explanations of how each set of data is used (purposes and means). It also features important information about the controller and its general policies and practices, such as contact information, a link to the human-readable policy, and dispute resolution. It does not contain information about what the controller does not do.
The controller must publish the P3P syntax files and policy reference file to their live site. The files may be generated by automated tools. It is encouraged that the policy reference file be published in the well-known location; a link tag or HTTP headers may also be used. The policies used may cover the entire site or specific areas.
Further information is available at https://www.w3.org/TR/P3P/
The following example is taken from the P3P1.0 specification:
Claudia has decided to check out a store called CatalogExample, located at http://www.catalog.example.com/. Let us assume that CatalogExample has placed P3P policies on all their pages, and that Claudia is using a Web browser with P3P built in.
The checkout page of CatalogExample requires some additional information: Claudia's name, address, credit card number, and telephone number. Another P3P policy is available that describes the data that is collected here and states that her data will be used only for completing the current transaction, her order.
Claudia's browser examines this P3P policy. Imagine that Claudia has told her browser that she wants to be warned whenever a site asks for her telephone number. In this case, the browser will pop up a message saying that this Web site is asking for her telephone number, and explaining the contents of the P3P statement. Claudia can then decide if this is acceptable to her. If it is acceptable, she can continue with her order; otherwise she can cancel the transaction.
Alternatively, Claudia could have told her browser that she wanted to be warned only if a site is asking for her telephone number and was going to give it to third parties and/or use it for uses other than completing the current transaction. In that case, she would have received no prompts from her browser at all, and she could proceed with completing her order.
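The two preferences in the scenario above can be expressed as checks over a policy's STATEMENT elements. This is an added example, not code from the P3P specification or from this pattern's authors: the checkout policy is constructed for illustration, and the function names (`statements`, `covers`, `policy_warnings`) are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace

# Constructed checkout policy for illustration (not CatalogExample's real file).
CHECKOUT_POLICY = """\
<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="checkout"
        discuri="http://www.catalog.example.com/privacy.html">
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.postal"/>
      <DATA ref="#user.home-info.telecom.telephone"/>
      <DATA ref="#dynamic.miscdata"><CATEGORIES><purchase/></CATEGORIES></DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

def _names(statement, tag):
    el = statement.find(NS + tag)
    return {c.tag.replace(NS, "") for c in el} if el is not None else set()

def statements(policy_xml):
    """Yield (data_refs, purposes, recipients) for every STATEMENT."""
    # Policies come from remote sites: parse untrusted XML with a hardened parser.
    for st in ET.fromstring(policy_xml).iter(NS + "STATEMENT"):
        refs = {d.get("ref", "").lstrip("#") for d in st.iter(NS + "DATA")}
        yield refs, _names(st, "PURPOSE"), _names(st, "RECIPIENT")

def covers(ref, watched):
    """A ref covers the watched element if it is that element, its ancestor or its child."""
    return ref == watched or watched.startswith(ref + ".") or ref.startswith(watched + ".")

def policy_warnings(policy_xml, watched, ok_purposes=None, ok_recipients=None):
    """Statements that should prompt the user about the watched data element.

    ok_purposes=None: warn on any collection (Claudia's first preference).
    Otherwise warn only when a purpose or recipient is outside the allowed sets.
    """
    hits = []
    for refs, purposes, recipients in statements(policy_xml):
        matched = sorted(r for r in refs if covers(r, watched))
        beyond = ok_purposes is None or purposes - ok_purposes or recipients - (ok_recipients or set())
        if matched and beyond:
            hits.append((matched, sorted(purposes), sorted(recipients)))
    return hits
```

Matching on ancestors matters because a policy that declares a whole structure such as `#user.home-info` also collects the telephone number inside it.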
This pattern uses Policy Matching Display and Privacy-Aware Network Client. For both of these, context and problem are overlapping and the latter is a part of the solution's implementation described in the former. Policy Matching Display in particular adds very useful improvements while including this pattern.
L. Cranor, M. Langheinrich, M. Marchiori, and J. Reagle, “The Platform for Privacy Preferences 1.0 (P3P1.0) Specification,” W3C, 2002. [Online]. Available: https://www.w3.org/TR/P3P/. [Accessed: 10-Oct-2017].
O. Drozd, “privacypatterns.wu.ac.at - Privacy Patterns Catalog,” privacypatterns.wu.ac.at, 2016. [Online]. Available: http://privacypatterns.wu.ac.at:8080/catalog/. [Accessed: 25-Jan-2017].