Platform for Privacy Preferences
[Also Known As]
P3P
Context
Users are frequently intimidated or discouraged by the size and complexity of legal texts. Privacy policies are an example of such texts, which are in the user's best interest to understand. As these policies are also written for the sake of legal compliance, balancing or reconciling comprehensiveness with comprehensibility is nontrivial. Different users will have varying thresholds to the amount of detail they will readily look through. The controller in this case wants to make their privacy policy more accessible to their users.
Problem
Users regularly do not read privacy policies, as they are too verbose, complex, and repetitive amongst the sites they visit.
Forces and Concerns
- Users typically do not want to read walls of texts, often needing to be persuaded to inform themselves
- Controllers want to ensure that users are not surprised and or upset about what is done with their data
- A number of users want to really understand what risks they are taking regarding their privacy
- Controllers want to be legally compliant, and minimize the costs involved in catering to data protection
Solution
Controllers may use the P3P standardization of terms and data elements to construct their privacy policies, allowing users to instead immediately see the policy distinctions which matter before using the service. The policies they share with other controllers the user is subject to will already have been reviewed, or are separated such that minimal time is spent reviewing policy.
Rationale
By removing redundancies, there is far less to read. By standardizing, comprehension is strengthened.
[Structure]
P3P uses eXtensible Markup Language (XML) to hold a variety of information concerning each web resource listed in a policy reference file. The XML includes the data elements or types collected, its recipients, and explanations of how each set of data is used (purposes and means). It also features important information about the controller and its general policies and practices, such as contact information, a link to the human readable policy, and dispute resolution. It does not contain information about what the controller does not do.
[Implementation]
The controller must publish the P3P syntax files and policy reference file to their live site. The files may be generated by automated tools. It is encouraged that the policy reference file be published in the well-known location, /w3c/p3p.xml
. A link
tag or HTTP Headers may also be used. The policies used may also cover the entire site, or specific areas.
Further information is available at https://www.w3.org/TR/P3P/
Consequences
Users will be able to construct preferences for a privacy standard (risk appetite) which they personally can accept. This template will allow them to quickly review the privacy policy of the controller while avoiding repetition, and understanding distinctions. They may additionally choose to have site-specific preferences which point out what is most relevant to them.
[Constraints]
The human readable privacy policy should be compatible with what can also be expressed using the P3P standardization. While extensions can be made to the specification, there is a limit to this. Careful consideration will need to be used when constructing the policy to ensure full coverage. This may require additional explanation beyond what the P3P specification can provide, which needs to be clearly indicated and explained to users.
Examples
The following example is taken from the P3P1.0 specification:
Claudia has decided to check out a store called CatalogExample, located at http://www.catalog.example.com/. Let us assume that CatalogExample has placed P3P policies on all their pages, and that Claudia is using a Web browser with P3P built in.
Claudia types the address for CatalogExample into her Web browser. Her browser is able to automatically fetch the P3P policy for that page. The policy states that the only data the site collects on its home page is the data found in standard HTTP access logs. Now Claudia's Web browser checks this policy against the preferences Claudia has given it. Is this policy acceptable to her, or should she be notified? Let's assume that Claudia has told her browser that this is acceptable. In this case, the homepage is displayed normally, with no pop-up messages appearing. Perhaps her browser displays a small icon somewhere along the edge of its window to tell her that a privacy policy was given by the site, and that it matched her preferences.
Next, Claudia clicks on a link to the site's online catalog. The catalog section of the site has some more complex software behind it. This software uses cookies to implement a "shopping cart" feature. Since more information is being gathered in this section of the Web site, the Web server provides a separate P3P policy to cover this section of the site. Again, let's assume that this policy matches Claudia's preferences, so she gets no pop-up messages. Claudia continues and selects a few items she wishes to purchase. Then she proceeds to the checkout page.
The checkout page of CatalogExample requires some additional information: Claudia's name, address, credit card number, and telephone number. Another P3P policy is available that describes the data that is collected here and states that her data will be used only for completing the current transaction, her order.
Claudia's browser examines this P3P policy. Imagine that Claudia has told her browser that she wants to be warned whenever a site asks for her telephone number. In this case, the browser will pop up a message saying that this Web site is asking for her telephone number, and explaining the contents of the P3P statement. Claudia can then decide if this is acceptable to her. If it is acceptable, she can continue with her order; otherwise she can cancel the transaction.
Alternatively, Claudia could have told her browser that she wanted to be warned only if a site is asking for her telephone number and was going to give it to third parties and/or use it for uses other than completing the current transaction. In that case, she would have received no prompts from her browser at all, and she could proceed with completing her order.
See Also
[Related Patterns]
This pattern complements Dynamic Privacy Policy Display. The solutions are different, but are within the same context. These patterns may work together to show the user the privacy policy and how it compares to the user preferences. Dynamic Privacy Policy Display uses Privacy Policy Display. This pattern also implicitly complements that pattern.
This pattern uses Policy Matching Display and Privacy-Aware Network Client. For both of these, context and problem are overlapping and the latter is a part of the solution's implementation described in the former. Policy Matching Display in particular adds very useful improvements while including this pattern.
[Sources]
L. Cranor, M. Langheinrich, M. Marchiori, and J. Reagle, “The Platform for Privacy Preferences 1.0 (P3P1.0) Specification,” W3C, 2002. [Online]. Available: https://www.w3.org/TR/P3P/. [Accessed: 10-Oct-2017].
O. Drozd, “privacypatterns.wu.ac.at - Privacy Patterns Catalog,” privacypatterns.wu.ac.at, 2016. [Online]. Available: http://privacypatterns.wu.ac.at:8080/catalog/. [Accessed: 25-Jan-2017].
Corrections or additions? Contribute on GitHub.