Compact Policy - Page 4
August 12, 2002
That's the easy bit over. Now comes the tricky part. You need to
condense the information from the XML P3P file into a Compact
Policy. This should be attached to HTTP headers that contain a
cookie element such as Set-Cookie.
If you don't create cookies then you don't need a compact policy,
and in practice most sites that don't set cookies haven't taken
much interest in P3P - at least so far. At the time of writing
(August 2002) the main practical implication of P3P is that IE6
looks for a Compact Policy and if it doesn't find one, or finds
an unsuitable one, it may refuse to set a cookie, depending on
the preferences the user has set.
Let's launch straight into an example of a compact policy:
P3P: CP="CAO CNT COM CUR DEV DSP NAV OUR PSA PSD SAM STA TAI UNI"
All these abbreviations correspond to
policy descriptions on the W3C site, also available in a
fuller and more convenient form at
securityspace.com (look for the latest version of their P3P
survey). This is a fine survey and a recommended link.
The abbreviations don't have to be in any particular order. In
the example above, which is again based on a real site's compact
policy, they've been sorted alphabetically.
Clearly there is some work involved in identifying the
abbreviations that correspond to the details of your site's
policy, but fortunately there are software agents available to
help you, and these are linked at the end of the page. But as
the final item in this introduction, here are explanations of
the abbreviations listed above (often in original W3C wording,
or very close to it).
CAO is the single Access element. The Access element indicates
whether the site provides users with access to information
collected by the site.
CAO: identified Contact Information and Other Identified Data:
access is given to identified online and physical contact
information as well as to certain other identified data.
CNT is a Categories element. These provide hints to users and
user agents as to the intended use of the data. There are four
other Categories elements in our list, and they're all dealt with
immediately below.
CNT: The words and expressions contained in the body of a
communication -- such as the text of email, bulletin board
postings, or chat room communications.
COM: Information about the computer system that the individual is
using to access the network -- such as the IP number, domain name,
browser type or operating system.
NAV: Data passively generated by browsing the Web site -- such as
which pages are visited, and how long users stay on each page.
STA: Mechanisms for maintaining a stateful session with a user or
automatically recognizing users who have visited a particular site
or accessed particular content previously -- such as HTTP cookies.
UNI: Non-financial identifiers, excluding government-issued
identifiers, issued for purposes of consistently identifying or
recognizing the individual. These include identifiers issued by a
Web site or service.
OUR is a Recipient element. Each statement in a privacy policy
must contain a Recipient element that contains one or more
recipients of the collected data. There are two in our list - OUR
and SAM.
OUR: Ourselves and/or entities acting as our agents or entities
for whom we are acting as an agent.
SAM: Legal entities following our practices. Users cannot opt-in
or opt-out of this usage.
CUR is a Purpose element. Each statement in a privacy policy must
contain a Purpose element that contains one or more purposes of
data collection or uses of data. There are five in our list, as
defined below.
CUR: Information is used to complete the activity for which it was
provided.
DEV: Information may be used to enhance, evaluate, or otherwise
review the site, service, product, or market. Users cannot opt-in
or opt-out of this usage.
PSA: Information may be used to create or build a record of a
particular individual or computer that is tied to a pseudonymous
identifier, without tying identified data (such as name, address,
phone number, or email address) to the record. This profile will
be used to determine the habits, interests, or other
characteristics of individuals for purpose of research, analysis
and reporting, but it will not be used to attempt to identify
specific individuals. Users cannot opt-in or opt-out of this usage.
PSD: Information may be used to create or build a record of a
particular individual or computer that is tied to a pseudonymous
identifier, without tying identified data (such as name, address,
phone number, or email address) to the record. This profile will
be used to determine the habits, interests, or other
characteristics of individuals to make a decision that directly
affects that individual, but it will not be used to attempt to
identify specific individuals. Users cannot opt-in or opt-out of
this usage.
TAI: Information may be used to tailor or modify content or design
of the site where the information is used only for a single visit
to the site and not used for any kind of future customization.
Users cannot opt-in or opt-out of this usage. This is the same as
tag TAIa below.
DSP is a Disputes element. These elements describe dispute
resolution procedures that may be followed for disputes about a
service's privacy practices. If a privacy policy contains one or
more DISPUTES elements, then the P3P compact policy field should
contain the DSP token, as it does here.
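The following is an added example, not code from the original page or from any of the tools it links to. It shows how a site would assemble the P3P header from the token list above, emit it beside Set-Cookie, and (from the other side) audit a response for a cookie that has no usable compact policy, which is the situation in which IE6 may refuse the cookie. The token table is deliberately limited to the fourteen tokens explained on this page; a real deployment would use the full token list from the W3C specification. The parser tolerates other fields preceding CP in the header value (the W3C spec's policyref directive is one such field); the header names and sample cookie values are constructed for the example.

```python
"""Build, parse and audit a P3P compact policy (CP) header.

Added example; not the original page's code. CP_TOKENS is limited to the
tokens the page explains, not the complete W3C token list.
"""
import re
from typing import Dict, List, Tuple

# Token -> (element group, short meaning). Limited to the tokens explained on the page.
CP_TOKENS: Dict[str, Tuple[str, str]] = {
    "CAO": ("access", "access to identified contact and other identified data"),
    "CNT": ("category", "content of communications"),
    "COM": ("category", "computer information (IP, domain, browser, OS)"),
    "NAV": ("category", "navigation and click-stream data"),
    "STA": ("category", "state management mechanisms such as cookies"),
    "UNI": ("category", "unique non-financial identifiers"),
    "OUR": ("recipient", "ourselves and our agents"),
    "SAM": ("recipient", "legal entities following our practices"),
    "CUR": ("purpose", "completion of the current activity"),
    "DEV": ("purpose", "research and development"),
    "PSA": ("purpose", "pseudonymous analysis"),
    "PSD": ("purpose", "pseudonymous decision"),
    "TAI": ("purpose", "one-time tailoring"),
    "DSP": ("disputes", "the full policy contains a DISPUTES element"),
}

# The page states every statement must carry a Purpose and a Recipient element.
REQUIRED_GROUPS = ("purpose", "recipient")

# The compact policy quoted on the page, as a token list.
PAGE_EXAMPLE = "CAO CNT COM CUR DEV DSP NAV OUR PSA PSD SAM STA TAI UNI".split()


def check_tokens(tokens: List[str]) -> List[str]:
    """Return a list of problems: unknown tokens, then missing required groups."""
    problems = [f"unknown token {t!r}" for t in tokens if t not in CP_TOKENS]
    groups = {CP_TOKENS[t][0] for t in tokens if t in CP_TOKENS}
    problems += [f"no {g} token present" for g in REQUIRED_GROUPS if g not in groups]
    return problems


def build_cp_header(tokens: List[str]) -> str:
    """Return the P3P header value for the tokens, sorted alphabetically like the page's example."""
    problems = check_tokens(tokens)
    if problems:
        raise ValueError("; ".join(problems))
    return 'CP="' + " ".join(sorted(set(tokens))) + '"'


def parse_cp_header(value: str) -> List[str]:
    """Extract the token list from a P3P header value; [] when there is no CP field."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', value, re.IGNORECASE)
    return m.group(1).split() if m else []


def cookie_headers_with_policy(set_cookie: str, tokens: List[str]) -> List[Tuple[str, str]]:
    """Response headers for a cookie-setting response that carries the compact policy."""
    return [("Set-Cookie", set_cookie), ("P3P", build_cp_header(tokens))]


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag a response that sets a cookie without a usable compact policy.

    Such a response is the one IE6 may reject, depending on the user's settings.
    """
    by_name = {name.lower(): value for name, value in headers}
    if "set-cookie" not in by_name:
        return []  # no cookie, no compact policy needed
    if "p3p" not in by_name:
        return ["Set-Cookie without P3P header"]
    tokens = parse_cp_header(by_name["p3p"])
    if not tokens:
        return ["P3P header has no CP field"]
    return check_tokens(tokens)


if __name__ == "__main__":
    # Constructed sample responses: one correct, one with a bare cookie.
    good = cookie_headers_with_policy("sid=abc123; Path=/", PAGE_EXAMPLE)  # constructed cookie
    bare = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123")]
    for name, value in good:
        print(f"{name}: {value}")
    print("audit(good):", audit_response(good))
    print("audit(bare):", audit_response(bare))
```

Running the module prints the two headers the site should send together and the audit result for each sample response; in a deployment the same audit could be run over a captured header log to find cookie-setting responses that lack a policy.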
Additional Resources:
P3P specification from W3C
Free P3P policy creator available from IBM through AgentWorks
Free Compact Policy creator from The Privacy Council
More relevant software listed at W3C
List of sites implementing P3P
XML syntax checker
P3P validator
Compact Policy retriever
P3P Toolbox - a site promoting P3P (corporate sponsored)