Understanding P3P - Data Overload
(Page 3 of 5 )

Here's an example of a simple policy:

<policies>
<policy name="feedback"
discuri="http://www.melonfire.com/w3c/feedback_policy.html">
<!-- who's collecting the information? -->
<entity>
<data-group>
<data ref="#corp.name">Melonfire</data>
<data ref="#corp.email">melonfire@mail.com</data>
</data-group>
</entity>
<!-- statement explaining the type of information collected, and why? -->
<statement>
<purpose><develop required="always" /></purpose>
<consequence>Melonfire uses your feedback to improve its content
quality. </consequence>
<recipient><ours/></recipient>
<retention><no-rentention /></retention>
<data-group>
<data ref="#visitor.name" optional="yes" />
<data ref="#visitor.email" optional="no"/>
</data-group>
</statement>
<!-- how much of it is shared with others? -->
<access><none /></access>
<!-- how are disputes resolved? -->
<disputes-group>
<disputes resolution-type="service"
service="http://www.melonfire.com/cs/" short-description="Melonfire
Customer Support">
<remedies><correct/></remedies>
</disputes>
</disputes-group>
</policy>
</policies>

This may look complicated, but it's actually pretty simple. The document is broken up into distinct sections, each one serving a particular purpose. Every policy begins and ends with <policy> tags; a single document may contain more than one policy, each one identified by a unique "name" attribute and a URL identifying the English-language version of the policy statement.

Within a policy, the <entity> section identifies the entity requesting the information (Melonfire), together with contact details. Next, the <statement> section explains why the information is being collected (in this case, for further development or improvement of the site), together with a list of the data elements collected (name and email address), how long they're stored for (not too long), and who uses it (the site owners only). The <access> element, which is mandatory, explains who has access to the data collected, while the <disputes-group> element provides information on the site's dispute resolution policy.

In case you're wondering where the element names and values come from, most of them are defined and explained in the P3P specification. I won't get into the details of all the options here - you should look at the P3P specification if you're interested - though I will tell you that the choices presented are quite exhaustive, enabling a Web service provider to describe a site's privacy policy in all relevant detail.

Next: Off Target >>
 

More Administration Articles
More By Vikram Vaswani, (c) Melonfire

Comments On: Understanding P3P

>>> Be the FIRST to comment on this article!