 CD Home < Web Techniques < 2001 < August  

Privacy Policy

By Bill Pitzer

Almost every site has a privacy policy, but until recently, most policies went unnoticed except by the most diligent Web surfers. Privacy policies have led to a firestorm of debate recently because some companies have been accused of breaching their commitments to site visitors. A privacy policy is a document that site builders must ensure is adequately spelled out, but unfortunately, one that most sites are ill-equipped to maintain.

Help is on the way in the form of the W3C specification named P3P, which stands for the Platform for Privacy Preferences Project. This is an automated way for Web sites to post privacy policies. With P3P, different user agents, such as browsers and proxy servers, can automatically interpret the privacy policy of each site you visit. The user agent determines whether this is a site to which visitors would be comfortable transferring data.

IBM alphaWorks' P3P Policy Editor 1.4 is not only a visual tool for creating the P3P version of your site's privacy policy, but it also lets you simultaneously work on the HTML version that should be posted on your site. The tool is currently under development pending finalization of the P3P specification and is written in Java. I easily installed it on my system running the Java 1.2.2 Runtime Environment. However, Java 1.3.0 users should note that a few issues have been discovered running in this environment. If you'd like to follow the development of P3P, you can find more information at

P3P Policy Editor 1.4
IBM alphaWorks
Cost: free download
Pros: Quick entry to P3P. Drag-and-drop makes manipulating policies easy.
Cons: The HTML security policy that's created may need some tweaking.

Using Templates

When you start up the P3P Policy Editor, you have several choices about how to begin your session. You can start with a completely blank policy, or use templates. The six templates in this release cover some common privacy policies that a site is likely to implement, including typical online shopping sites and other sites that use cookies in some form or another. For example, the template for an online shopping experience clearly defines the fields that such a site would require: physical contact information, demographics information, and actual purchase information. P3P Policy Editor does a great job of defining the initial tags and most of the other elements, and arranges all the tags nicely by indenting them appropriately.

An Intuitive Interface

The interface creates policies with its intuitive drag-and-drop method. All data elements that are on the left side of the screen can be dragged to the group tree on the right. Tabs at the bottom of the screen let you easily switch between different views of the same data. Initially, all policy elements are displayed in a spreadsheet for a quick overview. Clicking on the HTML Policy tab reveals the HTML document that has been created from your current policy definition. If you add a new data element to the policy, the HTML dynamically changes to reflect the addition. When you click on the XML Policy tab, it shows you the XML that has been generated from your definition in the interface. It creates nicely formatted XML without requiring you to write a single line of code. If you click on the Compact Policy tab, you can preview a summarized version of the current policy, designed to help user agents quickly examine a policy. Lastly, the Errors tab indicates any errors found in the current policy. This tab turns red if an error is present. For instance, in my example for this article I didn't define a dispute policy, so I was greeted by the red error text and a stern warning inside. Figure 1 shows the data elements and group sections in the upper portion and the generated XML in the bottom section of the screen.

Although it's easy to do in the interface, if you need to modify your XML by hand, be sure to run it through the P3P validator provided at
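
How a user agent might act on the summary shown in the Compact Policy tab, as an added example that is not part of the original article or of IBM's tool: it parses the `CP` value of a P3P response header and applies a preference rule. The token list follows the P3P 1.0 compact-policy vocabulary; the `evaluate` rule, its `refuse` set and the sample headers are assumptions constructed for illustration.

```python
import re

# P3P 1.0 compact-policy tokens. Purposes and recipients other than CUR and
# OUR may carry a suffix: a = always, i = opt-in, o = opt-out.
TAKES_SUFFIX = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
                "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}
FIXED = {"CUR", "OUR",
         "NOI", "ALL", "CAO", "IDC", "OTI", "NON",      # access
         "DSP", "COR", "MON", "LAW", "NID", "TST",      # disputes, remedies, misc
         "NOR", "STP", "LEG", "BUS", "IND",             # retention
         "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
         "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}  # categories

def parse_compact_policy(header_value):
    """Parse the value of a P3P response header into ({token: suffix}, unknown)."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if match is None:
        return None, []
    tokens, unknown = {}, []
    for raw in match.group(1).split():
        base, suffix = raw[:3], raw[3:]
        if base in TAKES_SUFFIX and suffix in ("", "a", "i", "o"):
            tokens[base] = suffix or "a"   # a missing suffix means "always"
        elif base in FIXED and suffix == "":
            tokens[base] = ""
        else:
            unknown.append(raw)
    return tokens, unknown

def evaluate(header_value, refuse=frozenset({"UNR", "PUB", "TEL"})):
    """Hypothetical user preference: refuse the listed uses unless opt-in."""
    tokens, unknown = parse_compact_policy(header_value)
    if tokens is None:
        return "no-policy", []
    reasons = [f"unrecognized token {t}" for t in unknown]
    reasons += [f"{t} without opt-in" for t in sorted(refuse)
                if tokens.get(t, "i") != "i"]
    if "DSP" not in tokens:
        reasons.append("no dispute information (DSP)")
    return ("reject" if reasons else "accept"), reasons

# Constructed sample headers, not taken from any real site.
SHOP = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADMa DEVa OUR IND PHY ONL PUR DEM"'
MARKETING = 'CP="NOI CUR TELo UNR STP ONL"'

if __name__ == "__main__":
    for name, header in (("shop", SHOP), ("marketing", MARKETING)):
        print(name, *evaluate(header))
```

Treating unrecognized tokens as a reason to reject keeps a malformed or hand-edited compact policy from being read as more permissive than it is.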

Some Tweaking Required

The HTML copy of your policy is slick, but it's not intended to be the version displayed on your site. Using a standard HTML editor, you should use this copy as a model. Unfortunately, changes to the HTML document won't be viewable in the Policy Editor. Although it requires some fine-tuning, this document gives you a head start on developing a human-readable version of your policy.

Educational Tool

The P3P Editor, if nothing else, is a great way to learn about the P3P specification. Written in Java, its portability makes it an attractive choice for organizations running a variety of platforms. Be aware that while the tool can get you up and running quickly, a privacy policy is something you should adequately plan beforehand. While this application isn't quite ready for prime time, it's a great way to learn P3P as you consider implementing these types of privacy policies on your Web site.

Bill is a manager in the advanced Web technologies group of divine/Whittman-Hart's Cincinnati, OH office. Email him at

Copyright © 2003 CMP Media LLC