Volume 6 Number 38
Wednesday, October 3, 2001
Privacy
P3P's Arrival Raises Concerns That Tool May Create Liability, Drive Away Site Traffic
With the introduction of Microsoft Corp.'s Internet Explorer 6 and the new browser's implementation of the platform for privacy preferences (P3P) standard, helping clients' Web sites become P3P compliant is an important issue facing attorneys, privacy law experts told BNA. Topping the list of concerns are worries about unfair trade practices liability for misleading P3P programming and loss of Web site traffic due to poorly thought-out P3P adoptions.
P3P, developed by the World Wide Web Consortium (W3C), gives Web site designers a means to express certain aspects of the site's privacy practices in a language that can be read by P3P-enabled Web browsers. To date, only Microsoft's Internet Explorer browser can read P3P statements.
A P3P-enabled browser can read this "snapshot" of the site's practices automatically and compare it to the privacy preferences the user has set.
On a P3P-enabled browser, the user sets his own privacy preferences. For example, on the "Tools" menu of Internet Explorer 6 a user would choose "Internet Options" and click on the "Privacy" tab. A slider appears and the user has the option of choosing any privacy preference ranging from blocking all cookies to accepting all cookies. In between these two extremes are settings of high, medium high, medium, and low privacy. According to Ruth Hill Bro, a senior associate for Information Technology/E-Commerce Law at Baker & McKenzie, Chicago, P3P gives companies an incentive not to have privacy policies that deviate from those of competitors. "I think P3P will force corporations to focus more specifically on what they are saying in their privacy policies," Bro said. "They will have to narrow their specific policy to match more standard criteria."
Policies Must Be Converted to P3P Format
However, for P3P to work well it will have to achieve large-scale acceptance, and large-scale acceptance requires companies to convert their Web site privacy policies to the P3P format.
Bro said that many Web site privacy policies have similar concepts underlying them but a lot of variation in how the information sites gather is shared. The issues involve whether they gather personally identifiable information (PII) or non-PII and whether they share such information only with affiliates, with affiliates and third parties, or with no one.
The obstacle to companies making their Web sites P3P compliant is that they have to translate their current policies into the P3P language. "In some ways they are going to have to fit that square peg into the round hole," said Bro. It's going to be a challenge because there is a huge variety of privacy policies and because a lot of companies that may have merely copied their privacy policies from affiliates or other companies have not thought through the issues, she said.
P3P Can't Express Privacy Policies' Nuances
David Medine, a partner at Hogan & Hartson, Washington, D.C., and a former attorney with the Federal Trade Commission's Office of Consumer Protection, said that one of the challenges for companies attempting to translate their privacy policies into P3P is that their policies may have nuances that don't always apply and that P3P cannot express. For example, he said that a Web site that shares information with third parties only 10 percent of the time, while not sharing information 90 percent of the time, may have to tell visitors merely that it shares information. Medine said that if P3P does not enable companies to communicate percentages and variations, it may lead them to stop certain practices.
Francoise Gilbert, the partner in charge of the privacy practice at Gray Cary Ware & Freidenrich, Palo Alto, Calif., expressed a view similar to Bro's. She said that companies need to prepare for P3P so that they are in a position to provide P3P Web browsers what they are looking for. According to Gilbert, the platform works only if you have the information flowing two ways, from site to browser and from browser to site.
She sees it as a way for Web sites to communicate in a clearer manner what their privacy policy is and for users to decide whether it is a policy with which they feel comfortable. Gilbert said that privacy policies in use now are not very consumer friendly because they are lengthy and employ legalese and "gobbledygook." The regular user may be confused or may not understand such policies. What P3P may allow is for end users to be in a better position not necessarily to understand a privacy policy fully, but to know that it complies with what they are looking for, she said.
Doesn't Ensure Companies Comply With Policies
Gilbert warned, however, that P3P does not solve every privacy-related issue for companies and end users. "As someone who does 100 percent privacy law, this is a technology that allows an easier expression of a company policy," she said. "That in itself does not make company policy compliant with particular laws and it does not ensure the end user that the company is abiding by its policy."
According to Gilbert, the two most important issues to remember with respect to P3P are that:
it does not determine whether a Web site's privacy policy is compliant with privacy law requirements, and
it does not assure the end user that the Web site will indeed abide by the privacy principles embodied in its policy.
These points demonstrate that P3P is neither a policing nor an enforcement tool, but rather a communication tool.
According to Medine, there is a good chance that an action under Section 5 of the Federal Trade Commission Act, 15 U.S.C. §45, which prohibits unfair or deceptive acts or practices in or affecting commerce, could be brought against a company if it misrepresents its privacy policy in P3P statements.
Preparing for P3P
Medine said that if a client asked him how to make his Web site P3P compliant, he would first ask whether the site already has a privacy policy. If not, the company needs to create one, he said. In order to do that, Medine said that the company must assess its current and future information flow. Once the privacy policy is established, it must then be converted to P3P format, he said. The company also must install procedures that ensure that it complies with its own privacy policy.
In order for companies to convert their privacy policies to P3P format, there are three P3P policy generators: IBM P3P Policy Editor, PrivacyBot.com, and YOUpowered's Consumer Trust.
Bro said that in order for P3P to work, it requires "critical mass and widespread support" as well as privacy laws to back it up. She cautioned, however, that P3P is not a substitute for regulation, although it may delay legislation by lulling consumers into a false sense of security.
For Medine, the question is how quickly Microsoft's Internet Explorer 6 and Windows XP (with which Internet Explorer 6 is bundled) are introduced into the market and whether they become the standard. If more consumers are using Internet Explorer 6, then Web sites will have to adopt P3P because they will lose visitors otherwise. He said that the issue with P3P is that the P3P code looks like a technical problem, so a company's techies try to solve the problem. However, these techies do not fully appreciate that their company's legal liability is involved, and they fail to go to the legal department to get the right information with respect to the company's privacy policies.
Lawyer Advocates Disavowing P3P
Benjamin Wright, a corporate and e-commerce lawyer in Dallas and author of The Law of Electronic Commerce, told BNA that he is "very concerned" about P3P, especially as implemented in Internet Explorer 6. He said that these P3P codes are used by a Web administrator as legal documents or legal promises to effectively say: "I will hereby use your data for this, etc."
The other part of the problem, according to Wright, goes back to a point Medine made, that P3P is inadequate to express the nuances that true legal documents can express. As an example, Wright said that P3P codes cannot say, "We big corporation usually will not share your data, but if there's a major terrorist attack, we will share all of our data with the FBI."
In other words, the P3P codes are too rigid to allow a company to express the exceptions that privacy policies often require, he said.
Therefore, Wright has developed a method for companies to disclaim or disavow their P3P statements, which otherwise may cause the company unwanted liability. On his Web site, Wright has published a new P3P code called DSA, which means "disavow P3P and P3P liability." He said that DSA enables a company to put its privacy policy into P3P format, but then add DSA to the end of the code, effectively saying that the codes have no legal meaning and that users cannot take the company to court over what is expressed in the codes.
Wright said that his DSA code is no different from the very common practice of companies writing disclaimers of warranty or liability. In addition, since P3P has yet to become authoritative, custom in the industry, or adopted by government, this is a company's way of saying, "You can't shove [P3P] down my throat."
For more information on the platform for privacy preferences, visit the World Wide Web Consortium's P3P Web site at http://www.w3.org/P3P/.
Benjamin Wright's Web site is http://www.disavowp3p.com.
Microsoft Corp.'s Web site discussing the privacy protections of Internet Explorer 6 is located at http://www.microsoft.com/windows/ie/whatsnew/default.asp.
By Mark Cutler
Copyright © 2001 by The Bureau of National Affairs, Inc., Washington D.C.