W3C unveils website privacy guidelines

The World Wide Web Consortium (W3C) has released its latest recommendations for privacy on websites following the approval of the Platform for Privacy Preferences (P3P), which it hopes sites will start to adopt.

P3P is aimed at site owners and administrators, and will let sites publish privacy policies in a machine-readable syntax, making privacy practices clear to users.

The W3C said that when sites deploy P3P the information is read by the visitor's web browser which analyses the information, compares it with user preferences and notifies them whether or not it meets their privacy stipulations.

The W3C said that deployment required no software changes or upgrades to be made to existing servers, but would require some administrative changes.

Policy statements

Deployment requires the creation of policy statements that describe the data that sites collect and how it is likely to be used, as well as mechanisms for telling users' web browsers how to locate the policy reference files.

P3P was designed by a working group of privacy advocates, ecommerce companies, web technology experts and data protection commissioners. The W3C site contains testimonials from many of these, including the UK's information commissioner Elizabeth France.

"Consumer privacy expectations continue to remain high, and P3P plays an important role in addressing some of those expectations," she said, adding that the Information Commission was committed to the development of P3P and other privacy tools.

David Smith, assistant commissioner at the Commission, has stressed that websites must post privacy policies to avoid falling foul of the Data Protection Act 1998.

Privacy terms

He maintained that it was important for companies to clearly display privacy terms and conditions and that, rather than just linking to them, they should "include some basic message on the page and then offer the opportunity to read more".

The W3C said that additions could be made to future versions of the P3P specification, depending on feedback from firms and users.

For example, future versions of P3P may include a mechanism to allow sites to offer a choice of P3P policies to visitors; a mechanism to let visitors explicitly agree to a P3P policy; and technology to allow for non-repudiation of agreements between visitors and firms running websites.

A European parliamentary committee was voting last week on legislation requiring sites to display privacy policies when users log on. Under the proposed law, a notice informing them of the use of cookies will pop up each time a new site is visited.