Angelique Carson writes:
The Platform for Privacy Preferences (P3P) was created in 2002 as a tool to protect users’ privacy as they navigate the Internet. The voluntary platform was adopted by Internet Explorer, the only browser to make meaningful use of it, but since its inception, has faced a number of challenges to its intended success.
[…]
Ari Schwartz of the National Institute of Science and Technology chaired the outreach subcommittee that formed in 1998 to work on P3P’s specs. He says the group’s focus was to get a policy built into Web browsers that would make automated decisions, knowing that privacy policies would be complex.
Jules Polonetsky, CIPP, of the Future of Privacy Forum says P3P faced major problems from the beginning. One such problem was that not all of the P3P standard was adopted but only the part that dealt with how cookies would be handled. That meant that the only professionals paying attention to the P3P platform from its inception were those who realized their cookies were no longer being sent online. When that happened, a Web master generally stepped in and looked at the problem as a technical one: the written code wasn’t working, so an alternative code was used to allow the cookie to go through. This was done without a full appreciation that in fixing only the code, the Web master had essentially just written a new privacy policy for the company.
“In reality, that code is a dramatically important privacy statement that legal departments should be writing,” Polonetsky says.
Second, privacy policies are so detailed with disclaimers and disclosures that they are very difficult to fit to a specification such as P3P, making it nearly impossible to write a highly accurate statement, he says. Cranor agrees that policies are lacking because of the existing difficulty in trying to write a CP that is both completely transparent and also adheres to this coding system.
“One of the ways companies are getting around this is that they have a policy that is basically empty, because if you don’t say anything, then you don’t say something unsatisfactory,” Cranor says, adding that this results in incomplete policies that allow the cookie through but ignore user preferences.
Read more on IAPP.
Earlier coverage on PogoWasRight.org of the P3P study as well as TRUSTe’s and Microsoft’s response.