Web gains UK privacy standard

The W3C has released a guide to help businesses comply with the data protection laws governing their Web sites

Businesses wanting their Web sites to comply with UK laws on data protection may benefit from a guide released late last month by the World Wide Web Consortium (W3C).

The Platform for Privacy Preferences 1.0 Deployment Guide is designed to help Web site operators deploy Platform for Privacy Preferences (P3P), a W3C standard for automating privacy procedures and making privacy policies transparent to users. The guide explains what is involved in deploying P3P, how to develop and communicate privacy policies, and offers step-by-step instructions.

P3P lets firms publish Web site privacy policies in a machine-readable syntax, so privacy practices can be automatically checked by users' systems. The W3C said that when Web sites deploy P3P, site information can be read by a visitor's Web browser, which analyses this data and compares it against the browser user's privacy preferences. The user is then informed whether or not the site meets their privacy requirements.
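The comparison described above, as an added example that is not from the article or the W3C guide: Python code that plays the browser's role, reading a P3P policy and checking each statement against a user's preferences. The policy XML, the `USER_REFUSES` preference set and the function names are constructed for illustration; the element names follow the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy (ENTITY and ACCESS elements omitted for brevity).
SAMPLE_POLICY = """\
<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="shop"
        discuri="https://shop.example/privacy.html">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Hypothetical user preferences: declared values this user will not accept.
USER_REFUSES = {
    "PURPOSE": {"telemarketing"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def evaluate(policy_xml, refuses=USER_REFUSES):
    """Return (statement_no, section, value, data_refs) for each conflict."""
    # The policy is supplied by the remote site, so treat it as untrusted
    # input: a P3P policy needs no DTD, and refusing one avoids entity tricks.
    if "<!DOCTYPE" in policy_xml:
        raise ValueError("DTD not allowed in policy")
    root = ET.fromstring(policy_xml)
    findings = []
    for n, stmt in enumerate(root.iter(f"{{{P3P_NS}}}STATEMENT"), 1):
        data = [d.get("ref") for d in stmt.iter(f"{{{P3P_NS}}}DATA")]
        for section, banned in refuses.items():
            node = stmt.find(f"{{{P3P_NS}}}{section}")
            declared = set() if node is None else {
                child.tag.rsplit("}", 1)[-1] for child in node}
            for value in sorted(declared & banned):
                findings.append((n, section, value, data))
    return findings

def meets_preferences(policy_xml, refuses=USER_REFUSES):
    return not evaluate(policy_xml, refuses)
```
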

The W3C said deployment requires no major software changes or server upgrades, but would call for some process alterations. The guide states that deployment requires the creation of 10KB policy statements, which describe the data the site collects and how it will be used. It also requires the creation of mechanisms for telling users' browsers how to locate the policy reference file.

The guide covers the use of cookies, privacy policy updates and server software, including the open-source Apache Web server.

David Smith, assistant commissioner at the government's Information Commission, last month stressed that firms should publish privacy policies on their Web sites to comply with the UK Data Protection Act 1998. Speaking at the E-Commerce Expo in London, Smith said that rather than just including a link to privacy terms, sites should "include some basic message on the page and then offer the opportunity to read more. The Internet allows companies to provide that information easily."

Smith added that the Data Protection Act applies to the holding of email addresses, personal data, and to the use of cookies as a means of tracking customers through Web sites. He warned that if firms used cookies, they should inform visitors as soon as they access the site. Ideally, companies should plan for privacy at the design stage rather than try to bolt it on subsequently.

Although comments on the Platform for Privacy Preferences 1.0 Deployment Guide are invited, the W3C stressed that it might not develop the guide further.