Companies moving slowly on P3P adoption

WASHINGTON -- Companies are gradually implementing the Internet privacy specification Platform for Privacy Preferences (P3P) without knowing if it will succeed as a standard and uncertain whether consumers will embrace the spec.

P3P, developed by the World Wide Web Consortium, is largely being implemented at companies that have already taken leadership roles on privacy, such as Procter & Gamble Co. (P&G) in Cincinnati. For its part, P&G has adopted a worldwide privacy policy for all of its customers that meets the restrictive privacy rules of European Union nations.

P&G has implemented P3P at its main Web site and will test consumer interest before adopting it at 500 other related Web sites, said Mel Peterson, chief privacy officer at the consumer products giant.

While it cost P&G about $10,000 to adopt and integrate P3P, "it wasn't an insurmountable investment," said Peterson. "We really didn't see a big downside."

With P&G's development work completed, Peterson estimates that P3P can be deployed at the company's other Web sites for roughly the same cost of the initial development.

Companies that implement the P3P standard convert their privacy policy to a question-and-answer, machine-readable XML-based format. A P3P-enabled browser can "read" this policy and compare it with a consumer's own set of privacy preferences. The consumer, for instance, may be automatically warned that a particular Web site doesn't allow them to access their own personal data.

What has some companies betting on the future of P3P is Microsoft's inclusion of the emerging standard in its Internet Explorer 6 browser.

Internet Explorer 6 "is a huge driver" for P3P adoption, said Christopher Fisher, IS director at Royal Appliance Manufacturing Co. in Glenwillow, Ohio. The maker of Dirt Devil vacuum cleaners has begun making its Web sites P3P-enabled.

"Some consumers will adopt this technology, and given that, we want to make our Web site available to the broadest array of potential customers," said Fisher.

The most difficult aspect of P3P implementation is the legal issues it raises, said corporate managers and experts. Translating a company's detailed privacy policy into a machine-readable format can be complicated and legally risky if the P3P version of a privacy policy doesn't match up to the actual corporate policy. Experts said P3P implementation isn't something that should be handled by IT departments alone.

The codes used in P3P to automate the privacy process "are legal promises," said Benjamin Wright, a Dallas attorney and electronic law expert. "It's like a contract."

Indeed, some experts believe that P3P will never get widespread adoption because companies will balk at simplifying legally dense privacy policies into the standard.

"Companies are not rushing to translate their incomprehensible, loophole-ridden English-language privacy policies into incomprehensible, loophole-ridden computer-readable privacy policies," said Jason Catlett, president of Junkbusters Corp., a Green Brook, N.J.-based privacy watchdog group.

While it's difficult to determine how many firms are using P3P, it's probably not a large number relative to the potential. Some firms, such as eBay Inc., are waiting for the specification to be finalized. That may not happen until early next year.

"We have not come to any conclusions yet" about P3P, said Kevin Pursglove, a spokesman for eBay. But the San Jose-based company is evaluating it, he said.

Despite the lack of a final standard, P3P has been in use at some firms since last year. Lorrie Cranor, the chair of the P3P working group and a principal technical staff member at AT&T Labs in Florham Park, N.J., said any spec changes would be backward-compatible. "At this point, we're not going to make major changes because it's already in the browser," she said.

Of P3P's future, Cranor said, "There have definitely been a lot of proposed standards that have been developed, and some of them make it and some of them don't." But, citing Sunnyvale, Calif.-based Yahoo Inc.'s use of P3P on its Web page and some other adoptions, Cranor said she believes "it does stand a very good chance of getting widespread adoption."

Related stories:

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon