Part 4: Web Privacy Policy

I guess there are more ways than I had originally thought for a company to get information from their online visitors. Part four of the IAPP exam deals with web privacy and security. The lesson goes through the list of different mechanisms that would allow a company to identify a user visiting its website.

I felt that the information presented was an excellent introduction for individuals without any technical background. It lays out the fundamental internet protocols and the privacy challenges that arise from web surfing.

The part of the lesson that I found most interesting was learning about P3P. P3P stands for Platform for Privacy Preferences Project of the World Wide Web Consortium (W3C). This is a protocol which allows companies to declare on their website how they intend to use information they collect about online visitors. The lesson analyzed a sample P3P policy as an XML file and how it would appear to an end user reading a company’s privacy policy. The speaker stressed how important it was for the privacy people at a company to communicate with their IT departments to determine what PII was being collected. Only by understanding the technical aspects of how PII is collected, can privacy experts make sure that their companies are adhering to any privacy policy they set out.

P3P is a recommended industry standard that is meant to convey to the public what a company does with the information it collects. I had known that web browsers can be set by an end user to certain privacy options, but seeing how it looks from the side of the server was interesting. The model given breaks the policy into a human-readable version when requested by a user. A P3P-compliant website promises to adhere to certain privacy provisions when tracking information about visitors. Critics have said that P3P is too difficult for the average person to understand and doesn’t do enough to protect privacy. Also, P3P support in browsers such as Internet Explorer only extends to cookie blocking, not to other tracking mechanisms such as pixel tags or clear GIFs.
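To show what the lesson's XML-to-human-readable step looks like in practice, here is an added example (my own code, not from the lesson or the W3C): a constructed P3P 1.0 policy, a small renderer that turns each STATEMENT into the kind of sentence a browser would present, and a check that lists data a privacy team should compare against the written policy. The site, data choices and plain-language glosses are assumptions; the element and token names are from the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # P3P 1.0 policy namespace

# Constructed sample (not from the lesson): genuine P3P 1.0 elements and tokens, made-up site.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="example" discuri="http://www.example.com/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Co</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact/></PURPOSE>
      <RECIPIENT><ours/><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""
# Plain-language glosses for the tokens above (paraphrased from the P3P 1.0 vocabulary).
GLOSS = {"current": "complete the current activity", "admin": "administer the site",
         "contact": "contact you", "ours": "the site itself", "indefinitely": "kept indefinitely",
         "other-recipient": "third parties following different practices",
         "stated-purpose": "kept only as long as the stated purpose requires"}

def _tokens(stmt, tag):
    # Child element names (e.g. 'admin') of a STATEMENT's PURPOSE, RECIPIENT or RETENTION.
    node = stmt.find(f"{{{P3P_NS}}}{tag}")
    return [] if node is None else [c.tag.split("}")[1] for c in node]

def _statements(policy_xml):
    # ElementTree on trusted inline XML; parse policies fetched from the web with defusedxml.
    root = ET.fromstring(policy_xml)
    for stmt in root.iter(f"{{{P3P_NS}}}STATEMENT"):
        data = [d.get("ref", "").lstrip("#") for d in stmt.iter(f"{{{P3P_NS}}}DATA")]
        yield data, _tokens(stmt, "PURPOSE"), _tokens(stmt, "RECIPIENT"), _tokens(stmt, "RETENTION")

def summarize(policy_xml):
    """Render each STATEMENT as the kind of sentence a browser would show a user."""
    gloss = lambda toks: ", ".join(GLOSS.get(t, t) for t in toks)
    return [f"Collects {', '.join(d)} to {gloss(p)}; shared with {gloss(r)}; {gloss(k)}."
            for d, p, r, k in _statements(policy_xml)]

def needs_review(policy_xml):
    """Data refs kept indefinitely or sent beyond the site and its agents (not ours/same/delivery)."""
    return sorted({ref for d, _, r, k in _statements(policy_xml)
                   if "indefinitely" in k or set(r) - {"ours", "same", "delivery"} for ref in d})
```

Running `summarize(SAMPLE_POLICY)` gives one sentence per statement, and `needs_review(SAMPLE_POLICY)` singles out the e-mail address, which is the item the privacy team would have to confirm with IT actually matches the published policy.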

I had not heard of P3P until this lesson, but some of the controls that the consortium attempts to give to end users should be applauded. Companies that choose to abide by P3P are taking a public stand on how they treat the information they collect. While end users need to be aware of privacy concerns, companies are in a better position to comply with basic privacy standards.

While P3P is a standard for web sites to live up to, there are no laws or regulations that make it a criminal or civil offense when companies improperly use personal information. My guess is that the only recourse for a consumer would be to seek compensation by claiming unfair trade or deceptive business practices.

Overall, this lesson was one of my favorites. It taught me something new and reinforced some older knowledge. As a technology enthusiast, it is always good to understand the basics and go from there. I think that the material covered is crucial for any privacy professional working in a digital environment.

About the Author: Guest Blogger

