Report: Many Failures: A Brief History of Privacy Self-Regulation | Section: Combination Self-Regulatory Efforts
You are reading section IV., Combination Self-Regulatory Efforts, of the report Many Failures: A Brief History of Privacy Self-Regulation.
Jump to other sections of the report: I. Introduction and Summary | II. Industry-Supported Self-Regulatory Programs for Privacy | III. Government Privacy Self-Regulatory Activities |IV. Combination Self-Regulatory Efforts | V. Conclusion
IV. Combination Self-Regulatory Efforts
The self-regulatory efforts in this category include projects that have many components, including input from government, industry, academia, and civil society.
Platform for Privacy Preferences Project (P3P)
The Center for Democracy and Technology (CDT) supported the early work that eventually resulted in P3P.  CDT convened an Internet Privacy Working Group that drafted a mission statement, with companies, trade associations, and consumer groups participating. A presentation of a prototype was presented at an FTC Workshop in 1997. 
Later in the same year, P3P became a project of the World Wide Web Consortium (W3C), the main international standards organization for the World Wide Web. The working group included representatives of companies, academia, and government.  The work of drafting the formal specification took some time, and version 1.0 was finally published at the end of 2000.  A later specification was published in 2006. 
Microsoft included some support for P3P in its browser, Internet Explorer.  The Firefox browser from Mozilla also provides some support.  The E-Government Act of 2002  included a requirement that federal agency websites translate privacy policies into a standardized machine- readable format,  and P3P is the only specification that meets the requirements.  It was a promising start.
However, the extent to which commercial websites and even government websites attempted to implement P3P or succeeded in doing so in the long term is highly uncertain. A 2008 published review of P3P by Professor Lorrie Faith Cranor found P3P adoption increasing overall but that P3P adoption rates greatly vary across industries. Other findings are that P3P had been deployed on 10% of the sites returned in the top-20 results of typical searches, and on 21% of the sites in the top-20 results of e-commerce searches. Review of over 5,000 web sites in both 2003 and 2006 found that P3P deployment increased over that period, although there were decreases in some sectors. The review also found high rates of syntax errors among P3P policies, but much lower rates of critical errors that prevent a P3P user agent from interpreting them. Privacy policies of P3P-enabled popular websites were found to be similar to the privacy policies of popular websites that do not use P3P. 
An analysis published two years later by the CyLab at Carnegie Mellon University looked at over 33,000 websites using P3P compact policies and “detected errors on 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites.”  The study also found thousands of sites using identical invalid compact policies (CP) that had been recommended as workarounds for Internet Explorer cookie blocking. Other sites had CPs with typos in their tokens, or other errors. Fully 98% of invalid CPs resulted in cookies remaining unblocked by Internet Explorer under its default cookie settings. The analysis concluded that it “appears that large numbers of websites that use [compact policies] are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective.”  The study concluded that companies do not have sufficient incentives to provide accurate machine-readable privacy policies. 
In other words, the self-regulatory aspects of P3P do not appear to be working, with the CyLab study suggesting that lack of enforcement by regulators is a problem.  Neither P3P nor any industry trade association offers a P3P enforcement method.
P3P has some of the indicia of industry self-regulation in that it was inspired in part by FTC interest and motivated in part by an industry interest in avoiding legislation or regulation.  The involvement in P3P’s development and promotion by consumer groups and the White House together with industry representatives differentiates P3P from the other industry efforts discussed earlier in this report. Another differentiator is the legislative requirement that federal agencies use P3P or similar technology. P3P shares sufficient characteristics with the self-regulatory programs discussed in this report to warrant its inclusion here.
Some privacy groups opposed P3P from the beginning, largely because of concerns that it would prevent privacy legislation from passing. Company views of the project also varied.  It is not clear how much attention P3P has received in recent years from companies or privacy groups.
Unlike some of the self-regulatory activities discussed in Part II of this analysis, P3P remains in use. However, given the findings of the 2010 study of widespread misrepresentation of privacy policies by those using P3P, it is hard to call P3P any kind of success. Further, the study provides strong evidence of deliberate deception in implementation of P3P at some websites. Internet users appear to have little knowledge of P3P, although public awareness may not be essential since the controls are built into browsers and users appear to be concerned about the privacy policies that P3P is designed to convey.  Like the Commerce Department’s Safe Harbor Framework, P3P continues to exist, but both programs are so lacking in rigor and compliance that neither is fulfilling its original purpose.
 For a fuller history of P3P and details on the actual technical standard, see Lorrie Faith Cranor, Web Privacy with P3P (2002).
 Id. at 45.
 Id. at 46.
 Id. at 53.
 http://www.w3.org/TR/P3P11 (last visited 9/20/11).
 See http://msdn.microsoft.com/en-us/library/ms537343%28VS.85%29.aspx (last visited 9/20/11).
 See http://www-archive.mozilla.org/projects/p3p (last visited 9/20/11).
 Public Law 107-347.
 See Office of Management and Budget, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (2003) (M-03-22), http://www.whitehouse.gov/omb/memoranda_m03-22 (last visited 9/20/11).
 See, e.g., Department of Health and Human Services, HHS-OCIO Policy for Machine-Readable Privacy Policies at 4.2 (Policy 2010-0001, 2010), http://www.hhs.gov/ocio/policy/hhs-ocio-2010_0001_policy_for_machine- readable_privacy_policies.html (last visited 9/20/11).
 Lorrie Faith Cranor et al., P3P Deployment on Websites, 7 Electronic Commerce Research and Applications 274- 293 (2008).
 Pedro Giovanni Leon et al, Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens (CMU-CyLab-10-014 2010), http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab10014.pdf (last visited 9/20/11).
 Id. at 9.
 See, e.g., Simson Garfinkel, Can a labeling system protect your privacy?, Salon (July 11, 2000), http://www.salon.com/technology/col/garf/2000/07/11/p3p (last visited 9/20/11) (“But P3P isn’t technology, it’s politics. The Clinton administration and companies such as Microsoft are all set to use P3P as the latest excuse to promote their campaign of “industry self-regulation” and delay meaningful legislation on Internet privacy.”).
 Lorrie Faith Cranor, Web Privacy with P3P 56 (2002).
 See Serge Egelman et al., Timing Is Everything? The Effects of Timing and Placement of Online Privacy Indicators (2009), http://www.guanotronic.com/~serge/papers/chi09a.pdf (last visited 9/20/11).
Roadmap: Many Failures – A Brief History of Privacy Self-Regulation in the United States: IV. Discussion: Combination Self-Regulatory Efforts