Privacy standard could bring clarity to customers

Canadian businesses should convert their Internet privacy policies into a new browser standard that can be understood by customers or risk losing business, privacy leaders told an IT audience this week.

The message came late Wednesday at a Toronto meeting convened by Ontario information and privacy commissioner Ann Cavoukian to publicize the recently released Platform for Privacy Preferences (P3P) developed by the World Wide Web Consortium.

“Over time, if you don’t have P3P enabled, there will be an impact from your customers,” Della Shea, manager of Web compliance for RBC Financial Services, said in an interview after describing to the audience how the bank is implementing the standard. So far it is one of the few Canadian companies with sites using the platform, which was launched in April.

Shea said the bank decided to P3P-enable its sites in part to show customers it is a leader in online privacy.

To impress the message on the roughly 200 people from a number of IT associations and governments who attended the presentation, Tim Berners-Lee, the founder of the World Wide Web and head of the consortium, was brought in as cheerleader.

“The time to implement it is now,” he said.

P3P is a way of converting a privacy policy — which is usually written in confusing legalese, buried in most Web sites and seen by few — into extensible markup language (XML) that can be read by P3P-enabled browsers such as Internet Explorer 6.0 and Netscape 7.0.

These policies include what data is collected, the purposes for which it will be used, the ability to opt in or out, the data recipients and the data retention policy.

If a user has set the browser’s privacy preferences (found in IE 6.0 under Tools/Internet Options/Privacy), a P3P-enabled site will signal onscreen if it meets those limits. It would be up to the user to decide what to do if it doesn’t.

P3P policies can be set for different sections of a site — a shopping section, for example, could have a different policy than the home page. The idea is to increase the confidence of online shoppers in e-commerce with an easy-to-understand series of symbols.

However, P3P still has some gaps. It doesn’t yet cover Web-enabled mobile devices with their tiny screens, or sites with multiple partners linked by Web services, which could have multiple privacy policies. Nor does it ensure a site adheres to its privacy policies. And cookies are dealt with under a separate guideline.

Cavoukian, who helped develop the standard, admits P3P is a work in progress, but one online businesses must adopt as a first step. As for possible concerns by business that there’s already federal or provincial legislation with privacy demands, such as the draft Privacy of Personal Information Act written by the Ontario government, she’s dismissive.

“It’s not about legislation,” she said. “The average person who goes to your Web site doesn’t know anything about what laws are out there. But if you want their business you want them to feel a sense of trust in the way they interrelate with your Web site, and they’re not going to have that unless they’re aware of your information-gathering practices.”

Surveys show 70 per cent of visitors leave sites when asked for what they believe is unjustified personal information, she noted.

For a free guide to setting up P3P, see

Several companies, including IBM and Montreal’s Zero Knowledge Systems, have free tools to help automate the conversion.

