What P3P says about Conduct
Numerous studies over the past ten years have shown that concern for personal privacy is a
major impediment to the growth of e-commerce. These concerns are so serious that most, if not
all, consumer watchdog groups have called for some form of privacy protection for Internet users.
In response, many nations around the world, including all European Union nations, Canada,
Japan and Australia, have enacted national legislation establishing mandatory safeguards for
personal privacy. However, recent evidence indicates that Web sites might not be adhering to the
requirements of this legislation. The goal of this study is to examine the posted privacy policies
of Web sites, and compare these statements to the legal mandates under which the Web sites
operate. We survey the 100,000 most popular Web sites, and harvest P3P (Platform for Privacy
Preferences Protocol) documents posted on these sites. This allows us to undertake an automated
analysis of adherence to legal mandates on the Web sites that most impact the average Internet
user. Our findings show that Web sites generally do not even claim to follow all the privacy-protection
mandates in their legal jurisdiction (we do not examine actual practice, only posted
policies). Furthermore, this general statement appears to be true for every jurisdiction with
privacy laws and any significant number of P3P policies, including European Union nations,
Canada, Australia, and Web sites in the USA Safe Harbor program.