Privacy Policy Statements


In addition to a “human readable” Privacy Policy, all Web sites shall have a machine-readable privacy policy that alerts users automatically about whether site privacy practices match their personal privacy preferences.


All Department of Commerce Web sites, except intranet sites not available to the public.


To make it easier for users of public Web sites to protect their privacy while using U.S. Government Web sites. 



Deadline for Implementation:

December 15, 2003.


The Privacy Provisions of the E-Government Act of 2002 require both a “human readable” Privacy Policy and agency use of machine-readable technology that alerts users automatically about whether site privacy practices match the user's personal privacy preferences. Most Web site visitors do not see the text of the Privacy Policy until after they have visited one or more of the site’s pages. Text privacy policies are sometimes difficult for users to locate and may be too lengthy or complex for some users to understand. Also, they can change without notice.

The standard for machine-readable Privacy Policies is the Platform for Privacy Preferences (P3P). P3P enables Web sites to translate their privacy practices into a standardized format (Extensible Markup Language, XML) that can be retrieved and interpreted automatically by a user's browser or other user agent, such as a personal digital assistant (PDA), media player, document reader, or Internet- or e-commerce-capable cellular phone.

P3P uses machine-readable descriptions of a Web site's practices concerning the collection and use of user data.

P3P does not monitor the content of "cookies" (files stored by a Web server on a user's computer), but does address the following:

    • Who is collecting data?
    • What data is collected?
    • For what purpose will data be used?
    • Is there an ability to opt-in or opt-out of some data uses?
    • Who are the data recipients (anyone beyond the data collector)?
    • To what information does the data collector provide access?
    • What is the data retention policy?
    • How will disputes about the policy be resolved?
    • Where is the human-readable Privacy Policy?

When a browser or other user agent encounters a cookie from a Web page that either does not have a machine-readable P3P policy, or that has a P3P policy that does not match the user’s privacy preferences, the user is alerted by, for example, an icon or an audible alert. However, P3P does not set minimum standards for privacy and cannot monitor compliance with the stated policy. It merely provides notification based on the contents of the machine-readable privacy statement.
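To make the matching step above concrete, here is an added example (not part of the Department of Commerce page or the W3C project) that reads a P3P 1.0 policy, answers the nine questions from its elements, and lists the conflicts with a visitor's preferences that would cause the user agent to alert. The policy, the agency name, the URLs and the preference sets are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace

# Constructed sample policy for a hypothetical agency site (not a real policy); its elements
# answer the questions above: ENTITY, DATA, PURPOSE, RECIPIENT, ACCESS, RETENTION, DISPUTES, discuri.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="site" discuri="https://www.example.gov/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Agency</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP><DISPUTES resolution-type="service" service="https://www.example.gov/contact"/></DISPUTES-GROUP>
  <STATEMENT>
   <PURPOSE><current/><admin/><contact required="opt-in"/></PURPOSE>
   <RECIPIENT><ours/><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Constructed visitor preferences: anything outside these sets is a mismatch unless opt-in.
USER_PREFS = {"recipients": {"ours", "delivery"},
              "retention": {"no-retention", "stated-purpose", "legal-requirement"},
              "purposes_refused": {"contact", "telemarketing"}}

def _leaves(parent, tag):
    """Map each leaf element under <tag> to its 'required' attribute ('always' by default)."""
    return {c.tag[len(NS):]: c.get("required", "always")
            for el in parent.iter(NS + tag) for c in el}

def summarize(policy_xml):
    """Extract what a user agent inspects, keyed by the page's nine questions."""
    policy = ET.fromstring(policy_xml).find(NS + "POLICY")
    stmts = policy.findall(NS + "STATEMENT")
    return {"who": policy.findtext(f"{NS}ENTITY/{NS}DATA-GROUP/{NS}DATA"),
            "what": sorted(d.get("ref") for s in stmts for d in s.iter(NS + "DATA")),
            "purpose": {k: v for s in stmts for k, v in _leaves(s, "PURPOSE").items()},
            "recipients": {k: v for s in stmts for k, v in _leaves(s, "RECIPIENT").items()},
            "retention": {k for s in stmts for k in _leaves(s, "RETENTION")},
            "access": list(_leaves(policy, "ACCESS")),
            "disputes": [d.get("resolution-type") for d in policy.iter(NS + "DISPUTES")],
            "human_readable": policy.get("discuri")}

def mismatches(summary, prefs):
    """Conflicts between policy and preferences; a non-empty list is what triggers the alert."""
    found = [f"recipient '{r}' without opt-in" for r, req in summary["recipients"].items()
             if r not in prefs["recipients"] and req == "always"]
    found += [f"purpose '{p}' without opt-in" for p, req in summary["purpose"].items()
              if p in prefs["purposes_refused"] and req == "always"]
    found += [f"retention '{r}' not accepted" for r in summary["retention"] - prefs["retention"]]
    return found
```

Note that the opt-in `contact` purpose passes while the unconditional `unrelated` recipient and `indefinitely` retention do not; as the text says, this is only notification about the stated policy, not a check that the site actually behaves that way.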

Not all browsers support P3P equally, and this support can change over time, so Web site visitors should be aware of the capabilities of their particular browser, and it is wise to review the human-readable privacy policy as well.

Implementing the P3P machine-readable privacy statement

The machine-readable privacy statement can be implemented either on the individual Web site or on the Web server on which the Web site resides.  However, if implemented on the server, all Web sites using the server's machine-readable privacy statement must, obviously, have the same privacy policy, at least with regard to the elements covered by the machine-readable privacy statement.  If a Web site on the server does not conform to that statement, it must have its own separate machine-readable privacy statement.

Following is a link to a PowerPoint presentation on implementing the P3P machine-readable file on servers or on individual Web pages.

    • Implementing P3P (Server): training presentation that can be used to instruct system administrators on what they must do to their servers (HTML) | (PowerPoint)


W3C Platform for Privacy Preferences (P3P) Project

The P3P Implementation Guide

Department of Commerce Web Advisory Council (WAC)
U.S. Department of Commerce

Page last updated September 29, 2011