
You are viewing an outdated report. The latest version of this report was published on October 1st, 2024

P3P Compact Privacy Policy Report
July 1st, 2024

The Report
This report focuses on sites that have implemented compact privacy policies that deal with how the site and its organization use cookies. According to the P3P specification:

The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.

Part of the specification provides for what are termed "Compact Policies". These are summaries of the full privacy policy that relate to cookies. They give browsers policy information in the HTTP response headers of the pages that are retrieved, allowing the browser to decide quickly how to deal with content on that page.

This report details the usage of Compact Privacy Policies.

Web-Wide Penetration of Compact Privacy Policies
The following graph illustrates the adoption and penetration rate of compact policies.

The July 1st, 2024 survey retrieved the home page of 5094736 different sites. Of these sites, a total of 64095 returned an HTTP header containing a compact privacy policy statement.

Compact Privacy Policy Tag Usage
Compact privacy policies consist of a sequence of tags that define the policy in effect. A raw analysis of the tags and the frequency of occurrence of each of these tags is shown in the tables below.

The ACCESS element indicates whether the site gives users access to the information that the site has collected, and a way to address questions or concerns to the service provider. Sites deploying valid P3P policies must specify one of the ACCESS tags listed below.

Tag | Description | Frequency
NOI | Web site does not collect identified data. | 34.74%
ALL | All Identified Data: access is given to all identified data. | 7.45%
CAO | Identified Contact Information and Other Identified Data: access is given to identified online and physical contact information as well as to certain other identified data. | 10.67%
IDC | Identifiable Contact Information: access is given to identified online and physical contact information (e.g., users can access things such as a postal address). | 28.41%
OTI | Other Identified Data: access is given to certain other identified data (e.g., users can access things such as their online account charges). | 2.04%
NON | None: no access to identified data is given. | 5.77%

Privacy policies SHOULD contain DISPUTES elements. These elements describe dispute resolution procedures that may be followed for disputes about a service's privacy practices. If a privacy policy contains one or more DISPUTES elements, then the P3P compact policy field should contain the DSP token.

Tag | Description | Frequency
DSP | The privacy policy contains DISPUTES elements. | 43.30%

Each DISPUTES element SHOULD contain a REMEDIES element that specifies the possible remedies in case a policy breach occurs. If a REMEDIES element exists, it MUST specify one of the 3 remedies shown below, which SHOULD be included in the P3P compact policy.

Tag | Description | Frequency
COR | Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service. | 39.78%
MON | If the service provider violates its privacy policy it will pay the individual an amount specified in the human readable privacy policy or the amount of damages. | 0.07%
LAW | Remedies for breaches of the policy statement will be determined based on the law referenced in the human readable description. | 1.25%

If each statement of a privacy policy contains the NON-IDENTIFIABLE element, then the compact privacy policy may specify the NID token.


Each statement in a privacy policy must contain a PURPOSE element that contains one or more purposes of data collection or uses of data. Sites MUST classify their data practices into specific purposes.

Tag | Description | Frequency
CUR | Information is used to complete the activity for which it was provided. | 17.12%
ADM | Information may be used for the technical support of the Web site and its computer system. Users cannot opt-in or opt-out of this usage. This is the same as tag ADMa below. | 41.81%
ADMa | Information may be used for the technical support of the Web site and its computer system. Users cannot opt-in or opt-out of this usage. | 31.93%
ADMi | Information may be used for the technical support of the Web site and its computer system. Opt-in requirements dictate that prior consent must be provided by users. | 0.06%
ADMo | Information may be used for the technical support of the Web site and its computer system. Users may opt-out of the data being used for this purpose. | 0.41%
DEV | Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. Users cannot opt-in or opt-out of this usage. This is the same as tag DEVa below. | 33.48%
DEVa | Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. Users cannot opt-in or opt-out of this usage. | 14.41%
DEVi | Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. Opt-in requirements dictate that prior consent must be provided by users. | 4.60%
DEVo | Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. Users may opt-out of the data being used for this purpose. | 0.38%
TAI | Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Users cannot opt-in or opt-out of this usage. This is the same as tag TAIa below. | 0.34%
TAIa | Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Users cannot opt-in or opt-out of this usage. | 12.34%
TAIi | Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Opt-in requirements dictate that prior consent must be provided by users. | 4.62%
TAIo | Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Users may opt-out of the data being used for this purpose. | 0.20%
PSA | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage. This is the same as tag PSAa below. | 23.84%
PSAa | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage. | 2.75%
PSAi | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Opt-in requirements dictate that prior consent must be provided by users. | 27.42%
PSAo | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Users may opt-out of the data being used for this purpose. | 1.40%
PSD | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage. This is the same as tag PSDa below. | 10.07%
PSDa | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage. | 2.65%
PSDi | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Opt-in requirements dictate that prior consent must be provided by users. | 0.40%
PSDo | Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Users may opt-out of the data being used for this purpose. | 1.34%
IVA | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Users cannot opt-in or opt-out of this usage. This is the same as tag IVAa below. | 0.79%
IVAa | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Users cannot opt-in or opt-out of this usage. | 0.44%
IVAi | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Opt-in requirements dictate that prior consent must be provided by users. | 4.67%
IVAo | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Users may opt-out of the data being used for this purpose. | 0.16%
IVD | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Users cannot opt-in or opt-out of this usage. This is the same as tag IVDa below. | 0.13%
IVDa | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Users cannot opt-in or opt-out of this usage. | 0.57%
IVDi | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Opt-in requirements dictate that prior consent must be provided by users. | 5.23%
IVDo | Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Users may opt-out of the data being used for this purpose. | 0.17%
CON | Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Users cannot opt-in or opt-out of this usage. This is the same as tag CONa below. | 0.11%
CONa | Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Users cannot opt-in or opt-out of this usage. | 0.03%
CONi | Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Opt-in requirements dictate that prior consent must be provided by users. | 7.80%
CONo | Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Users may opt-out of the data being used for this purpose. | 1.15%
HIS | Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Users cannot opt-in or opt-out of this usage. This is the same as tag HISa below. | 4.61%
HISa | Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Users cannot opt-in or opt-out of this usage. | 1.01%
HISi | Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Opt-in requirements dictate that prior consent must be provided by users. | 0.00%
HISo | Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Users may opt-out of the data being used for this purpose. | 0.02%
TEL | Information may be used to contact the individual via a voice telephone call for promotion of a product or service. Users cannot opt-in or opt-out of this usage. This is the same as tag TELa below. | 0.09%
TELa | Information may be used to contact the individual via a voice telephone call for promotion of a product or service. Users cannot opt-in or opt-out of this usage. | 0.00%
TELi | Information may be used to contact the individual via a voice telephone call for promotion of a product or service. Opt-in requirements dictate that prior consent must be provided by users. | 0.09%
TELo | Information may be used to contact the individual via a voice telephone call for promotion of a product or service. Users may opt-out of the data being used for this purpose. | 0.54%
OTP | Information may be used in other ways not captured by the above definitions. Users cannot opt-in or opt-out of this usage. This is the same as tag OTPa below. | 0.03%
OTPa | Information may be used in other ways not captured by the above definitions. Users cannot opt-in or opt-out of this usage. | 1.00%
OTPi | Information may be used in other ways not captured by the above definitions. Opt-in requirements dictate that prior consent must be provided by users. | 0.10%
OTPo | Information may be used in other ways not captured by the above definitions. Users may opt-out of the data being used for this purpose. | 0.02%

Each statement in a privacy policy must contain a RECIPIENT element that contains one or more recipients of the collected data. Sites MUST classify their recipients into one or more of the six recipient groupings below, with optional attributes describing opt-in/opt-out criteria.

Tag | Description | Frequency
OUR | Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent. | 96.46%
DEL | Delivery services possibly following different practices. Users cannot opt-in or opt-out of this usage. This is the same as tag DELa below. | 0.07%
DELa | Delivery services possibly following different practices. Users cannot opt-in or opt-out of this usage. | 2.64%
DELi | Delivery services possibly following different practices. Opt-in requirements dictate that prior consent must be provided by users. | 0.03%
DELo | Delivery services possibly following different practices. Users may opt-out of the data being used for this purpose. | 0.01%
SAM | Legal entities following our practices. Users cannot opt-in or opt-out of this usage. This is the same as tag SAMa below. | 0.09%
SAMa | Legal entities following our practices. Users cannot opt-in or opt-out of this usage. | 0.01%
SAMi | Legal entities following our practices. Opt-in requirements dictate that prior consent must be provided by users. | 0.08%
SAMo | Legal entities following our practices. Users may opt-out of the data being used for this purpose. | 0.15%
UNR | Unrelated third parties whose data usage practices are unknown by the original service provider. Users cannot opt-in or opt-out of this usage. This is the same as tag UNRa below. | 4.74%
UNRa | Unrelated third parties whose data usage practices are unknown by the original service provider. Users cannot opt-in or opt-out of this usage. | 0.34%
UNRi | Unrelated third parties whose data usage practices are unknown by the original service provider. Opt-in requirements dictate that prior consent must be provided by users. | 0.17%
UNRo | Unrelated third parties whose data usage practices are unknown by the original service provider. Users may opt-out of the data being used for this purpose. | 0.56%
PUB | Public fora such as bulletin boards, public directories, or commercial CD-ROM directories. Users cannot opt-in or opt-out of this usage. This is the same as tag PUBa below. | 0.00%
PUBa | Public fora such as bulletin boards, public directories, or commercial CD-ROM directories. Users cannot opt-in or opt-out of this usage. | 0.04%
PUBi | Public fora such as bulletin boards, public directories, or commercial CD-ROM directories. Opt-in requirements dictate that prior consent must be provided by users. | 0.59%
PUBo | Public fora such as bulletin boards, public directories, or commercial CD-ROM directories. Users may opt-out of the data being used for this purpose. | 0.00%
OTR | Legal entities following different practices. Users cannot opt-in or opt-out of this usage. This is the same as tag OTRa below. | 2.73%
OTRa | Legal entities following different practices. Users cannot opt-in or opt-out of this usage. | 0.37%
OTRi | Legal entities following different practices. Opt-in requirements dictate that prior consent must be provided by users. | 0.13%
OTRo | Legal entities following different practices. Users may opt-out of the data being used for this purpose. | 26.91%

Each statement element in a privacy policy must contain a RETENTION element that indicates the kind of retention policy that applies to the data referenced in that statement.

Tag | Description | Frequency
NOR | Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction. Information MUST be destroyed following this interaction and MUST NOT be logged, archived, or otherwise stored. | 11.30%
STP | Information is retained to meet the stated purpose. This requires information to be discarded at the earliest time possible. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy. | 29.41%
LEG | As required by law or liability under applicable law: Information is retained to meet a stated purpose, but the retention period is longer because of a legal requirement or liability. For example, a law may allow consumers to dispute transactions for a certain time period; therefore a business may for liability reasons decide to maintain records of transactions, or a law may affirmatively require a certain business to maintain records for auditing or other soundness purposes. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy. | 0.54%
BUS | Information is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy. | 19.11%
IND | Information is retained for an indeterminate period of time. The absence of a retention policy would be reflected under this option. Where the recipient is a public forum, this is the appropriate retention policy. | 62.40%

Categories are elements inside data elements that provide hints to users and user agents as to the intended use of the data.

Tag | Description | Frequency
PHY | Information that allows an individual to be contacted or located in the physical world -- such as telephone number or address. | 27.47%
ONL | Information that allows an individual to be contacted or located on the Internet -- such as email. Often, this information is independent of the specific computer used to access the network. (See the category COM) | 29.77%
UNI | Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service. | 20.75%
PUR | Information actively generated by the purchase of a product or service, including information about the method of payment. | 9.29%
FIN | Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information. | 6.82%
COM | Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system. | 65.28%
NAV | Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page. | 49.75%
INT | Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity. | 18.16%
DEM | Data about an individual's characteristics -- such as gender, age, and income. | 45.11%
CNT | The words and expressions contained in the body of a communication -- such as the text of email, bulletin board postings, or chat room communications. | 12.30%
STA | Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies. | 34.01%
POL | Membership in or affiliation with groups such as religious organizations, trade unions, professional associations, political parties, etc. | 6.45%
HEA | Information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products. | 6.79%
PRE | Data about an individual's likes and dislikes -- such as favorite color or musical tastes. | 11.43%
LOC | Information that can be used to identify an individual's current physical location and track them as their location changes -- such as GPS position data. | 6.67%
GOV | Identifiers issued by a government for purposes of consistently identifying the individual. | 0.43%
OTC | Other types of data not captured by the above definitions. | 9.37%

The TEST element indicates that the privacy policy is an example ONLY, and must be ignored (i.e. not considered a valid P3P policy).

TST | 0.01%
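
As an added illustration (not part of the original report and not the survey's own code), the following Python example parses the value of a P3P response header, sorts each compact-policy token into the tag groups tabulated above, and applies the rules the report quotes. The `CP="..."` header syntax comes from the P3P specification; the function names, the sample header values, and the reading of "must specify one of the ACCESS tags" as exactly one are assumptions made for this example.

```python
import re

# Tag groups as listed in the report's tables.
GROUPS = {
    "ACCESS": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "DISPUTES": {"DSP"},
    "REMEDIES": {"COR", "MON", "LAW"},
    "NON-IDENTIFIABLE": {"NID"},
    "PURPOSE": {"CUR"},
    "RECIPIENT": {"OUR"},
    "RETENTION": {"NOR", "STP", "LEG", "BUS", "IND"},
    "CATEGORIES": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                   "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "TEST": {"TST"},
}
# Tags the report also lists with an a/i/o suffix (no suffix means the same as "a").
WITH_CONSENT = {
    "PURPOSE": {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
                "HIS", "TEL", "OTP"},
    "RECIPIENT": {"DEL", "SAM", "UNR", "PUB", "OTR"},
}
CONSENT = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}


def classify(token):
    """Return (group, consent) for one token; group is "UNKNOWN" if unlisted."""
    for group, tags in GROUPS.items():
        if token in tags:
            return group, None
    base, suffix = token[:3], token[3:]
    if suffix in CONSENT:
        for group, tags in WITH_CONSENT.items():
            if base in tags:
                return group, CONSENT[suffix]
    return "UNKNOWN", None


def analyze(p3p_header_value):
    """Parse a P3P header value and check it against the rules quoted above."""
    result = {"groups": {}, "consent": {}, "findings": [], "ignore": False}
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', p3p_header_value)
    if match is None:
        result["findings"].append("no compact policy (CP) in header")
        return result
    for token in match.group(1).split():
        group, consent = classify(token)
        result["groups"].setdefault(group, []).append(token)
        if consent:
            result["consent"][token] = consent
    groups, findings = result["groups"], result["findings"]
    if "TEST" in groups:  # TST: example policy, not a valid P3P policy
        result["ignore"] = True
        findings.append("TST present: policy must be ignored")
    access = groups.get("ACCESS", [])
    if len(access) != 1:  # assumption: "one of the ACCESS tags" means exactly one
        findings.append("expected one ACCESS tag, found %d" % len(access))
    for required in ("PURPOSE", "RECIPIENT", "RETENTION"):
        if required not in groups:
            findings.append("no %s tag" % required)
    if "REMEDIES" in groups and "DISPUTES" not in groups:
        findings.append("remedy tag without DSP")
    if "UNKNOWN" in groups:
        findings.append("unknown tokens: " + " ".join(groups["UNKNOWN"]))
    return result


# Constructed sample header values (not taken from the survey data).
GOOD = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR ADMa PSAi OUR IND COM NAV STA"'
BAD = 'CP="ALL IDC COR CURa OUR TST FOO"'

if __name__ == "__main__":
    for value in (GOOD, BAD):
        report = analyze(value)
        print(value, "->", report["findings"] or "no findings")
```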

© 1998-2024 E-Soft Inc. All rights reserved.