Privacy Policy Won't Validate

Forum Moderators: phranque

Message Too Old, No Replies

Privacy Policy Won't Validate

Policy does Not Exist?

Mardi_Gras

7:28 pm on Jan 28, 2004 (gmt 0)

I am trying to get my privacy policy to validate at W3C.org, but I keep getting this error message:

The specified policy does not exist. Validation aborted. [http://www.mysite.com/w3c/full_p3p.xml]

But the policy - and that file - do exist. If I run a privacy report using IE, it opens up my privacy policy. I suspect I am missing something obvious here - any ideas what I should look for?

I also get another error that doesn't seem fatal, but maybe it is contributing:

Policy URI check

/w3c/p3p.xml has some warnings or errors.

Error: The URI fragment identifier (#****) is necessary to specify a POLICY element in a POLICIES element.

P3P policy for [mysite.com...] is [http://www.mysite.com/w3c/full_p3p.xml]

The HTML version of the policy is [mysite.com...]

Suggestions welcomed.

Mardi_Gras

11:40 pm on Jan 29, 2004 (gmt 0)

Any ideas?

mbauser2

8:36 am on Jan 30, 2004 (gmt 0)

Am I correct in assuming we're talking about the site in your profile?

If so, the problem is that p3p.xml can't link to just "/w3c/full_p3p.xml". You need a fragment identifier linking straight to the POLICY element in full_p3p.xml, because policy files can contain more than one POLICY. Try "/w3c/full_p3p.xml#Privacy_Policy".

But that's only one problem: The big problem is that your POLICY statement isn't accurate for your site. That contact form asks for a lot of personally identifiable information. You need, at the very least, to create a second POLICY statement for your contact.html page, specifying use and retention policies for the information people provide when they use the forml.

Mardi_Gras

1:54 pm on Jan 30, 2004 (gmt 0)

Thanks, mbauser2. I do recognize that I need a second policy for the inquiry form - I was trying to get the main one working first and couldn't get past the validation hurdle.

I will try the code you've suggested and let you know what happens.

Mardi_Gras

2:43 pm on Jan 30, 2004 (gmt 0)

I guess if you know what you're doing with the IBM privacy policy editor this is a lot easier :(

At this point, I would be ahead of the game if I just asked all my visitors to call me and I will personally explain my privacy policy.

I have, at least, succeeded in identifying my policy as a test policy and specifically excluding my contact form.

Mardi_Gras

3:53 am on Jan 31, 2004 (gmt 0)

I just don't understand the naming convention for the full privacy.xml file. My p3p.xml file seems to work fine. But I don't understand using the hashmark to link to the full file - but it doesn't seem that the hashmark and text that follows is actually part of the file name.

Bottom line is, my p3p.xml file cannot find the full_p3p.xml file.

I guess this will be really obvious once someone explains it to me. At least I hope so.

mbauser2

5:00 am on Jan 31, 2004 (gmt 0)

The # isn't for linking to whole file -- it's for linking to the POLICY statement inside the file.

Your first POLICY element begins with <POLICY name="Privacy_Policy" , so link to /w3c/full_p3p.xml#Privacy_Policy.

When you add another POLICY to the file, it will have to have a unique "name" attribute so you can link to it.

Mardi_Gras

1:55 pm on Jan 31, 2004 (gmt 0)

>Your first POLICY element begins with <POLICY name="Privacy_Policy"

Okay, now it is obvious :)

Thanks.

<<Added>>It Validates!

Mbauser2, I can't thank you enough. I have set up a policy that I think overstates what I collect on most pages but covers the contact form; now I will try to set up a second policy that more accurately reflects all the pages except contact.html. Thanks again. <</added>>

mbauser2

4:47 am on Feb 1, 2004 (gmt 0)

Actually, "contact.html" isn't the URL that needs a separate policy, the URL of the script that processes the form is, because that's the URL that receives the data. The user's data doesn't leave their computer until unless they submit the form, so the "submit URL" is what's important. (You can give the form and submit URLs the same policy if you want, but it's not strictly necessary.)

See [w3.org...] , "specific example" #1.

Mardi_Gras

4:53 am on Feb 1, 2004 (gmt 0)

Thanks, I did not realize that. What is the best way to go about setting up two different policies for different pages? Can I list them both in one reference file using includes and excludes?

mbauser2

7:12 am on Feb 1, 2004 (gmt 0)

Yes, that's exactly what INCLUDE and EXCLUDE are for. It's a lot like robots.txt -- use the INCLUDE to define the whole site, then use an EXCLUDE to exclude the contact script. Then, add a second POLICY-REF that uses INCLUDE to list just the contract script. Something like this:


<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
 <POLICY-REF about="/w3c/privacy.xml#site">
 <INCLUDE>/*</INCLUDE>
 <EXCLUDE>/cgi/contact.cgi</EXCLUDE>
 </POLICY-REF>
 <POLICY-REF about="/w3c/privacy.xml#cgi">
 <INCLUDE>/cgi/contact.cgi</INCLUDE>
 </POLICY-REF>
 </POLICY-REFERENCES>
</META>

(Which would be easier to read if Webmaster World didn't strip the tabs out....)

Note that there's only one POLICY-REFERENCES element, but that it contains two POLICY-REF elements. (Inside a POLICY-REF, the INCLUDE has to precede EXCLUDE.)

Likewise, the example file above links to "privacy.xml", which has one POLICIES element containing two POLICY elements (one named "site" and one named "cgi").

This would be so much easier to explain if all the elements didn't have such similar names....

Mardi_Gras

2:11 pm on Feb 1, 2004 (gmt 0)

>This would be so much easier to explain if all the elements didn't have such similar names....

And to understand! But you've been a great help and I think I can get it figured out from your example.