Many Internet users are under the impression that the privacy policy of a company--represented by the Platform for Privacy Preferences Project (P3P) protocol--is an accurate and legal statement. This is not always correct.
This paper follows a simple methodology to show that there is a gap between the legal jurisdiction and the posted policies regarding the handling of users' private information. Although the methodology may not be completely accurate--for example, it takes the location of the Web server as a proxy for the country of the company's Web site, and P3P documents with syntax errors were not taken into account--the outcome of the methodology is very clear.
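To make the methodology concrete, the following is an added example (not code from the reviewed paper) that audits a P3P 1.0 policy the way the paper's approach implies: the hosting server's country stands in for the company's jurisdiction, the country the policy declares for the business entity and its retention practice are extracted, and policies that are not well-formed are skipped rather than scored. The sample policy, the assumed server country and the `example.invalid` URI are constructed for illustration.

```python
# Added example, not from the reviewed paper: compare the country a P3P policy
# declares with the country the server is hosted in, and flag indefinite retention.
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample: a site assumed to be served from Germany whose policy
# declares a US entity and retains user data indefinitely.
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="p1" discuri="http://example.invalid/privacy">
  <ENTITY><DATA-GROUP>
   <DATA ref="#business.name">Example Corp</DATA>
   <DATA ref="#business.contact-info.postal.country">US</DATA>
  </DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

BROKEN_POLICY = "<POLICIES><POLICY name='x'>"  # constructed: unterminated document


def audit_policy(policy_xml, server_country):
    """Return a dict of findings, or None when the policy is not well-formed XML."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return None  # syntax error: excluded from the audit, as in the paper's method
    findings = {"declared_country": None, "country_mismatch": False,
                "indefinite_retention": False}
    # The entity's postal country is the only jurisdiction hint P3P 1.0 carries.
    for data in root.iter(P3P_NS + "DATA"):
        if data.get("ref") == "#business.contact-info.postal.country":
            findings["declared_country"] = (data.text or "").strip().upper()
    findings["country_mismatch"] = (findings["declared_country"] is not None
                                    and findings["declared_country"] != server_country.upper())
    findings["indefinite_retention"] = root.find(
        f".//{P3P_NS}RETENTION/{P3P_NS}indefinitely") is not None
    return findings


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, "DE"))
    print(audit_policy(BROKEN_POLICY, "DE"))
```

A mismatch flag only says that the declared and hosting countries differ; which jurisdiction's law actually applies is a legal question the script cannot settle.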
The authors describe the limitations of P3P as a tool for representing a company's privacy policy well. They also give a very comprehensive description of related legislation in different countries.
While extensive work has been done on how to create and manage a P3P privacy policy, there is little work on how to ensure that the privacy policy is actually being followed. This paper helps readers realize that currently, P3P is a marketing tool rather than a tool that protects the privacy of Internet users.