New Privacy Principles for a more trustworthy web

Protecting user privacy is fundamental to creating a web that works for everyone. Last week, W3C published its Statement on Privacy Principles, in support of furthering this goal. This document defines some foundational privacy concepts and provides a set of privacy principles to guide web development. We hope this guide will enhance the community’s understanding of privacy, illustrate ways of realizing it in practice, and inspire a vision of the trustworthy web that we can create and sustain together.

Last December, W3C published its first ever Statement, on Ethical Web Principles. The Privacy Principles Statement continues this series, focusing specifically on the considerations required for creating a web that respects people’s privacy. This milestone is significant: W3C Statements are documents that have been formally reviewed and endorsed by W3C's membership as a whole. The Privacy Principles document was developed over three years and incorporated feedback and contributions from the W3C community, and is now accepted as a W3C Statement to indicate our collective stance on the fundamental importance of web privacy and how to achieve it in practice.

I first started working on privacy with W3C in 2012 (as one of the original co-chairs of the Privacy Interest Group) and I have seen first-hand how users’ online privacy has evolved over the years, both in terms of new opportunities as well as new challenges. During this time, a lot of helpful privacy material has been produced, such as a guide on mitigating browser fingerprinting (to reduce the risk of user tracking) and a questionnaire to assist specification authors and reviewers in improving the level of privacy and security of their designs. The Privacy Principles Statement complements this body of work by providing a more general document that includes core privacy concepts as well as overarching guidance that ensures privacy is built into the foundations of web technologies.

Privacy is a very broad topic. In order to reason about privacy on the web, and therefore provide actionable guidance, it’s first necessary to define what we mean by privacy in the context of the web. That’s why this document begins with an introduction to privacy on the web, covering topics like data governance, individual autonomy, deceptive patterns, consent, opt-out and privacy labor, as well as the role that browsers (user agents) play in safeguarding web users. This provides context for the actionable principles, each of which is marked with the audiences that it's most relevant to: websites, user agents or API (web technology) designers.

It’s also important to consider how web technologies interact with social and policy aspects in the privacy realm. The regulatory environment, for example, is constantly evolving and has significant implications for the data protection of users around the world. One of the goals of the Privacy Principles Statement is to support online privacy regulations; the document is written to address both technological and policy considerations and hopefully help achieve some alignment between different regulatory regimes. Because the discussions around online data can sometimes become complex, the document includes several short, concrete examples to illustrate privacy risks and possible mitigations – for example, handling geolocation information or managing children’s services.

It’s taken a lot of work from many members of the W3C community to get these Privacy Principles to this stage, and I want to acknowledge their hard work and dedication. This document is the result of sustained effort by the Privacy Principles Task Force (a group representing a wide range of web stakeholders, convened by the W3C Technical Architecture Group), with particular credit to its Chair Daniel Appelquist and to the document editors, Robin Berjon and Jeffrey Yasskin. Additional thanks are due to all of the people who constructively engaged in discussions about web privacy–some of them over several years!–that were instrumental in producing a Statement that accurately reflects our collective privacy vision for the web.

While we’re taking a moment to celebrate the publication of this document, we acknowledge that the work is far from over. We’re eager to hear feedback about the Privacy Principles, which we can use to improve and expand our future documentation. And of course we encourage you to put the principles into practice as we build a better web!