Getting P3P, IE and Privacy Policy Settings in Place

What is P3P?

P3P is a combination of a machine-readable and a human-readable website privacy policy. The standard today is to publish a text policy, but in reality who reads them? They are almost always hard to find and lengthy to read. P3P is supposed to solve this problem.

A P3P implementation consists of two files. The first is an XML-formatted document that is read by the web browser; it contains machine-readable statements about how and why the website needs you to accept cookies. The other part is a regular, compact statement formatted in plain HTML for people to read.

How does a P3P policy affect the web browser?

When the web browser is presented with a cookie (1st or 3rd party) that either does not have a policy, or whose policy does not match the user’s preferences, the user is alerted and the cookie is blocked.

IE6/7 Red Eyeball

Both versions of IE ship with a medium privacy setting. The medium setting is described as:

  • Blocks third-party cookies that do not have a compact policy
  • Blocks third-party cookies that save information that can be used to contact you without your explicit consent
  • Restricts first-party cookies that save information that can be used to contact you without your implicit consent

When any of the above items is triggered, the user is prompted; IE6 and IE7 both flash a red eyeball icon in the status bar:

[Image: the red eyeball privacy icon in the IE status bar]

For Intervals, we wanted it to disappear, simply because our application is a hosted solution and requires cookies in order to function properly. Implementing P3P allowed us to extend our normal HTML policy, while giving our customers a little more flexibility over which cookies they want to accept.

Our solution consisted of adding an HTTP P3P header which points to an XML policy reference file. The HTTP header itself also carries the compact version of the XML policy, which usually ends up looking something like:

"NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI NOI"

Each code corresponds to a specific statement in the full policy. NOI, for example, means: no personally identifiable information (PII) is collected.
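To make the header concrete, here is an added example (not code from the original post or from Intervals) that builds the P3P header value, splits the compact policy into its tokens, and flags tokens that are malformed, unknown, or carry a qualifier where the vocabulary does not allow one. The token groups and the a/i/o qualifiers are from the P3P 1.0 compact-policy vocabulary; the sample policy string is the one quoted above, and the policyref path "/w3c/p3p.xml" is an assumed, conventional location. The last function encodes only the first rule of the medium setting listed above (a third-party cookie with no compact policy is blocked); it does not reproduce IE's full evaluation.

```python
"""Build, parse and sanity-check a P3P header and its compact policy.

Added example, not the post's or Intervals' code. Token groups and the
a/i/o qualifiers follow the P3P 1.0 compact-policy vocabulary; the sample
policy string is the one quoted in the post; "/w3c/p3p.xml" is an assumed path.
"""
import re
from typing import Dict, List, Optional, Tuple

# Compact-policy tokens grouped by the P3P policy element they stand for.
TOKEN_GROUPS: Dict[str, str] = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "category": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "test": "TST",
}
GROUP_OF: Dict[str, str] = {t: g for g, toks in TOKEN_GROUPS.items() for t in toks.split()}

# Plain-language meaning of the tokens that appear in the post's sample policy.
MEANING: Dict[str, str] = {
    "NON": "no access to identified data", "DSP": "dispute-resolution procedure published",
    "ADM": "site administration", "DEV": "research and development",
    "PSD": "pseudonymous decision-making", "IVD": "individual decision-making",
    "OUR": "data stays with us and our agents", "IND": "retained indefinitely",
    "STP": "retained only for the stated purpose", "PHY": "physical contact information",
    "PRE": "preference data", "NAV": "navigation/click-stream data",
    "UNI": "unique identifiers", "NOI": "no identified data collected",
}

# A trailing qualifier is allowed on purpose tokens (except CUR) and recipient
# tokens (except OUR); it says whether the visitor can opt in/out of that use.
QUALIFIER = {"a": "always", "i": "opt-in", "o": "opt-out"}
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


def build_p3p_header(policyref: str, compact_policy: str) -> str:
    """Value of the HTTP 'P3P:' header: reference file plus compact policy."""
    return f'policyref="{policyref}", CP="{compact_policy}"'


def parse_p3p_header(value: str) -> Dict[str, Optional[str]]:
    """Pull policyref and CP out of a P3P header value (either may be absent)."""
    ref = re.search(r'policyref="([^"]*)"', value)
    cp = re.search(r'CP="([^"]*)"', value)
    return {"policyref": ref.group(1) if ref else None, "cp": cp.group(1) if cp else None}


def parse_compact_policy(cp: str) -> Tuple[List[dict], List[str]]:
    """Split a CP string into tokens; return (entries, problems found)."""
    entries, problems = [], []
    for raw in cp.split():
        m = TOKEN_RE.match(raw)
        if not m:
            problems.append(f"malformed token {raw!r}")
            continue
        token, qual = m.group(1), m.group(2)
        group = GROUP_OF.get(token)
        if group is None:
            problems.append(f"unknown token {token!r}")
            continue
        qualifiable = (group == "purpose" and token != "CUR") or (group == "recipient" and token != "OUR")
        if qual and not qualifiable:
            problems.append(f"qualifier {qual!r} not allowed on {group} token {token!r}")
        # An unqualified purpose/recipient token means "always" in a compact policy.
        consent = QUALIFIER[qual] if qual else ("always" if qualifiable else None)
        entries.append({"token": token, "group": group, "consent": consent,
                        "meaning": MEANING.get(token)})
    return entries, problems


def ie_medium_third_party_verdict(header_value: Optional[str]) -> str:
    """First rule of IE's medium setting as the post lists it: a third-party
    cookie whose response carries no compact policy is blocked."""
    if header_value is None or parse_p3p_header(header_value)["cp"] is None:
        return "blocked: third-party cookie without a compact policy"
    return "compact policy present: evaluated against the user's preferences"


if __name__ == "__main__":
    SAMPLE_CP = "NON DSP ADM DEV PSD IVDo OUR IND STP PHY PRE NAV UNI NOI"  # from the post
    header = build_p3p_header("/w3c/p3p.xml", SAMPLE_CP)
    print("P3P:", header)
    entries, problems = parse_compact_policy(parse_p3p_header(header)["cp"])
    for e in entries:
        print(f"  {e['token']:<4}{e['group']:<17}{e['consent'] or '':<8}{e['meaning'] or ''}")
    print("problems:", problems or "none")
    print(ie_medium_third_party_verdict(header))
    print(ie_medium_third_party_verdict(None))
```

Run as a script it prints the header, one line per token with its group and consent level (IVDo shows up as opt-out, ADM as always), then the verdict for a response with and without the header. The validation step is worth running on a freshly written CP string before deploying it: a typo such as a qualifier on a category token is silently ignored by browsers but means the compact policy no longer says what you intended.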

Implementation

There are many ways to get this implemented: you can either do it yourself or go the service route. I’d say the biggest task is getting your actual policy settings into an XML reference file. Visit some of the links below for more information, the implementations link especially.

Useful Links
