P3P, Cookies and IE6.0: A Case Study


This topic is not dear to my heart. Nevertheless, I think it’s one of the most important issues facing Webmasters today. It’s privacy.

As an Internet user, I’m reasonably concerned with privacy. Of course, I don’t want my address sold to unscrupulous spammers, but, like most, I don’t always read the privacy policies of the sites I visit.

A Website’s users are its lifeblood, especially in the game of Internet marketing and online business. So, it’s vitally important that we treat the privacy requirements of our sites with the attention they demand.

Don’t worry — I’m not going to bore you with a thesis here; I’ll just give you the quick answers. Read this article, and update your site with the techniques you learn here. Then, if you choose to find out more from the resources I’ve listed below, you’ll be better prepared than most to handle changes in the area of consumer privacy online. At the very least, you will have complied with the rules. And, for some, there will be spinoffs that actually increase your traffic. More on that later, though.

Privacy Compliance — Who Cares?

Microsoft, as we know, dominates the market with its Internet Explorer browser, so, generally, we all sit up and take notice of anything MS does. With the latest version (IE6.0), MS redefined the way the browser reacts to cookies, basing its decisions on the new W3C (World Wide Web Consortium) standard for P3P (the Platform for Privacy Preferences Project).

As this article is written by a layman for other laymen and women, I’ll deliberately keep this discussion light. If you want to talk tech and get the tools I refer to along the way, visit the links at the end of the article.

Suffice to say that MS IE6.0 has redefined the browser's cookie settings. It added a Privacy tab, separate from the old security zones, whose slider defaults to Medium; the kind of cookie scrutiny an IE5 user would have had to switch on deliberately, IE6 now applies out of the box. The browser of course allows the user to change these settings and, indeed, to override them for individual sites, but to the hordes of users out there who are struggling with the basic concept of cookies, this represents nothing less than a new barrier to accessing online content.

Many sites — even large, highly-trafficked ones — do not appear to have privacy policies that comply with the new P3P standards. If you use IE, you can tell this when you arrive at those sites, as an ‘eyeball’ with a red ‘minus’ sign appears in the status bar of your browser. The first time a user tries to use IE6.0 to access a site that doesn’t have a compliant privacy policy, a warning dialogue appears. This is scary stuff to new users — your users. If they check the box that says ‘don’t alert me about this again’, the magic eye starts to appear instead. Though this is a downgraded alert, it’s still unsettling enough to make those who don’t know or trust the Internet feel a little more suspicious of a site’s contents — perhaps your site’s contents.

You can see where we’re headed with this. As marketers on the Internet, our task is to gain the trust of our customers and provide them with a pleasant and valuable experience that leads to a purchase. Hey, business is business, right? And that trust could be quickly eroded by a browser on the alert rampage — before you even know what’s happening.

How many thousands of people may have come to your site already and experienced the dreaded ‘minus eyeball’ or even a fully blown ‘batten down the hatches, this site is nasty!’ warning? Don’t worry, I’ll show you how to fix the problem in just a moment.

It gets worse for owners of many domains that frame URLs, forwarding their visitors to one main server. This is in fact what led me to start investigating the whole P3P issue for myself, and to pen this article on P3P quick-compliance.

The P3P Problem Gets Personal

I recently registered the domain yousmartass.com for a new online venture with my partner Mitch Baldwin. As I already had two large host servers with enough room to swing many cats, I chose to forward the domain yousmartass.com to my already-hosted domain, free-agent-path.info.

I coded all the pages and created a privacy policy from an existing statement that I edited to suit my needs. Many people take this approach, even though you can get a policy made specifically for your site for free — more on that in a minute.

I decided the best and fastest way to allow access to my site was to use a cookie as the ticket for entry. Users would have a cookie placed on their machine when they entered their contact details as part of the site’s software download process. It worked on paper, so I tried it myself.

The redirect from yousmartass.com to the specified folder on free-agent-path.info worked as expected. Once I’d entered my name and email address, my machine was offered a cookie, which was accepted automatically and I was granted access. So … where’s the problem?

The problem is that my own browser wasn't running the Medium setting that is now the default. I found out the hard way that hundreds of visitors were being turned away when my software page didn't see a cookie that had quite obviously never been placed. It wasn't placed on the user's machine because the site sent no machine-readable privacy policy along with it, and at the Medium setting the browser's rule is that a third-party cookie arriving without a compact policy is rejected outright.

And mine were third-party cookies, though I hadn't thought of them that way. Because yousmartass.com framed the content from free-agent-path.info, the top-level document the visitor saw belonged to one domain while the cookies were set by another, and IE6 treats a cookie from any domain other than the one in the address bar as third-party. The rules for third-party cookies are tougher than those for first-party ones, and mine certainly weren't being accepted in the spirit in which they were offered. Death by cookies seemed the order of the day.

The stringent cookie standards are there to stop shady individuals and companies from learning things about you without your consent, as you surf innocently on a host site. It’s particularly supposed to protect users from third party sites that host advertisements that suck your personal info. Ever tried switching your settings so that you’re prompted each time a cookie is placed through your browser? You can do it in Tools -> Internet Options -> Privacy -> Advanced. Then go somewhere like howstuffworks.com. You can see why we need the privacy thing — at the very least, so that we aren’t constantly swatting at dialogue boxes all day!

I had to figure a way to get the browsers to relax on this third-party cookie issue and start accepting them, otherwise, many of my visitors would be left out in the cold. In fact, they already were! I was, at the time, receiving countless emails from people pleading to get in, some having tried more than 4 times on different occasions.

Your Own P3P Privacy Policy

Let’s go back a few steps. What exactly is a privacy policy? It’s four things, really.

First, it’s a human-readable statement of the information you collect about visitors to your site, and what you intend to do with that information. This should be plainly visible to the user, usually linked to the homepage (typically in the footer) and other key pages of the site.

The second aspect of having a P3P-compliant privacy policy involves hosting a full policy in XML (Extensible Markup Language), which records the particulars of your business address and contact details, the location of your human-readable privacy policy, the actions a user can take if they feel their privacy has been breached, and the types of user data that are collected, why, who receives them and how long they are kept.

The third piece is the policy reference file. It tells the browser which policy applies to which parts of your site, and where the policy file lives. Browsers look for it at what the specification calls the well-known location: a folder named w3c at the top level of your site, containing a file named p3p.xml, so that it answers at www.your_domain/w3c/p3p.xml. Top level means the first level inside your HTML document root, not outside it the way cgi-bin often sits. The policy file itself is usually kept in the same folder and can have any name, because the reference file points to it.

Both of these files are XML documents, but you needn't rush out and buy the Idiot's Guide just yet; help is at hand. IBM has come to the party with a Java application that runs on your own machine and is supposed to walk you through everything required for you to achieve compliance. Enter your intentions in one end, and out come the goods at the other! All for free.

In reality, though, it’s not quite as simple as it sounds. The procedure involves dragging instances of information collection from your site (defined in the left window) across to the right window, which is your active policy. As the instances hit the right window, they’re incorporated into the profile. And, as the profile grows, it also generates a written privacy policy.

However, the site owner must go into a menu and click through a number of tabs, entering specific company and/or individual information such as business address, phone number and email contact. There are a small number of other steps to take before the process is complete. The combination of the messages on the tool's error page and some general menu snooping leads you to create the policy reference file without too much work.

The finished files can be saved to the w3c folder on your server, as described earlier. Keep the reference file's name as p3p.xml, since www.your_domain/w3c/p3p.xml is the only place a browser looks for it without being told; the policy file can carry whatever name the reference file points at (privacy_policy.xml, say). If the generator saved the reference file under another name, rename it, or announce its real location with the header described further down.

Fourth, and of particular interest to sites that use cookies, is the compact policy, or CP. This is a short, machine-readable summary of the full policy, sent as an HTTP response header rather than as a file; each three-letter token stands for one element of the full policy. The IBM policy generator derives it from the full policy for you.

But, and here's the good news, the only thing you need immediately to stop IE6 at its default Medium setting from blocking your cookies is the compact policy. Stricter settings look harder at what the policy declares, and the "Block All Cookies" setting ignores it entirely, but those are deliberate choices on the user's part, not the default. Let's see how it works.

The Compact Policy

Headers are pieces of information the server sends ahead of the page body. A Set-Cookie header should travel with a P3P header carrying the compact policy, so the browser can read the policy's tokens and check them against the user's privacy setting before deciding whether to keep the cookie. IE6 makes that decision from the compact policy alone; the full XML policy is what it fetches when a user asks for a Privacy Report. Get this bit right, and all but the strictest settings will have no problem with your cookies.

Now, we don’t need to go through the details of this, because the good folks at the Privacy Council offer an automated service that creates compact policies. They’ll even email the result to you. Just register with them, select from a series of multiple choice questions about what your site does and doesn’t do, and you’re in business again.

Now, you need to know how to implement the compact policy into your pages. Again, I’ll illustrate this point with the code I used for my own site.

Many tutorials show the compact policy in a meta tag in the head section of an HTML page:

<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'>

Be warned, though: the P3P specification defines the compact policy as an HTTP response header, and IE6 does not read it from a meta element, so this form on its own will not stop your cookies being blocked. For static HTML pages, have the web server add the header instead (Apache's mod_headers can do it; the "Header Creation" link below covers other servers). The header line the browser actually needs looks like this:

P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"

In PHP pages, put this at the very top of the script, before a single byte of output (not even a blank line or a byte-order mark). It can go before or after setcookie(), because both calls just add HTTP headers, but both must precede the first HTML:

<?php
// header() and setcookie() both emit HTTP headers, so nothing may have been
// output yet; the cookie name and lifetime here are only placeholders.
header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');
setcookie('access', '1', time() + 86400, '/');
?>

For other server-side languages, see the link below titled “Header Creation”.

Of course, don’t just use the code above as-is. You need to go to the URL given below at the Privacy Council, and generate your own. Don’t worry, it’s straightforward and non-technical.

It's important to understand that a compact policy is needed on every response that sets a cookie, and only those. That includes responses you might not think of as cookie-setters: a PHP page that calls session_start() sends a session cookie and needs the header just as much as one that calls setcookie(). A plain form page that sets nothing needs no CP, though the data it collects still belongs in your full policy. And if a piece of JavaScript sets a cookie (for popup control, say), the page whose script does the setting is the one that must carry the compact policy, because the browser applies that page's CP to script-set cookies.
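To make the header mechanics concrete, here is an added example in Python; it is not code from the article and not the output of any generator the article names. It tokenizes a compact policy against the P3P 1.0 token list, assembles the P3P response header in the syntax the specification uses (policyref, then CP, comma separated), and classifies a cookie as first- or third-party the way the frame-forwarding setup above makes it third-party. The hostnames and cookie value are constructed, the minimal-domain comparison is a simplification of IE6's, and the only Medium-setting rule modelled is the one the article runs into.

```python
"""Added example (not from the article, not generated by the tools it names):
compact-policy parsing, P3P header construction, and the first-/third-party
test that tripped the frame-forwarded site. Hostnames are constructed."""

# Compact-policy tokens from the P3P 1.0 Recommendation, grouped by the
# element of the full XML policy that each three-letter token abbreviates.
CP_GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non_identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                 "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
TOKEN_GROUP = {tok: grp for grp, toks in CP_GROUPS.items() for tok in toks}
# Only purposes and recipients take a consent suffix:
# a = always, i = opt-in, o = opt-out (so "ADMa" is fine but "PHYa" is not).
SUFFIX_GROUPS = {"purpose", "recipient"}


def parse_compact_policy(cp):
    """Return {group: [(token, suffix), ...]}; raise ValueError on bad input."""
    parsed = {}
    for raw in cp.split():
        token, suffix = raw, ""
        if len(raw) == 4 and raw[3] in "aio":
            token, suffix = raw[:3], raw[3]
        group = TOKEN_GROUP.get(token)
        if group is None:
            raise ValueError(f"unknown compact-policy token: {raw!r}")
        if suffix and group not in SUFFIX_GROUPS:
            raise ValueError(f"{token} ({group}) takes no consent suffix")
        parsed.setdefault(group, []).append((token, suffix))
    return parsed


def is_valid_compact_policy(cp):
    try:
        parse_compact_policy(cp)
        return True
    except ValueError:
        return False


def p3p_header_value(cp, policyref=None):
    """Value for the P3P response header: optional policyref, then CP.

    This is the syntax from the specification (keyword policyref, directives
    comma separated), not the href= form some tutorials show. Refuses to
    emit a header whose CP would not parse."""
    parse_compact_policy(cp)
    parts = []
    if policyref:
        parts.append(f'policyref="{policyref}"')
    parts.append(f'CP="{cp}"')
    return ", ".join(parts)


def minimal_domain(host):
    """Last two labels of a hostname. A simplification of the 'minimal domain'
    IE6 compares; it ignores two-label public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_third_party(top_level_host, cookie_host):
    """True when the cookie's host lies outside the top-level document's
    minimal domain. When yousmartass.com frames free-agent-path.info, the
    address bar shows the former and the cookie comes from the latter."""
    return minimal_domain(top_level_host) != minimal_domain(cookie_host)


def ie6_medium_verdict(top_level_host, cookie_host, has_compact_policy):
    """The Medium-setting rule the article ran into: a third-party cookie
    with no compact policy is rejected. Medium also judges the content of a
    CP (identifiable data collected without consent); not modelled here."""
    if is_third_party(top_level_host, cookie_host) and not has_compact_policy:
        return "blocked"
    return "accepted"


if __name__ == "__main__":
    CP = "IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
    print(p3p_header_value(CP, "/w3c/p3p.xml"))
    # Constructed scenario from the article: framed domain, cookie from the host.
    for has_cp in (False, True):
        print("CP sent" if has_cp else "no CP",
              ie6_medium_verdict("yousmartass.com", "free-agent-path.info", has_cp))
```

Run it and the second verdict line shows the fix in one word: the same cookie from the same framed host goes from "blocked" to "accepted" once a compact policy accompanies it. The token table is also a cheap sanity check for a CP string you have pasted in from a generator, since a mistyped token or a suffix on a category token is rejected before it ever reaches a header.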

Some sites need more than one policy. Why? Well, a policy describes what information is collected (and why) in a specific URL location; that can be the whole site or particular folders. The policy reference file is where that mapping lives: it can point one section of the site at one policy and another section at a second, using INCLUDE and EXCLUDE patterns, so most sites need only the single reference file at the well-known location even when they carry several policies. You would want separate policies if, for example, one section lets users subscribe to your newsletter by providing their email addresses and first names, another is a members' area that uses cookies to customize the browser's view, and a third is a shopping cart that stores user status and personal information for processing the order.

If you keep a reference file somewhere other than the well-known location (a second reference file for one section, say), the pages that set cookies under it must tell the browser where it is. Put one of the following on the page(s) that pass cookies to the visiting browser:

Firstly, using PHP:

<?php header('P3P: policyref="/your_2nd_policy/p3p.xml", CP="your compact policy"'); ?>

Now, using HTML. A page can only announce the reference file this way, with a link element in the head section; the compact policy itself still has to arrive in an HTTP header, as described above:

<link rel="P3Pv1" href="/your_2nd_policy/p3p.xml">
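The point that one reference file can hand different sections of a site to different policies, as an added example in Python that is not part of the original article and not the output of the W3C or IBM tools: a constructed policy reference file covering a newsletter section, a shop, a members' area and a catch-all, plus a resolver that answers which policy covers a given URL or cookie the way a P3P user agent reads the file. The paths, policy names and cookie name are invented for illustration; the element names and namespace are those of P3P 1.0. First matching POLICY-REF wins, which is this example's tie-break, so the file is ordered most-specific first.

```python
"""Added example (not from the article or the W3C/IBM tools): a constructed
policy reference file mapping sections of one site to different policies,
and a resolver that answers "which policy covers this URL or cookie?".
Paths, policy names and the cookie name are invented; the element names
and namespace are those of P3P 1.0."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# What /w3c/p3p.xml would hold. Most-specific sections first; the
# catch-all /* comes last. The members section also claims its cookie by
# name, which is how P3P 1.0 covers a cookie independently of the URL.
REFERENCE_FILE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/newsletter.xml#newsletter">
      <INCLUDE>/newsletter/*</INCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/shop.xml#cart">
      <INCLUDE>/shop/*</INCLUDE>
      <EXCLUDE>/shop/help/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/members.xml#members">
      <INCLUDE>/members/*</INCLUDE>
      <COOKIE-INCLUDE name="member" domain="*" path="*"/>
    </POLICY-REF>
    <POLICY-REF about="/w3c/privacy_policy.xml#general">
      <INCLUDE>/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""


def _tag(name):
    return "{%s}%s" % (P3P_NS, name)


def _matches(pattern, value):
    """P3P patterns use '*' as their only wildcard; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def load_policy_refs(xml_text):
    """Parse the reference file into a list of dicts, in document order."""
    root = ET.fromstring(xml_text)
    refs = []
    for ref in root.iter(_tag("POLICY-REF")):
        refs.append({
            "policy": ref.get("about"),
            "include": [e.text.strip() for e in ref.findall(_tag("INCLUDE"))],
            "exclude": [e.text.strip() for e in ref.findall(_tag("EXCLUDE"))],
            # COOKIE-INCLUDE attributes default to "*" (match anything).
            "cookies": [(c.get("name", "*"), c.get("domain", "*"), c.get("path", "*"))
                        for c in ref.findall(_tag("COOKIE-INCLUDE"))],
        })
    return refs


def policy_for_url(refs, path):
    """Policy covering a request path: the first POLICY-REF with a matching
    INCLUDE and no matching EXCLUDE. First match wins is this example's
    tie-break, hence the specific-first ordering of the file above."""
    for ref in refs:
        included = any(_matches(p, path) for p in ref["include"])
        excluded = any(_matches(p, path) for p in ref["exclude"])
        if included and not excluded:
            return ref["policy"]
    return None


def policy_for_cookie(refs, name, domain, path):
    """Policy claiming a cookie by name/domain/path; None if no POLICY-REF
    claims it, in which case the URL rules decide. The value pattern that
    COOKIE-INCLUDE can also constrain is ignored here."""
    for ref in refs:
        for n, d, p in ref["cookies"]:
            if _matches(n, name) and _matches(d, domain) and _matches(p, path):
                return ref["policy"]
    return None


if __name__ == "__main__":
    refs = load_policy_refs(REFERENCE_FILE)
    for url in ("/newsletter/signup.php", "/shop/cart.php",
                "/shop/help/faq.html", "/members/area.php", "/index.html"):
        print(url, "->", policy_for_url(refs, url))
    print("cookie member ->",
          policy_for_cookie(refs, "member", "free-agent-path.info", "/"))
```

The EXCLUDE on the shop section is the detail worth noticing: /shop/help/ pages fall through to the general policy, so help pages that set no cookies and collect nothing are not saddled with the cart's declarations. Whatever ordering and matching you rely on, run the finished file through the W3C validator linked below rather than trusting a resolver like this one.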

If, following these guidelines, you’ve built your own individual files, you can test them with the policy validator provided courtesy of the W3C at https://www.w3.org/P3P/validator.html

Who’s Responsible?

Lastly, before you can call yourself an expert, you must be aware that nothing in P3P checks whether a site actually does what its policy says. A site may well be lying through its teeth about what it does with user data, but if the policy files are well-formed and the compact policy is acceptable, the browser is happy; holding a site to its word is a matter of law and contract, not of software. The policy must name a course of action for a user who believes their privacy has been breached, and for many sites that will be the Direct Marketing Association listed below.

Well, this was the soft introduction to the world of privacy compliance through P3P as defined by the W3C. If you have learned anything, it should be that privacy issues can affect your site's operation and, most certainly, your users' attitude towards you and your business. Armed with this new knowledge, you will, I hope, turn away fewer visitors and make more sales. See the links below for more information.

Tools

AlphaWorks IBM Full Policy Generator

Privacy Council Compact Policy Generator

Resources

How To Make Your Site Compliant In Six Easy Steps
https://www.w3.org/P3P/usep3p.html

A Simple Technical Overview
http://www.phpmytools.org/pmt2003/topics.php/article_id/23/pos/0

A More Detailed Technical Overview
http://tech.irt.org/articles/js111

Compact Privacy Policy Info
http://www.p3pwriter.com/LRN_111.asp

Technical Definitions
http://www.p3pwriter.com/LRN_000.asp

Header Creation
http://www.privacycouncil.com/implementation.php

WWW Consortium Mission
https://www.w3.org/Consortium/Points

Dispute Resolution

Direct Marketing Association
http://www.the-dma.org

Nicholas Fehlberg

Nicholas is a Website designer with a special interest in Internet marketing. He also specializes in audio for the Web, and is co-creator of the free online plain-text formatting tool, SMARTass.
