P3P, Cookies and IE6.0: A Case Study
The Compact Policy
Headers are pieces of information sent to the browser before the main page is evaluated. When a cookie is sent, it must be accompanied by a compact privacy policy so the user's browser can look at both, see if they marry up, and decide what to do. Get this bit right, and all but the toughest setting on your user's browser won't have a problem with your cookies.
Now, we don't need to go through the details of this, because the good folks at the Privacy Council offer an automated service that creates compact policies. They'll even email the result to you. Just register with them, select from a series of multiple choice questions about what your site does and doesn't do, and you're in business again.
Now, you need to know how to implement the compact policy into your pages. Again, I'll illustrate this point with the code I used for my own site.
In pure HTML pages, insert this code into the head section of your page:
<meta http-equiv="P3P" content='CP="IDC DSP COR CURa ADMa
OUR IND PHY ONL COM STA"'>
In PHP pages, insert this as the first thing on the page after the setting of the cookie:
<?php header('P3P: CP="IDC DSP COR CURa ADMa OUR IND
PHY ONL COM STA"'); ?>
For other server-side languages, see the link below titled "Header Creation".
Of course, don't just use the code above as-is. You need to go to the URL given below at the Privacy Council, and generate your own. Don't worry, it's straightforward and non-technical.
It's important to understand that only pages that place cookies need to have a CP. Form pages don't set cookies, so they don't need a policy. Remember that if you use a piece of JavaScript code to set a cookie for popup control, the page that calls the popup and does the cookie-setting will require a compact policy.
Some sites may need more than one policy. Why? Well, a policy describes what information is collected (and why) in a specific URL location. That can be the whole site, or specific folders on your site. While most of us will probably generate one policy for the whole site, it is possible to point to a different policy location in each header, on each page. You would do this if, for example, one section of your site allowed users to subscribe to your newsletter by providing their email addresses and first names, while the other offers a members' area that uses cookies to customize the browser's view. Perhaps you also provide a shopping cart that stores user status and personal information for use in processing the order.
If you need to point to another policy that has been generated to describe a specific use of cookies like this, you'll want to put one of the following headers on the page(s) that pass cookies to the visiting browser:
Firstly, using PHP:
<?php Header('P3P: href="/your_2nd_policy/p3p.xml"
CP="your compact policy"'); ?>
Now, using HTML:
<meta http-equiv="P3P" href="/your_2nd_policy/p3p.xml"
content='CP="your compact policy"'>
If, following these guidelines, you've built your own individual files, you can test them with the policy validator provided courtesy of the W3C at http://www.w3.org/P3P/validator.html
Who's Responsible?
Lastly, before you can call yourself an expert, you must be aware that all this P3P stuff still doesn't specify any sort of evaluation of compliance. A site may well be lying through its teeth about what it does with user data, but, if the policies are in order, the browser is happy. The policy must list a course of action for the user to take in the dispute resolution process, and in most cases, that can be the Direct Marketing Association.
Well, this was the soft introduction to the world of privacy compliance through P3P as defined by the W3C. If you have learned anything it should be that privacy issues can affect your site's operation and most certainly your user's attitude towards you and your business. Armed with this new knowledge, you will, I hope, turn away fewer visitors and make more sales. See the links below for more information.
