Cookies and Third Party Content - Part 2 of Chapter 5 from Web Privacy with P3P (4/4)
Web Privacy with P3P, Chapter 5: Overview and Options
Sites that handle data in different ways depending on the part of the site in which it was collected may want to post multiple P3P policies. For example, a site that has an area especially for children might want to post a special P3P policy for that area that reflects the site's policy for handling data from children (in the U.S. there are legal restrictions on the collection of data from children--see Chapter 2 for more information). Alternatively, sites may write their P3P policies to include all of their data practices for all parts of the site. Thus, if a site collects data for completing the current transaction on one page and for research and development on another, the site could declare both data-collection purposes in a single P3P policy posted on both pages.
The advantage of posting separate policies is that web site visitors are given only the data-collection information relevant to the pages they request. Thus, visitors need not be concerned about data collection that occurs several clicks into a site when they are viewing a site's home page, where minimal data collection occurs. However, some sites may prefer to present a consistent policy across the entire site, so that visitors are not surprised when they download a page that requests additional data. Furthermore, sites that choose to post multiple policies must be careful to associate the correct policy with each page as pages are updated over time. As P3P-aware web site management systems are created, tools may be developed that make it easier to ensure that the correct P3P policy is associated with each page.
If you decide to declare different policies for cookies depending on their functions, be very careful that you fully understand the function of each cookie and the environment in which it may be replayed. As discussed in the previous section, if you set a cookie so that it will be replayed with any request to your web site, any application developer who works on your site might decide to take advantage of it and use it. If you set the cookie so that it can be returned to multiple hosts in your domain, the cookie may end up being used by applications running on computers of which you may not even be aware. Likewise, your cookies may be replayed with (and thus linked to) other cookies of which you are not aware. If you cannot be sure about where your cookies might be replayed or to what they might be linked, it is best to declare a single policy for all your cookies (and possibly your entire web site). In fact, this is what I recommend for most web sites.
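To check where each cookie may be replayed before deciding on per-cookie policies, the following added example (not code from the book) resolves each Set-Cookie header to its scope and lists which cookies travel together on each request. It models only Domain and Path matching as specified in RFC 6265; the hosts, paths and cookie names are constructed sample data.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: (URL that sent the header, Set-Cookie value).
SET_COOKIES = [
    ("https://www.example.com/checkout/pay", "cart=c1; Path=/checkout"),
    ("https://www.example.com/", "prefs=p1; Domain=example.com; Path=/"),
    ("https://www.example.com/research/survey", "panel=r1"),
]
REQUESTS = [
    "https://www.example.com/",
    "https://www.example.com/checkout/confirm",
    "https://www.example.com/research/results",
    "https://ads.example.com/banner",
]

def cookie_scope(origin_url, header):
    """Resolve a Set-Cookie header to (name, domain, host_only, path)."""
    origin = urlsplit(origin_url)
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lstrip(".").lower()
    host_only = not domain  # no Domain attribute: only the setting host gets it back
    path = morsel["path"]
    if not path.startswith("/"):  # default path: directory of the setting URL
        path = origin.path[:origin.path.rfind("/")] or "/"
    return name, domain or origin.hostname, host_only, path

def replayed_with(scope, request_url):
    """True if the browser would attach the cookie to this request."""
    _, domain, host_only, path = scope
    req = urlsplit(request_url)
    host, rpath = req.hostname, req.path or "/"
    domain_ok = host == domain or (not host_only and host.endswith("." + domain))
    path_ok = rpath == path or (
        rpath.startswith(path) and (path.endswith("/") or rpath[len(path)] == "/"))
    return domain_ok and path_ok

def replay_map(set_cookies=SET_COOKIES, requests=REQUESTS):
    """Map each request URL to the cookie names sent (and so linkable) together."""
    scopes = [cookie_scope(url, hdr) for url, hdr in set_cookies]
    return {r: sorted(s[0] for s in scopes if replayed_with(s, r)) for r in requests}

if __name__ == "__main__":
    for url, names in replay_map().items():
        print(f"{url:45} {', '.join(names)}")
```

In the sample, the domain-wide `prefs` cookie reaches `ads.example.com` and is sent alongside both `cart` and `panel`, so a policy written for it has to cover every one of those contexts.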
Created: December 30, 2002
Revised: December 30, 2002