Cookies and Third Party Content - Part 2 of Chapter 5 from Web Privacy with P3P (4/4) | WebReference


Web Privacy with P3P, Chapter 5: Overview and Options

One Policy or Many?

The simplest way to deploy P3P on a web site is to translate the site's human-readable privacy policy into a single P3P policy and associate that policy with all of the site's content. However, some sites may find it advantageous to create multiple P3P policies.

Sites that have content that is created and maintained by multiple entities not all bound by the same policies should offer separate P3P policies corresponding to each entity's policy. For example, in an online shopping mall, each store might have its own privacy policy. In this case, each store should have its own P3P policy. In addition, companies that have different privacy policies for each of their business units should have multiple P3P policies. Sites that allow individuals to create their own web pages--for example, universities that allow students to post their own personal web pages--should be cautious about advertising a sitewide privacy policy unless they can be sure that it will be followed by all of the individuals with pages on that site.

Sites that handle data in different ways depending on the part of the site in which it was collected may want to post multiple P3P policies. For example, a site that has an area especially for children might want to post a special P3P policy for that area that reflects the site's policy for handling data from children (in the U.S. there are legal restrictions on the collection of data from children--see Chapter 2 for more information). Alternatively, sites may write their P3P policies to include all of their data practices for all parts of the site. Thus, if a site collects data for completing the current transaction on one page and for research and development on another, the site could declare both data-collection purposes in a single P3P policy posted on both pages.

The advantage of posting separate policies is that web site visitors are given only the data-collection information relevant to the pages they request. Thus, visitors need not be concerned about data collection that occurs several clicks into a site when they are viewing a site's home page, where minimal data collection occurs. However, some sites may prefer to present a consistent policy across the entire site, so that visitors are not surprised when they download a page that requests additional data. Furthermore, sites that choose to post multiple policies must be careful to associate the correct policy with each page as pages are updated over time. As P3P-aware web site management systems are created, tools may be developed that make it easier to ensure that the correct P3P policy is associated with each page.

If your site uses cookies, you should also declare a P3P policy for the cookies on your site. You can either declare the same policy for cookies as you do for the rest of your site or declare a different policy for cookies (or even a different policy for each cookie your site uses). Again, site management is simpler if you use the same policy for cookies as you do for the rest of your site. However, declaring different policies for cookies depending on their function allows users to make cookie-acceptance decisions separately for each cookie--thus, even if users object to some of the cookies on your site, they may not set their browser to reject all of them.

If you decide to declare different policies for cookies depending on their functions, be very careful that you fully understand the function of each cookie and the environment in which it may be replayed. As discussed in the previous section, if you set a cookie so that it will be replayed with any request to your web site, any application developer who works on your site might decide to take advantage of it and use it. If you set the cookie so that it can be returned to multiple hosts in your domain, the cookie may end up being used by applications running on computers of which you may not even be aware. Likewise, your cookies may be replayed with (and thus linked to) other cookies of which you are not aware. If you cannot be sure about where your cookies might be replayed or to what they might be linked, it is best to declare a single policy for all your cookies (and possibly your entire web site). In fact, this is what I recommend for most web sites.
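As an added illustration (not from the book), here is a P3P policy reference file that puts the choices discussed above into practice for a hypothetical site, www.example.com: a general policy for most pages, a separate policy for a children's area, the sitewide session cookie sharing the general policy, and a distinct policy for one narrowly scoped cookie. The policy file path /P3P/policies.xml, the policy names and the cookie names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed policy reference file for a hypothetical site, www.example.com.
     It maps three P3P policies (named "general", "kids" and "prefs" in the
     assumed policy file /P3P/policies.xml) to parts of the site and to cookies. -->
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <!-- User agents may cache this mapping for one week (604800 seconds). -->
    <EXPIRY max-age="604800"/>

    <!-- Sitewide policy for every page except the children's area.
         Within a POLICY-REF, EXCLUDE takes precedence over INCLUDE, so the
         exclusion is stated explicitly rather than relying on overlapping
         INCLUDE patterns in two POLICY-REF elements. -->
    <POLICY-REF about="/P3P/policies.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/kids/*</EXCLUDE>
      <!-- The session cookie is replayed with every request to the site, so
           it is covered by the same policy as the pages, not a narrower one. -->
      <COOKIE-INCLUDE name="session" value="*" domain="www.example.com" path="/"/>
    </POLICY-REF>

    <!-- Separate policy for the children's area, reflecting the site's
         practices for data collected from children. -->
    <POLICY-REF about="/P3P/policies.xml#kids">
      <INCLUDE>/kids/*</INCLUDE>
    </POLICY-REF>

    <!-- A per-cookie policy. This is only defensible because the cookie is
         scoped to a single host and path, so it cannot be replayed to other
         hosts in the domain or picked up by unrelated applications. -->
    <POLICY-REF about="/P3P/policies.xml#prefs">
      <COOKIE-INCLUDE name="prefs" value="*" domain="www.example.com" path="/account/"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
```

P3P-aware user agents fetch this file from the well-known location /w3c/p3p.xml (or from a location named in a P3P HTTP response header or an HTML link element) before deciding how to treat a page or cookie.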


Created: December 30, 2002
Revised: December 30, 2002