Cookies and Third Party Content - Part 2 of Chapter 5 from Web Privacy with P3P (1/4) | WebReference



Web Privacy with P3P, Chapter 5: Overview and Options

Analyzing the Use of Cookies and Third-Party Content

[The following is a continuation of our series of excerpts from the O'Reilly title, Web Privacy with P3P. -Ed.]

A thorough analysis of the use of cookies and third-party content on your web site can be tedious and time-consuming, but it is a good idea to do this to make sure that the statements you make in both your human-readable privacy policy and your P3P policy are accurate and that all the content on your web site will be covered by P3P policies. To conduct this analysis, you will first need to create a list of all of the web servers in your domain (or domains), including those on your internal intranet. Depending on the size and complexity of your web site, you may want to examine each server, ask the administrator of each server to respond to a survey, or use automated software tools to discover where and how cookies and third-party services are being used on your web site. After you complete your analysis, you may find that you need to change some of your practices or adjust your privacy policy.


Cookies (introduced in Chapter 2) can be used either to store data directly or as a key that allows data collected on separate occasions to be linked together. Several ways in which cookies that do not themselves contain personally identifiable information can nonetheless be linked to such information are explained below. To understand how this linkage occurs, keep in mind some basics of how cookies work. A web site sets a cookie by including a Set-Cookie header in an HTTP response. This header carries not only the cookie's name and value but also its expiration time, a domain, and a path. Before making a request, web browsers automatically check whether they hold any cookies whose domain and path match the request. If they find a matching cookie, they replay it by adding to the request a Cookie header containing the cookie's name and value.
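To make the set-and-replay behaviour concrete, here is an added example (not from the book) of a minimal cookie jar: it parses Set-Cookie headers, then computes the Cookie header a browser would send for a given URL by checking domain, path, and expiry. The host names, cookie names, and values are constructed for illustration.

```python
# Added example: minimal browser-style cookie jar (domain/path/expiry matching).
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie value into name, value, domain, path and expiry."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "path": "/",
              "domain": request_host.lower(), "host_only": True, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:   # Domain attribute: cookie covers subdomains too
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "expires" and val:
            exp = parsedate_to_datetime(val)
            cookie["expires"] = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
    return cookie

def domain_matches(cookie, host):
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def path_matches(cookie, path):
    cp = cookie["path"]   # prefix match on whole path segments only
    return path == cp or (path.startswith(cp) and (cp.endswith("/") or path[len(cp)] == "/"))

def cookie_header(jar, url, now):
    """Return the Cookie header a browser would replay for url, or None."""
    u = urlsplit(url)
    host, path = u.hostname.lower(), (u.path or "/")
    sent = [c for c in jar if domain_matches(c, host) and path_matches(c, path)
            and (c["expires"] is None or c["expires"] > now)]
    sent.sort(key=lambda c: -len(c["path"]))   # more specific paths first, as browsers do
    return "; ".join(f"{c['name']}={c['value']}" for c in sent) or None

# Constructed sample: cookies set earlier by two servers. "sid" is an opaque
# unique identifier of the kind the text describes, not personal data itself.
NOW = datetime(2002, 12, 30, 12, 0, tzinfo=timezone.utc)
JAR = [
    parse_set_cookie("sid=7f3c9a1e4b; Domain=example.com; Path=/; Expires=Thu, 01 Jan 2004 00:00:00 GMT", "www.example.com"),
    parse_set_cookie("cart=3; Path=/shop", "www.example.com"),
    parse_set_cookie("old=1; Expires=Tue, 01 Jan 2002 00:00:00 GMT", "www.example.com"),
    parse_set_cookie("track=z9; Domain=ads.example.net", "ads.example.net"),
]
```

Note that the expired `old` cookie is never replayed, and the `sid` cookie set with a Domain attribute is sent to every host under example.com, which is exactly what lets separate visits be linked to one customer record.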

Web sites that keep personally identifiable customer data set cookies that contain unique identifiers. These cookies generally contain long strings of numbers and letters that are meaningless to the user but that the web site can use to look up a customer's records. In some cases, the site may add information about a user's use of the web site each time he visits. Because this information gets linked to personally identifiable information via a cookie containing a unique identifier, the P3P policy for the cookie must declare the unique identifier, the personally identifiable information, and the site usage information.


Created: December 30, 2002
Revised: December 30, 2002