The Right Party To Talk To About Practices Is The Party Undertaking The Practice
This "ask them, not us" type of policy may seem harsh, but it is an unfortunate by-product of the way the web is built. In many ways the web is the greatest extension of the specialization seen in the industrial revolution. It is almost never the case that a web page comes to you from a single provider; rather, each component of that page (visible or not) comes from the provider best able to serve that niche.
This means that embedded video will come from video providers. Analytics will come from analytics providers. Images may come from 3rd party providers. Content may come from partner or affiliate sites or from Content Distribution Networks, and advertising may come from a slew of 3rd party providers including publisher tool providers, ad networks, ad exchanges, advertiser tool providers, buy-side providers and rich media providers, just to name a few. All of these parties typically have the opportunity to collect data and to set and receive cookies.
When we visit a typical content site, like a newspaper or other information site, we can expect dozens of different data collectors to which our browser will send information, including our IP address, any related cookies, our browser version and so on. These collectors change moment by moment and from page to page, making it a practical impossibility for us to make informed decisions as to whom we communicate with, whom we share data with and whose cookies we accept.
P3P has a predefined schema, but its design allows for extensibility.
P3P declarations can be made in one of two ways, depending on the data covered. For standard data collection, the policy is presented in an XML file which a browser can find automatically in a number of prescribed and easily implementable ways. Additionally, shorthand policies called Compact Policies, which relate only to cookies, can be expressed directly through a special header called the P3P header. An example of such a header would be:
P3P: CP="CUR PSAo PSDo ADMa OUR ONL UNI COM INT DEM STA PRE DSP COR NON BUS"
Such a policy imparts, among other things, that the cookie is unique (UNI) and is used for pseudonymous analysis (PSA) and decisioning (PSD), that no access is provided (NON) to the information, and that the data is not shared with external parties (OUR). It also imparts, by omission, that prima facie Personal Data like name and address are not stored in or linked to the cookie.
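The following is an added example, not code from the original article: it parses a P3P compact-policy header into its token groups and applies a deliberately simplified version of the browser default described below (accept a third-party cookie if the policy declares no prima facie personal data, or if every non-essential use of it carries an opt-in or opt-out). The choice of which categories count as identifying (PHY, ONL, GOV, FIN) and which purposes count as core operation (CUR, ADM, DEV) is an assumption of this example, not a statement of Internet Explorer's exact logic.

```python
import re
# Compact-policy token vocabulary from the P3P 1.0 specification.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
              "STA", "HEA", "PRE", "LOC", "GOV", "OTC"}
# Access, retention, dispute/remedy and test tokens carry no consent suffix.
FLAGS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "NOR", "STP", "LEG", "BUS", "IND",
         "DSP", "COR", "MON", "LAW", "NID", "TST"}
# Assumption: these categories are treated as prima facie personal data.
IDENTIFYING = {"PHY", "ONL", "GOV", "FIN"}
# Assumption: purposes needed just to operate the service are exempt from the opt-out test.
CORE_PURPOSES = {"CUR", "ADM", "DEV"}

def parse_cp(header):
    """Parse a 'P3P: CP="..."' header. Purpose and recipient tokens keep their
    consent suffix ('a' = always, 'i' = opt-in, 'o' = opt-out; none means 'a').
    Returns None when the header carries no compact policy at all."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header or "")
    if not m:
        return None
    groups = {"purpose": [], "recipient": [], "category": [], "flag": [], "unknown": []}
    for tok in m.group(1).split():
        base, suffix = tok[:3].upper(), tok[3:].lower()
        if base in PURPOSES and suffix in ("", "a", "i", "o"):
            groups["purpose"].append((base, suffix or "a"))
        elif base in RECIPIENTS and suffix in ("", "a", "i", "o"):
            groups["recipient"].append((base, suffix or "a"))
        elif suffix == "" and base in CATEGORIES:
            groups["category"].append(base)
        elif suffix == "" and base in FLAGS:
            groups["flag"].append(base)
        else:
            groups["unknown"].append(tok)  # malformed or unrecognised token
    return groups

def is_satisfactory(policy):
    """Simplified rule (assumption, not IE's exact logic): acceptable if no identifying
    category is declared, or if every non-core purpose and every recipient other than
    OUR is opt-in or opt-out. A missing or malformed policy is never acceptable."""
    if policy is None or policy["unknown"]:
        return False
    if not set(policy["category"]) & IDENTIFYING:
        return True
    purposes_ok = all(b in CORE_PURPOSES or s in "io" for b, s in policy["purpose"])
    recipients_ok = all(b == "OUR" or s in "io" for b, s in policy["recipient"])
    return purposes_ok and recipients_ok

# The header quoted above, reused as sample input.
PAGE_HEADER = 'P3P: CP="CUR PSAo PSDo ADMa OUR ONL UNI COM INT DEM STA PRE DSP COR NON BUS"'
```

Under this rule the quoted header passes because its only identifying category (ONL) is used for core operation or for purposes that carry an opt-out, and data stays with the first party (OUR).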
Equally, more complete and detailed statements may be made in XML, in a format that likely goes beyond the scope of this discussion. Importantly, what P3P offers (with the help of browser makers) is the ability for users to exert their preferences in real time as they face an otherwise impractical number of human-readable policies with no real way of even identifying who the parties are!
Today P3P is only directly incorporated in Internet Explorer. Under its default setting, IE looks for the presence of a Compact Policy which claims either not to collect and use prima facie personal information or, if it does, to offer at least an opt-out for such a cookie (where the cookie is set in a 3rd party context). This is obviously a helpful first step but has been partially thwarted on a number of fronts:
While the specific future of P3P remains unclear, what is clear is that if consumers are to be confronted with numerous data collectors as they browse web content, where those data collectors' practices cannot be accurately disclosed by the 1st party site, there seemingly needs to be some mechanism in place to close the gap between reality and consumer expectation.