The Trouble With Standard Privacy Policies

As I visit my home town newspaper online and read 5 pages, I note today that I have had 67 unique cookies set from 20 different domains! How as a practical matter am I to make informed decisions about these cookies as they are usually set and replayed prior to my ability to even know they are there. Even if I didn't come to the site through its home page but instead went directly to the site's privacy policy (which itself may contain 3rd party data collectors), I would likely find no mention of most of the 20 different domains or any usable information about what those 67 cookies are used to do, by whom and with whom their data is shared. Further, even if such information was available, I would spend far more time reading the policies of these 67 cookies than I had initially intended to spend reading the scores of my local teams (the reason I came to the site in the first place). Complicating the matter further is that even if the privacy policy was able to to provide information about the 20 entities and the 67 cookies, this could change on a moments notice as the parties involved in building content and ads on a website are in constant flux. As it turns out, publishers rarely know who is collecting data on their site, with whom those parties share data and/or what is known about users visa vi those parties understanding of the data once it is in their hands. For this reason publishers are rarely the best party to be informing you about what 3rd parties are doing on their site. The right person to ask is the 3rd party!.

The Right Party To Talk To Practices Is The Party Undertaking The Practice
This "ask them not us" type policy may seem harsh, but it is an unfortunate bi-product of the entire web system. In many ways the web is the greatest extension of the specialization seen in the industrial revolution. It is almost never the case that a web page comes to you from one provider, but rather that each component of that page (visible or not) comes from the provider best able to service that nitch.

This means that embedded video will come from video providers. Analytics will come from analytics providers. Images may come from 3rd party providers. Content may come from partner or affiliate sites or from Content Distribution Networks and Advertising may come from a slew of 3rd party providers including: publisher tool provider, ad networks, ad exchanges, advertiser tool providers, buy side providers, richmedia providers just to name a few. All of these parties typically have the opportunity to collect data and set and receive cookies.

When we visit a typical content site, like a news paper or other information site, we may expect that there are dozens of different data collectors that my browser will send information to including, my IP address, any related cookies, my browser version etc. These collectors will change moment by moment and from page to page making it a practical impossibility for me to make informed decisions as to whom I choose to communicate with, whom I should share data with and whom I should accept cookies from.

What Is P3P?

P3P, the Platform for Privacy Preferences, is an effort by the W3C to standardize the communication of privacy practices into a machine readable format which could then allow automated decisions about information sharing by the web browser. In a nutshell P3P should allow a data collector to make claims with respect to that collectors policies including:
  • The Purpose for which data is collected
  • The type of Categories of data collected
  • The parties who become Recipients of such data
  • The Retention of such data
  • The Access a customer has to their collected data
  • The Remedies the consumers have available to redress grievances

P3P has a predefined schema, its design allows for extensibility.

P3P declarations can be made in one of 2 ways depending on the data covered. For standard data collection, the policy is presented in an XML file which can be automatically found by a browser a number of prescribed and easily implementable manners. Additionally, shorthand policies called Compact Policies which relate only to cookies can be expressed directly through a special header called the P3P: header. An example of such header would be:


Such a policy would impart information including that cookie is unique (UNI) and used for pseudonymous analysis (PSA) and decisioning (PSD), there is no access provided (NON) to the information and that the data the data is not shared with external parties (OUR). It also imparts, by omission, that prima facie Personal Data like name and address are not stored in or linked to the cookie.

Equally more complete and detailed statements may be made in XML in a format that likely goes beyond the scope of this discussion. Importantly what P3P offers (with the help of browser creators) is the ability for a user to exert his preferences in real time as they face an otherwise impractical number of human readable policies with no real way of even identifying who the parties are!

P3P today
Today P3P is only directly incorporated in Internet Explorer. Under its default setting IE looks for the presence of Compact Policy which claims either to not collect and use prima facie personal information or if it does that it offers at least an opt out to such cookie (where the cookie is set in a 3rd party context). This is obviously a helpful first step but has been partially thwarted on a number of fronts:

  • The browser does not distinguish between cookies set in 1st party contexts from the same cookie replayed in a 3rd party context, which is a likely misalignment of consumer expectations
  • To date no serious punishment has been levied against those making false or incorrect P3P statements, which has lead to such promises not being given correct legal scrutiny for specific accuracy (as a practical matter most P3P Compact Headers are demonstrably wrong).
  • Only IE has adopted P3P in any meaningful way.
  • Consumers do not have enough granular control

While the specific future of P3P remains unclear, what is clear is that if consumers are to be confronted with numerous data collectors as they browse web content where these data collectors' practices cannot be accurately disclosed by the 1st party site, there seemingly needs to be some mechanism in place to close the gap between reality and consumer expectation.