Internet Explorer Privacy Feature FAQ
Windows Internet Explorer privacy features require Web sites to deploy compact policies with their cookies as defined in the Platform for Privacy Preferences (P3P) specification. This specification is currently under consideration as a standard by the World Wide Web Consortium (W3C). The following questions and answers address privacy in Microsoft Internet Explorer 6 from the viewpoint of the Web site. Consult the W3C: Platform for Privacy Preferences (P3P) Project specification for complete details on implementing privacy policies.
Q: Suppose a user's default privacy preference is set to 'Medium' when our site sets a cookie. Our compact policy is acceptable under the 'Medium' setting, but not the 'Medium High' setting. Will our cookie still be replayed if the user changes their privacy preference setting to 'Medium High'?
Answer: Yes. Unless the privacy preference is set to 'Block All Cookies', changing the privacy preference setting in Internet Explorer does not affect the cookie acceptance policy for cookies that are already set. However, when a user's privacy preference is set to 'Block All Cookies', cookie operations are disallowed without exception.
Answer: Only the first P3P header is recognized. The rest are ignored.
Answer: No. As long as third parties do not perform cookie operations, they are not affected by Internet Explorer privacy settings.
Answer: Yes. Users can elect Always Accept or Always Reject Cookies from a given Web site. To select this option, the user clicks Internet Options from the Tools menu and then clicks Edit under Web Sites on the Privacy tab.
Answer: No. Privacy settings are controlled exclusively by the user.
Answer: The W3C keeps a list of P3P Compliant Sites.
Q: If a third party persistent cookie specifies in its compact policy that it does not collect any personally identifiable information (PII), is it allowed in Internet Explorer? And, if it is allowed, does it remain a persistent cookie or is it downgraded to a session cookie?
Answer: This cookie is allowed in Internet Explorer and does remain a persistent cookie unless the user's default privacy preference is set to Block All Cookies. The user can also specifically request that all cookies be blocked using Advanced Options. To edit Advanced Options, the user clicks Internet Options from the Tools menu and then clicks the Advanced button under Privacy Preferences on the Privacy tab.
Q: We serve ads and cookies with compact policies. We place our ads on Web sites in a third-party context. Are privacy policies required of the Web sites on which we place our ads?
Answer: Cookies are evaluated in terms of your compact policy regardless of the Web site's P3P implementation. However, the Web site needs to implement P3P to preserve the functionality of its own cookies.
Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?
Answer: Although compact policies are optional for P3P compliance, they are required by Internet Explorer to determine the Web site's privacy practices concerning cookies.
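Two rules from this FAQ can be checked against a site's own responses: only the first P3P header is recognized, and a cookie needs a compact policy to be evaluated. The following is an added example, not Microsoft's code; the `CP="..."` header syntax is taken from the W3C P3P specification rather than this page, and `audit_response` and the sample headers are constructed for illustration.

```python
import re

# CP="..." field of a P3P header. Syntax per the W3C P3P specification
# (assumption: the header format itself is not shown on this page).
CP_FIELD = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)

def audit_response(headers):
    """headers: list of (name, value) tuples in the order the server sent them.
    Returns which compact policy would be seen and any problems found."""
    p3p_values = [v for n, v in headers if n.lower() == "p3p"]
    sets_cookie = any(n.lower() == "set-cookie" for n, _ in headers)

    tokens = []
    if p3p_values:
        # Only the first P3P header is recognized; the rest are ignored,
        # even if a later one is the only header carrying a CP field.
        match = CP_FIELD.search(p3p_values[0])
        if match:
            tokens = match.group(1).split()

    findings = []
    if len(p3p_values) > 1:
        findings.append("duplicate-p3p-header")
    if sets_cookie and not tokens:
        findings.append("cookie-without-compact-policy")
    return {"compact_policy": tokens, "findings": findings}

# Constructed sample responses (not captured from any real site).
GOOD = [
    ("Content-Type", "text/html"),
    ("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"'),
    ("Set-Cookie", "id=abc123; path=/"),
]
SHADOWED = [  # the CP field sits in a second P3P header, so it is ignored
    ("P3P", 'policyref="/w3c/p3p.xml"'),
    ("P3P", 'CP="NOI DSP COR"'),
    ("Set-Cookie", "id=abc123; path=/"),
]
NO_COOKIE = [("Content-Type", "image/gif")]  # no cookie operations, nothing to flag

if __name__ == "__main__":
    for name, resp in (("GOOD", GOOD), ("SHADOWED", SHADOWED), ("NO_COOKIE", NO_COOKIE)):
        print(name, audit_response(resp))
```

Header names are compared case-insensitively, and the order of the list must match the order on the wire, since that order decides which P3P header counts.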
Answer: If a cookie is not leashed, then you do not need a compact policy to delete these cookies. However, you cannot delete a leashed cookie from a third-party context.
Answer: When the user adds your domain to the per-site list with the Block option selected, cookies from your domain are deleted and subsequent cookies are blocked.
Answer: Legacy cookies (cookies that exist when Internet Explorer is installed or imported from another browser) are leashed and can only be accessed in a first-party context unless the user's privacy setting is set to Allow All Cookies.
Q: I have P3P on my Web site. Why do I still get the privacy icon due to 3rd party ads hosted on my site?
Q: I have P3P on my Web site. Why do users who already have my site's cookies on their systems get the privacy icon when they upgrade Internet Explorer?
Answer: Cookies that exist on a computer prior to an upgrade are bound to first-party use only. That is, they are sent as usual on HTTP requests in the first-party context, but they are not sent on HTTP requests in the third-party context. When the cookie is suppressed in that third-party context request, the privacy icon displays to inform the user of this protection. This helps to protect the user's privacy from the very beginning of using Internet Explorer. Any site that appears in a first-party context can retrieve those legacy cookies and exercise their relationship with their user. Sites can delete legacy cookies to keep the privacy icon from appearing.