
Internet Explorer Privacy Feature FAQ

Windows Internet Explorer privacy features require Web sites to deploy compact policies with their cookies as defined in the Platform for Privacy Preferences (P3P) specification. This specification is currently under consideration as a standard by the World Wide Web Consortium (W3C). The following questions and answers address privacy in Microsoft Internet Explorer 6 from the viewpoint of the Web site. Consult the W3C: Platform for Privacy Preferences (P3P) Project specification for complete details on implementing privacy policies.

Q: Suppose a user's default privacy preference is set to 'Medium' when our site sets a cookie. Our compact policy is acceptable under the 'Medium' setting, but not the 'Medium High' setting. Will our cookie still be replayed if the user changes their privacy preference setting to 'Medium High'?

Answer: Yes. Unless the privacy preference is set to "Block All Cookies," changing the privacy preference setting in Internet Explorer does not affect the cookie acceptance policy for cookies that are already set. However, when a user's privacy preference is set to 'Block All Cookies', then cookie operations are disallowed without exception.

Q: Is it OK to send a P3P header if 'Set-Cookie' is not specified?

Answer: Yes.

Q: Can we send the P3P header multiple times for one response?

Answer: Only the first P3P header is recognized. The rest are ignored.

Q: We have Web pages that include third party content within <iframe> and <img> tags. These third parties do not use cookies. Will we encounter problems under any of the Internet Explorer privacy settings?

Answer: No. As long as third parties do not perform cookie operations, they are not affected by Internet Explorer privacy settings.

Q: Can a user set their Internet Explorer privacy preferences on a site-by-site basis?

Answer: Yes. Users can elect Always Accept or Always Reject Cookies from a given Web site. To select this option, the user clicks Internet Options from the Tools menu and then clicks Edit under Web Sites on the Privacy tab.

Q: Can a Web site set the user's privacy preferences without their permission?

Answer: No. Privacy settings are controlled exclusively by the user.

Q: Where can we find Web sites that deploy P3P privacy policies?

Answer: The W3C keeps a list of P3P Compliant Sites.

Q: If a third-party persistent cookie specifies in its compact policy that it does not collect any personally identifiable information (PII), is it allowed in Internet Explorer? And, if it is allowed, does it remain a persistent cookie or is it downgraded to a session cookie?

Answer: This cookie is allowed in Internet Explorer and does remain a persistent cookie unless the user's default privacy preference is set to Block All Cookies. The user can also specifically request that all cookies are blocked using Advanced Options. To edit Advanced Options the user clicks Internet Options from the Tools menu and then clicks the Advanced button under Privacy Preferences on the Privacy tab.

Q: We serve ads and cookies with compact policies. We place our ads on Web sites in a third-party context. Are privacy policies required of the Web sites on which we place our ads?

Answer: Cookies are evaluated in terms of your compact policy regardless of the Web site's P3P implementation. However, the Web site needs to implement P3P to preserve the functionality of its own cookies.

Q: The W3C states that a compact policy header is optional, but cookies do not seem to work without it. Is a compact policy header required?

Answer: Although compact policies are optional for P3P compliance, they are required by Internet Explorer to determine the Web site's privacy practices concerning cookies.
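
A site can check its own responses against two rules from this FAQ: only the first P3P header is recognized, and Internet Explorer needs a compact policy to evaluate a cookie. The following is an added example, not Microsoft code; the CP="..." field layout follows the W3C P3P specification, and the sample responses, token values and finding names are constructed for illustration.

```python
import re

# Constructed sample responses (not captured traffic); token values are illustrative.
GOOD = ('HTTP/1.1 200 OK\r\n'
        'P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR"\r\n'
        'Set-Cookie: id=abc; path=/\r\n\r\n')
SPLIT = ('HTTP/1.1 200 OK\r\n'
         'P3P: policyref="/w3c/p3p.xml"\r\n'
         'P3P: CP="NON DSP COR"\r\n'
         'Set-Cookie: id=abc; path=/\r\n\r\n')
NO_COOKIE = 'HTTP/1.1 200 OK\r\nP3P: CP="NON DSP COR"\r\n\r\n'

# Matches the compact-policy field CP="..." inside a P3P header value.
CP_FIELD = re.compile(r'(?:^|[\s,;])CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_headers(raw):
    """Return (lowercased name, value) pairs in wire order, skipping the status line."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Return (effective compact-policy tokens, findings) for one response."""
    headers = parse_headers(raw)
    p3p = [v for n, v in headers if n == "p3p"]
    sets_cookie = any(n == "set-cookie" for n, _ in headers)
    findings = []

    # Only the first P3P header is recognized, so only it is searched for CP="...".
    match = CP_FIELD.search(p3p[0]) if p3p else None
    tokens = match.group(1).split() if match else []

    if len(p3p) > 1:
        findings.append("duplicate-p3p-header")
        if not tokens and any(CP_FIELD.search(v) for v in p3p[1:]):
            findings.append("compact-policy-in-ignored-header")
    if sets_cookie and not tokens:
        findings.append("cookie-without-compact-policy")
    return tokens, findings
```

The SPLIT sample shows the failure mode that is easy to miss: the compact policy is present in the response, but it sits in a second P3P header, so the cookie is effectively sent without one.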

Q: We use cookies in a third-party context only to delete preexisting (expired) cookies. Is a compact policy required when deleting cookies in this way?

Answer: If a cookie is not leashed, then you do not need a compact policy to delete these cookies. However, you cannot delete a leashed cookie from a third-party context.

Q: What happens when my site is added to the per-site list with the Block option selected?

Answer: When the user adds your domain to the per-site list with the Block option selected, cookies from your domain are deleted and subsequent cookies are blocked.

Q: How can I retrieve my legacy cookies?

Answer: Legacy cookies (cookies that exist when Internet Explorer is installed or imported from another browser) are leashed and can only be accessed in a first-party context unless the user's privacy setting is set to Allow All Cookies.

Q: I have P3P on my Web site. Why do I still get the privacy icon due to 3rd party ads hosted on my site?

Answer: Sites need to work with the providers of the content from different domains to deploy P3P. This is especially important when a site is a mixture of content from many different sites. Under the default user preferences, third-party context cookies are filtered based on privacy policy. When the browser acts on a cookie, such as by blocking it, the privacy icon displays to inform the user of what is happening behind the scenes.

Q: I have P3P on my Web site. Why do users who already have my site's cookies on their systems get the privacy icon when they upgrade Internet Explorer?

Answer: Cookies that exist on a computer prior to an upgrade are bound to first-party use only. That is, they are sent as usual on HTTP requests in the first-party context, but they are not sent on HTTP requests in the third-party context. When the cookie is suppressed in that third-party context request, the privacy icon displays to inform the user of this protection. This helps to protect the user's privacy from the very beginning of using Internet Explorer. Any site that appears in a first-party context can retrieve those legacy cookies and exercise their relationship with their user. Sites can delete legacy cookies to keep the privacy icon from appearing.

Q: How do I provide localized versions of my privacy policy?

Answer: Normally, no special action is required to display a localized version of the privacy policy. Internet Explorer interprets the XML that defines the policy and renders the privacy policy using localized strings. If your privacy policy uses the other-purpose or consequence elements, the text contained within these elements is not localized. If localization is required, avoid using these elements. The link to the human-readable privacy policy can redirect users to a localized version of this policy based on the Accept-Language HTTP header.

Related topics

Privacy in Internet Explorer
How to Create a Customized Privacy Import File



© 2014 Microsoft