P3P Standards Could Have Privacy Concerned Users Tossing Cookies

Ad frequency caps, site visitor numbers and all sorts of third party data are being sabotaged. Blame it on a little birdie, a browser behemoth and good intentions.

Cookies are used to target, serve, track and optimize ad campaigns, pre-populate online forms, personalize user experiences and measure site visits and interaction, but P3P policy tracking agents are throwing a wrench into those everyday business mechanisms that Web publishers take for granted.

“A lot of people don’t know it’s going on,” marvels Eric Picard, director of product management for online marketing and ad serving firm Bluestreak.

Platform for Privacy Preferences, or P3P, was developed by the World Wide Web Consortium; it enables client software like Web browsers to retrieve and assess privacy policies automatically by putting those policies into a machine-readable language. User software can then determine whether a site’s policy and use of cookies are acceptable based on user-defined standards.

To prevent personally identifiable data from being tracked, the default settings in Microsoft’s Internet Explorer 6 allow cookies to be set only by the domain visited; third-party domains can set cookies only if they have P3P-compliant statements set up. That means any cookies served along with any type of Web content through another domain that’s not P3P compliant will not be accepted by IE6 users. Around half of Web surfers globally use IE6, according to Browser News, and the steady flow of upgrades from IE5 will continue to boost version 6 penetration rates.

“Every time I come back it thinks I’m a new user,” explains Dave Morgan, president and CEO of audience management software company Tacoda Systems. Morgan cautions that since cookies are being rejected, visitor numbers can be inaccurate and frequency caps on ads like pop-ups can fail.

The most at-risk publishers are sites and networks that serve content from a variety of Web domains and/or those that manage their own ad serving in-house. By now, almost any third-party ad serving platform managed off-site has implemented P3P. Some estimate that two-thirds of the top 100 most visited sites have not implemented P3P on their servers.

Cookies are blocked when users access CBS MarketWatch content through The New York Times on the Web. The same goes for cookies served to iVillage visitors who click on “horoscopes” or “beauty”.

iVillage is in the process of implementing a P3P policy, but is taking care, mainly for legal reasons, to ensure that the information included in the P3P language matches that of its site privacy policy. Carl Fischer, VP of corporate communications at iVillage, laments that the IE6 browser default standards “cause someone other than the publisher to dictate user experience on the site, and that’s a big deal! We know our users better than anyone else.”

“Most of the time, privacy policies are much broader than what the P3P statement says,” states TRUSTe executive director, Fran Maier. TRUSTe approval requires only that P3P policies be consistent with site privacy policies, but doesn’t require that sites have P3P implemented.

In addition to legal concerns, the P3P system could give users a false sense of security because compliance is voluntary. Technically, tracking agents like IE6 and the AT&T Privacy Bird could give the green light to cookies served from a site even if it doesn’t abide by the standards its P3P policy says it does.

How are publishers dealing with P3P problems? Find out in the second part of this two-part series, coming soon.
