P3P

The HTTP P3P response header communicates a website's privacy practices in a machine-readable format defined by the W3C Platform for Privacy Preferences specification.

Legacy

The W3C published P3P 1.0 as a Recommendation in 2002 and officially obsoleted the specification on August 30, 2018. Modern browsers like Chrome, Firefox, and Safari have never implemented P3P. Internet Explorer was the only major browser to act on P3P compact policies, using them to decide whether to accept third-party cookies. Many servers still send the header as a remnant of earlier configurations.

Usage

The P3P header was designed to let websites express data collection and usage practices through compact policy tokens. A compact policy (CP) is a string of three-letter and four-letter codes summarizing categories like data purpose, data recipients, and retention policies.

Internet Explorer used compact policies to filter third-party cookies. A response arriving in a third-party context (such as an iframe or cross-domain request) needed a valid CP string for Internet Explorer to accept its cookies. This behavior led many sites to send minimal or fabricated P3P headers solely to ensure their cookies were accepted, without reflecting actual privacy practices.

Google adopted a well-known placeholder explicitly stating the header is not a real policy. Other sites sent strings of valid-looking tokens not corresponding to a published privacy policy. A 2010 study from Carnegie Mellon found widespread misuse of compact policy tokens across major websites.

Values

CP (Compact Policy)

The CP field contains a quoted string of space-separated tokens. Each token is a three-letter or four-letter code from the P3P 1.0 specification representing a specific privacy practice.

Common token categories include:

  • Purpose tokens: CUR (current use), ADM (administration), DEV (development), NAV (navigation), INT (interactive), COM (communication)
  • Recipient tokens: OUR (the site itself), DSP (same as stated in the dispute policy), COR (corrections available)
  • Data tokens: UNI (unique identifiers), PHY (physical contact information), ONL (online contact information)
  • Access tokens: NON (no identified data collected), ALL (all identified data accessible)

Purpose tokens accept an optional suffix: a (always), i (opt-in), or o (opt-out). For example, DEVi means data is collected for development purposes on an opt-in basis.

Example

Google sends a P3P header explicitly declaring the value is not a real policy. This approach bypassed Internet Explorer's cookie filtering without claiming to express actual privacy practices.

P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."

A compact policy with valid tokens describes the site's stated data practices. The tokens below declare: no identified data (NON), dispute resolution available (DSP), corrections possible (COR), data used for current activity (CUR), administration (ADM), development (DEV), pseudonymous analysis (PSA, PSD), data shared only with the site itself (OUR), unique identifiers collected (UNR), business practices disclosed (BUS), and purposes including communication (COM), navigation (NAV), interactive features (INT), demographic analysis (DEM), and stated purpose (STA).

P3P: CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"

Some sites include purpose suffixes to indicate whether data collection is always active, opt-in, or opt-out. The a suffix on CURa and ADMa means those purposes are always in effect, while DEVa indicates development data collection is always active and IVAi and IVDi mark individual analysis as opt-in.

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
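
The Python sketch below is an added example, not part of the original page or of any P3P implementation: it extracts the CP field from a P3P header value and separates syntactically valid compact-policy tokens from placeholder text such as the Google string above. The token list is transcribed from the P3P 1.0 compact vocabulary and flattened into one set, the names parse_cp, split_token and audit are hypothetical, and two simplifications are assumed: matching is case-sensitive, and any known token followed by a, i or o is accepted.

```python
import re

# P3P 1.0 compact-policy vocabulary, flattened into one set (transcribed
# for this example; categories are deliberately not modelled).
KNOWN = set("""
NOI ALL CAO IDC OTI NON DSP COR MON LAW NID
CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND
PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST
""".split())
SUFFIXES = {"a": "always", "i": "opt-in", "o": "opt-out"}
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)

def parse_cp(header_value):
    """Return the raw tokens of the CP field, or None if there is no CP field."""
    m = CP_RE.search(header_value)
    return m.group(1).split() if m else None

def split_token(tok):
    """Return (base, suffix_meaning) for a recognised token, else None."""
    if tok in KNOWN:
        return tok, None
    if len(tok) == 4 and tok[:3] in KNOWN and tok[3] in SUFFIXES:
        return tok[:3], SUFFIXES[tok[3]]
    return None

def audit(header_value):
    """Classify a P3P header value as 'no-cp', 'placeholder' or 'well-formed'."""
    tokens = parse_cp(header_value)
    if tokens is None:
        return {"verdict": "no-cp", "known": [], "unknown": []}
    known, unknown = [], []
    for tok in tokens:
        (known if split_token(tok) else unknown).append(tok)
    # An empty CP string or any unrecognised word means it is not a token list.
    verdict = "well-formed" if tokens and not unknown else "placeholder"
    return {"verdict": verdict, "known": known, "unknown": unknown}

# Header values taken from the three examples on this page.
SAMPLES = [
    'CP="This is not a P3P policy! See g.co/p3phelp for more info."',
    'CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"',
    'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(audit(value)["verdict"], value)
```

A "well-formed" verdict only means every token is syntactically valid; it says nothing about whether the string matches a published privacy policy.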

Takeaway

The P3P header was part of the W3C Platform for Privacy Preferences specification, designed to express website privacy policies in machine-readable form. Internet Explorer was the only browser to enforce P3P compact policies for third-party cookie decisions, and the specification was officially obsoleted in 2018.

Last updated: March 6, 2026