A P3P Exchange

In this scenario, a site’s privacy policy is stored in a “well-known” default location (e.g., /w3c/p3p.xml) on the Web site.

1. A user enters the URL of the Web site. The browser begins by requesting its privacy policy.

2. The site returns the privacy policy to the browser, which parses the policy and compares it with the user’s preferences.

3. The browser requests the Web page referenced by the URL the user entered. Note that the browser cannot know in advance whether a particular page actually contains elements, such as third-party cookies, that conflict with its privacy policies. The site’s privacy policy only describes how it handles information derived from such elements when they are present on pages covered by that policy. Thus, the browser may request pages even if the site’s privacy policy conflicts with the user’s preferences, but it will then reject any offending items on the page, such as third-party cookies without compact privacy policies, that violate the user’s privacy preferences.