Reflecting on Google’s recent decision to postpone third-party cookie deprecation, I can’t help but think: we’ve been here before. Back in 1999, I was part of a team working on the Platform for Privacy Preferences (P3P) Project, a major W3C standards effort aimed at creating machine-readable privacy policies for the web.

P3P was ahead of its time. We envisioned a world where browsers could automatically read and evaluate website privacy policies, giving users more control over their data. This idea was notably supported by Internet Explorer, the dominant browser at the time.

However, P3P had a fatal flaw: trust. Anyone could claim anything in their P3P policy, and there was no way to verify it. I pushed hard for authenticated compact headers, but digital signature standards weren’t ready yet. Without this crucial piece, P3P eventually fell by the wayside.

 

Similar Challenges Being Faced Today

Fast forward to today, and we’re facing similar challenges. Google’s Privacy Sandbox and the broader industry efforts to replace third-party cookies are grappling with the same fundamental issues: How do we balance personalization with privacy? How do we ensure that privacy statements are trustworthy and enforceable?

Revisiting P3P concepts could provide valuable insights for our current privacy challenges. Imagine privacy policies that are not just machine-readable but also cryptographically signed and verified by responsible authorities. In this world, browsers can enforce these policies automatically, and users have granular control over their data without reading through pages of legalese. They can rely on recommended preferences from trusted authorities like the AARP or Consumers Union.

We now have regulations, blockchain technology, advanced cryptography, and a much more sophisticated understanding of online privacy. But the core principles of P3P – transparency, user control, and machine-readability – are still relevant.

What’s Next? What’s Possible?

We have already added labels to cookies in the form of the HttpOnly, SameSite, and Partitioned attributes. My suggestion is to make this more useful with a digitally signed “nutrition label” detailing how the cookie will be used.
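As an added illustration (not code from the author or from any standard), this shows how a browser-side check of a signed cookie label could reject the self-asserted claims that undermined P3P. The label fields, the signer name `example-authority`, and the Ed25519 keys are assumptions constructed for this example.

```javascript
// Added illustration: label fields, signer name and keys are hypothetical.
const crypto = require('crypto');

// Constructed key pair standing in for a certifying authority.
const authority = crypto.generateKeyPairSync('ed25519');
// Public keys the browser would ship with or the user would choose to trust.
const trustedKeys = new Map([['example-authority', authority.publicKey]]);

// Canonical bytes: fields sorted by name so signer and verifier agree.
function canonical(label) {
  const fields = Object.keys(label).sort().map((k) => [k, label[k]]);
  return Buffer.from(JSON.stringify(fields), 'utf8');
}

function signLabel(label, signer, privateKey) {
  const sig = crypto.sign(null, canonical(label), privateKey);
  return { label, signer, sig: sig.toString('base64') };
}

// Returns 'ok' or the reason the label must be ignored.
function verifyLabel(signed, cookieName, nowMs) {
  const key = trustedKeys.get(signed.signer);
  if (!key) return 'untrusted-signer'; // self-asserted claims: the P3P gap
  let valid = false;
  try {
    const sig = Buffer.from(String(signed.sig), 'base64');
    valid = crypto.verify(null, canonical(signed.label), key, sig);
  } catch {
    valid = false; // malformed signature or label
  }
  if (!valid) return 'bad-signature';
  // The signature covers the cookie name, so a label cannot be reused
  // on a different cookie, and an expiry, so stale approvals lapse.
  if (signed.label.cookie !== cookieName) return 'wrong-cookie';
  if (nowMs > Date.parse(signed.label.expires)) return 'expired';
  return 'ok';
}

// Constructed sample label for a cookie named "uid".
const sampleLabel = {
  cookie: 'uid',
  purposes: ['frequency-capping'],
  retentionDays: 30,
  sharedWith: [],
  expires: '2030-01-01T00:00:00Z',
};
const signedSample = signLabel(sampleLabel, 'example-authority', authority.privateKey);
```

A label that fails any check is treated as if no label were present, so an unsigned or altered claim earns the cookie no additional trust.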

Google’s decision gives us a chance to get this right. Let’s not waste it by reinventing the wheel. Instead, let’s learn from the successes and failures of P3P and other privacy initiatives. Browser-arbitrated privacy controls can work with robust mechanisms for verification and enforcement. It won’t be easy, but it’s necessary if we want to preserve a vibrant open web.

The future of online privacy isn’t just about getting rid of cookies – it’s about creating a new paradigm for data transparency and control.

And who knows? Maybe this time, we’ll nail it.

About the Author

Daniel Jaye

Chief Executive Officer

Dan has provided strategic, tactical and technology advisory services to a wide range of marketing technology and big data companies. Clients have included Altiscale, ShareThis, Ghostery, OwnerIQ, Netezza, Akamai, and Tremor Media. Dan was the founder and CEO of Korrelate, a leading automotive marketing attribution company, purchased by J.D. Power in 2014. Dan is the former president of TACODA, bought by AOL in 2007, and was the founder and CTO of Permissus, an enterprise privacy compliance technology provider. He was the Founder and CTO of Engage and served as the acting CTO of CMGI. Prior to Engage, he was the director of High Performance Computing at Fidelity Investments and worked at Epsilon and Accenture (formerly Andersen Consulting).

Dan graduated magna cum laude with a BA in Astronomy and Astrophysics and Physics from Harvard University.
