P3P defines a special set of "safe zone" practices, which SHOULD be used by all P3P-enabled user agents and services for the communications which take place as part of fetching a P3P policy or policy reference file. In particular, requests to the well-known location for policy reference files SHOULD be covered by these "safe zone" practices. Communications covered by the safe zone practices SHOULD involve only minimal data collection, and any data that is collected SHOULD be used only in non-identifiable ways.
To support this safe zone, P3P user agents SHOULD suppress the transmission of data unnecessary for the purpose of finding a site's policy until the policy has been fetched. Therefore safe-zone practices for user agents include the following requirements:

- User agents SHOULD NOT send a Referer header in the safe zone.
- User agents SHOULD NOT send the Accept-Language HTTP header in the safe zone. Sending the correct Accept-Language header will allow fetching a P3P policy in the user's preferred natural language (if available), but does expose a certain amount of information about the identity of the user. User agents MAY wish to allow users to decide when these headers should be sent.

Safe-zone practices for servers include the following requirements:

- Servers SHOULD NOT use in an identifiable way the Referer header, cookies, user agent information, or other information unnecessary for responding to requests in the safe zone.

Note that the safe zone requirements do not say that sites cannot keep identifiable information -- only that they SHOULD NOT use in an identifiable way any information collected while serving a policy file. Tracking down the source of a denial of service attack, for example, would be a legitimate reason to use this information and ignore this recommendation.