...that you'd not have to pay for it, P3P is just an XML standard and can be (or is) built into the web browser as a native component...
However... it's also 95% totally useless
The system then alerts the user in plain English about conflicts between the site's privacy policies and the user's preferences. Alternatively, the site simply rejects the website's cookie, the piece of code which stores information about the user.
The cookie simply stores information about the user (generally their session id) on the user's machine... using a transparent session ID (passed around in the URI) means all that tracking potential is still in place, it just can't be passed from one session to another (although using transparent SIDs does leave the sessions open to hijacking unless you code something in to attempt to prevent it). The company that runs the site still has access to all that data and can do what they like with it.
Hell, chuck some GeoIP software on the server, cross reference that against ISP IP allocation ranges and UserAgent strings and you could probably, even with cookies disabled on the user's PC, match up their current session to any previous ones (if you logged that session data).
You'd not even have to get that complicated ... if a user visits your site and rejects your session cookie, just tell them that they can't use your site. It's a totally crap way of doing it, but hardly uncommon. Many user's will simply follow your nice helpful instructions on how to disable that annoying P3P software in Internet Explorer (as an example).
P3P is NOT a privacy protection tool, it's a _marketing_ tool, nothing more.