by synx508 5173 days ago
This isn't about third party cookies, it's about cookies period - with the exceptions listed in the article. If you use your own analytics package, the chances are it will use cookies, so user permission will still be required. Log parsing isn't sufficient to get user-based statistics.

Yes, but they also say "we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action."

So in theory all cookies are the same, in practice they're not - first party analytical cookies are mostly safe.

The law is the law as it's written and then as it's reflected in court decisions. We can't choose to do what is defined as illegal just because a FAQ says "we probably won't come after you". That's a risk that many businesses can't afford to take. It's a poorly written law, and as is often the case in laws as knee-jerk reactions to tech changes, throws the baby out with the bathwater. I do think this law shows that we need better tracking mechanisms to meet the needs and expectations of the site owners and the site users, but it shows us by trying to destroy instead of trying to help guide.

> The law is the law as it's written and then as it's reflected in court decisions.

That's true. While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.

If anything, people want the ICO to be a bit tougher - there are plenty of actually dodgy privacy-invading practices going on that the ICO seems to be powerless to stop.

> knee-jerk reactions

This law has been a long time in the making. Self-regulation would be ideal. But there are too many operators who are willing to ignore sensible privacy standards for self-regulation to be possible. Unfortunately some of those bad actors are going to ignore any laws.

> While I'd welcome clearer law it's important to point out that it's the ICO who'll be enforcing the law, so if they say they're not going to go after people it's safe to say they won't.

Until some group puts pressure on them to enforce against analytics sites. Or the top brass at ICO are switched out. Or a politician makes it their mission for a little while. Or...

"We are making this illegal, but we won't enforce it, really!" is not a trustworthy statement.

> The law is the law as it's written and then as it's reflected in court decisions.

That may not be as true as you think.

I don't really know how the modern UK legal system works in this regard, but in the US, the courts would A) defer to the interpretation of the agency (in this case the ICO) as to what a statute means, and B) greatly frown on any attempt to prosecute without warning people who reasonably relied on the agency's declarations.

You can get user-based statistics without cookies with:

    (new Image()).src="http://your.tld/track.png?ua=" + encodeURIComponent(navigator.userAgent);

and then parse your logs.

Update: this is just an example; as ars notes, the user agent is sent as an HTTP header. But screen resolution etc. is not.
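The "parse your logs" step, sketched as an added example that is not part of the original comment: it groups beacon hits by client IP, User-Agent header and a reported screen size, which is what the server ends up holding without any cookie. The `res` query parameter, the combined log format and the sample lines are assumptions constructed for illustration.

```javascript
// Constructed sample access-log lines (combined log format). The "res" query
// parameter is a hypothetical name for a beacon that reports screen size.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2012:09:00:01 +0000] "GET /track.png?res=1280x800 HTTP/1.1" 200 43 "http://your.tld/" "Mozilla/5.0 (X11; Linux) Firefox/11.0"',
  '203.0.113.7 - - [10/Apr/2012:09:05:12 +0000] "GET /track.png?res=1280x800 HTTP/1.1" 200 43 "http://your.tld/a" "Mozilla/5.0 (X11; Linux) Firefox/11.0"',
  // Same address one day later, after a browser update changed the User-Agent.
  '203.0.113.7 - - [11/Apr/2012:09:01:40 +0000] "GET /track.png?res=1280x800 HTTP/1.1" 200 43 "http://your.tld/" "Mozilla/5.0 (X11; Linux) Firefox/12.0"',
  '198.51.100.9 - - [10/Apr/2012:10:00:00 +0000] "GET /track.png?res=1920x1080 HTTP/1.1" 200 43 "http://your.tld/" "Mozilla/5.0 (Windows NT 6.1) Chrome/18.0"',
  '198.51.100.9 - - [10/Apr/2012:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/18.0"',
  'garbage line that is not a log entry',
];

// ip, ident, user, [time], "GET path proto", status, bytes, "referer", "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$/;

// Returns {ip, ua, res} for a beacon hit, or null for anything else.
function parseHit(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[2], "http://your.tld");
  if (url.pathname !== "/track.png") return null;
  return { ip: m[1], ua: m[3], res: url.searchParams.get("res") || "" };
}

// The "visitor" is whatever combination of attributes the log exposes.
function visitorKey(hit) {
  return [hit.ip, hit.res, hit.ua].join("|");
}

// Map of visitor key -> number of beacon hits.
function countVisitors(lines) {
  const counts = new Map();
  for (const line of lines) {
    const hit = parseHit(line);
    if (!hit) continue; // skip non-beacon requests and malformed lines
    const key = visitorKey(hit);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

const visitors = countVisitors(SAMPLE_LOG);
console.log(visitors.size, "distinct visitors, hits per visitor:", [...visitors.values()]);
```

On the sample, the single User-Agent change makes one address count as two visitors.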

§66 on page 20 of Directive 2009/136/EC at [1] uses the word "information", not "cookies".

  Third parties may wish to store information on the
  equipment of a user, or gain access to information
  already stored, for a number of purposes, ranging
  from the legitimate (such as certain types of
  cookies) to those involving unwarranted intrusion
  into the private sphere (such as spyware or
  viruses). It is therefore of paramount importance
  that users be provided with clear and comprehensive
  information when engaging in any activity which
  could result in such storage or gaining of access.

The purpose of the directive is to be as broad as possible to cover collection of any type of information without express permission or "strictly necessary and legitimate purpose".

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...

???

How does this help? The UserAgent is already sent in the headers - what's the point in sending it in a query string?

Look, there are tons of data available in the browser, see http://panopticlick.eff.org/ for a good example. But they are non-stable for reasons outside of the user's control. So, if a user wants to kill her cookies every day, cool, they can. They can't randomly change their useragent+screen-resolution on a daily basis with the same ease. In addition, UA changes outside of user's control (a browser update pushed on them, for example) and that breaks tracking they may want.

So, no, these workarounds are not the right answer; we need mechanisms that let users control their data and let them choose to share it. It's up to us as product makers to give them a good reason.

Well, having made no special effort, the site claims my User-Agent is as unique as my set of 5,150 installed fonts. To be fair, I suppose WebKit nightly version numbers don't satisfy most definitions of "random".

As for mechanisms, to what end, if nobody bothers to use them? Especially things like "randomize User-Agent string" that'd break a great many "non-evil" sites?

Looks like someone made a "randomize user-agent" for Chrome: http://news.ycombinator.com/item?id=3880536