The cookie law is dead, you’re welcome (blog.silktide.com)
69 points by silktide 5024 days ago
Last week we laid down a bitter ultimatum to the guardians of the cookie law: Go Ahead And Sue Us. We stripped our sites bare of cookie warnings and begged them to do their worst.
15 comments

To all the people bashing the EU e-Privacy directive [1] (the "cookie law"): have you bothered to read it all?

If so, could you please pinpoint which part of the directive you do not like? Which parts are hard to implement? Can you also explain to us (with the same verve used to bash the directive) how your national implementation is even worse than the EU-wide directive?

The directive is quite short, definitely shorter than a review of a new Mac OS X release. Give it a try.

Spoiler: the word "cookie" is not used in the law, only in the explanatory preamble.

[1] latest consolidated version of the EU e-Privacy directive http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLE...

That part where half the websites I use started giving me popups asking if I accept cookies before I could use the site was the part that I did not like.
This part:

>Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

Could certainly be interpreted to mean that users must actively accept or refuse cookies before accessing a website. I don't like this because the inconvenience outweighs the privacy benefits, in my opinion.

That part is not part of the law, just introductory text. The law says in Article 5:

«3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.»

A site can store data on a person's computer only if that person has given consent to it or if it is technically needed. Your ad campaigns, your A/B tests, your detailed analytics are not technically needed and I want to have a say on whether they are going to be stored on my computer.

Please note that many national implementations explicitly allow for broad mechanisms like "accept all cookies" buttons during installations as long as they are set or clicked by the user and are not simple defaults.

Whether it is in the recital or the enacting terms is irrelevant, I quoted the recital because it is a little clearer.

The effect is the same - sites have interpreted the law to mean that a pop-up prompt is necessary. I think that the inconvenience of this outweighs the benefit. You might disagree, but don't try to make it sound as if everyone who disagrees with you is ignorant.

Welcome to the world of EU bashing. People usually never read anything that comes from Brussels, but love to complain about it. Unfortunately, that is especially true for British media.
Welcome to the world of $LARGE_ORGANIZATION bashing. People usually never read anything that comes from $LARGE_ORGANIZATION, but love to complain about it. Unfortunately, that is especially true for $EVERYONE.

(Sorry. Excessively-specific adjectives are a bit of a pet peeve of mine.)

Just read European newspapers and the justifications of politicians in Europe when they want to implement some unpopular policy.

It's not uncommon that a political party introduces a policy first on the EU level (say, in the Commission) and then complains about it later that the "EU forces them" to implement it on a national level (even though it was that same party that promoted it in Europe). It's the easiest way for politicians to blame unpopular but necessary policies on somebody else.

Aren't those nouns?
In this case, sure. I mentally think of it as the excessively-specific adjective problem, because usually I'm wanting to replace "British media" with "media" or something. This shot right off the adjectives entirely. (This is explanation, not defense, BTW; you are entirely correct.)
I would call it a problem of excessive specificity in general, where specifying adjectives is an example of it!
Proper nouns at that.
You do like shell script, don't you? ;)
> To all the people bashing the EU e-Privacy directive [1] (the "cookie law"): have you bothered read it all?

I haven't read it, but I guess the BBC guys had http://i.imgur.com/b0CYo.png

The EU cookie law is so stupid and full of holes that it's absolutely ridiculous. Also nobody seems to know how to implement it properly so most people just don't. This includes a lot of government websites and EU organisations, even the EU's main website http://europa.eu/ doesn't comply with the law.

If ever there was a bad case of politicians trying to reach a noble goal (in this case caring about a user's privacy) but not having a clue about the technological means to reach the goal, this is it.

Maybe EU needs a technology commissioner.

It's worth noting that this law wasn't produced in the usual way, and there was not much in the way of industry involvement in the legislation's drafting process. About 15 months ago, I commented:

> I think it was not so much that the community was ignored, but that the law was passed under unusual circumstances: usually the lobbyists inform the legislators, who defer to industry on the specifics. Here the lobbyists mostly hated the legislation, but legislators were more responsive to privacy activists because of widespread public concern. So the law is a triumph of democracy over technocracy.

> And I think that's reflected in the legislation. The principles are OK, but the detail does not match up with practice. Hence the law is some way from being something workable.

http://news.ycombinator.com/item?id=2587995

So I don't think this is really the politician's fault, so much as problems with parliamentary process. Your idea of a technology commissioner might be helpful, but the whole problem here is that the EU Commission did not guide the legislation, with the drafting being driven by parliament.

If they were called EM100(weN)vloops instead of "cookies", the politicians wouldn't have weighed in.
Technology is covered by the European Commissioner for research, innovation and science, currently Máire Geoghegan-Quinn of European Liberal Democrat and Reform Party.

However, the commissioners, as members of the European Commission, do not take part in EU legislature; the EU Parliament does.

The cookie thing is a British law.
I do enjoy a self-propagandising and excessively hyperbolic headline.

In principle the law has an honest objective to increase user awareness of cookies. I just don't understand all the developers on here jumping around at the outrageousness of the law when the ICO in the UK is obviously taking a relaxed approach to enforcement.

Obviously the problem is that a law as drafted could be applied as drafted however I think there is room for a pragmatic approach here which acknowledges a) the type and sophistication of the site and its users b) the type of cookies being used and c) the risk of a user being harmed or making a complaint.

> taking a relaxed approach to enforcement.

Whenever a group largely objects to a law, it seems that some of the group will say something like "Well, at least they're not enforcing it", or "Well, at least prosecutors have discretion on bringing charges", as though this is better, when in fact lax enforcement is worse. If people are not in immediate danger from a law, no matter how bad it is, they will be less inclined to spend their own time and resources fighting it. This means that in modern democracies, bad laws that stay on the books almost always come with inconsistent or rare enforcement, because that's how they stay on the books: people are not outraged enough to lobby for repeal or amendment.

You are right - the risk is of course that with a bad law on the books, the enforcement strategy could change at any moment.
...or be subject to stochastic enforcement. Anything not predictable is inherently risky and likely to be avoided by the more risk averse. The actors engaging in more risky behavior then become the prototypes for bad behavior and a justification for tougher enforcement and more laws.
Increasing awareness of cookies is not very helpful. People don't give a rats heini about stuff like that.

All it does is make things more confusing causing customers to drop off.

And I still don't understand what is so bad about them being able to profile me. I want them to do that so I can get better ads / better communication in the future.

I think the problem is that you are aware of this profiling in the first place. Many are not. At least if they are informed, they can make a decision as to whether or not they care about it.

I don't know where I lie on the divide between those who value the input that targeted advertising can bring and those who are vehemently against any form of tracking. The problem I think is the uneducated majority in the middle. They may browse one site and then wonder why ads from that site or for a similar product are suddenly appearing. They have no awareness whatsoever that information about their browsing habits is being collected.

I personally think it is a more preferable situation to have an educated populace opting in to that form of collection of information than to have an uneducated one who has no comprehension that companies are engaging in this sort of behaviour.

I accept it is likely to be relatively harmless in many cases, but as I said, I would rather have an informed opt-in or at least knowledge that this was taking place.

>All it does is make things more confusing causing customers to drop off.

So what you're saying, is that it becomes more expensive to use cookies for bullshit like user profiling and you have to think about whether or not they're goddamn necessary for your website?

Sounds like the law is working correctly then.

But what's the point of passing a law if you're not going to enforce it?
As is true of many laws in England and Wales, having weakly enforced laws on the books can come in handy when there's someone you want to nail but on whom you can't solidly pin anything else.

In a way, this is one of the beauties of our legal system. Something as simple as swearing in public is an arrestable offense but almost no-one casually swearing within earshot of an officer would get hauled in. If that person were antagonising people, acting "suspiciously", etc, then it gives the officer a handy way to haul them in without proving a different offense.

Likewise, the "cookie law" could be a way of reeling a dangerous Web site in when there's no solid proof of anything else they're doing.

It seems that the bigger companies (BBC, Amazon, etc.) have just gotten away with having a link to their cookies policy in the footer, while the smaller guys (e.g. the web dev place I work at) have been scared into placing often intrusive JS notifications that grab the user's attention needlessly.

If the average user were to even understand what cookies were, I could see at least some reasoning behind the law, but as it stands, it's like having a prompt at the petrol pump that asks you if you consent to something in your fuel that's there to help your engine - most people don't know about it and don't want to be bothered being asked the question in the first place.

The BBC had an annoying popup banner thing.
Just checked and you're right... bad example, I should have checked before I posted. There are, however, plenty of larger companies that did just use a link in the footer (Amazon was one). The day before (IIRC) the deadline for having the law applied, the ICO decided that implied consent could be used, thus making a link in the footer perfectly okay.
The ICO's interpretation of the privacy law requires the user to understand that continued usage of a website will result in tracking (i.e. alert them until they agree), so the BBC's version complies better with the recommendations.

That's what they mean by implied consent – the user can use the website so long as they understand the situation, they don't have to physically agree. A lot of websites then decided to take their own meaning from the term "implied consent" without reading the document.

I admit to not spending the time to read the actual law text (mainly because it seems so ridiculous), but can't it be worked around using other technologies?

If the law bans cookies, can't sites just switch to using WebStorage/IndexedDB/webkit FileSystem to achieve the same thing, but not using cookies? Thus actual bad guys have a workaround, and the good guys who keep using cookies because they're useful are apparently breaking the law.

Does the cookie law ban other technologies or can we just shift to a new tech not covered by the law?

CTO of an adserving company here. The law states that explicit consent is required for third-party tracking cookies.

The law doesn't specifically say cookies either: it is deliberately vague to mean any data stored on a client's pc. So flash cookies, webstorage, etc all fall under this category. This is due to the law's original intent to fight malware / spyware.

A basic summary of the relevant parts of the law can be found here: http://www.aboutcookies.org/default.aspx?page=3
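The Article 5 text quoted earlier in the thread (consent, or storage strictly necessary for a requested service) and this comment's point that the rule covers any data stored on the client, not just cookies, can be expressed as a storage gate. The following is an added example, not code from the thread or from any of the sites it discusses; the purpose names and the use of plain Maps in place of document.cookie and localStorage are assumptions.

```javascript
// Added example: consent-gated client-side storage modelled on Article 5(3) of the
// e-Privacy directive: store or read information on the user's device only with informed
// consent or when strictly necessary; the gate is mechanism-agnostic (cookies, Web Storage).
const PURPOSES = Object.freeze({
  NECESSARY: "necessary",     // e.g. the session id behind a login the user requested
  ANALYTICS: "analytics",     // A/B tests, detailed analytics
  ADVERTISING: "advertising", // third-party ad tracking
});

class ConsentState {
  constructor() { this.granted = new Set(); }
  grant(purpose) { this.granted.add(purpose); }
  revoke(purpose) { this.granted.delete(purpose); }
  // The "strictly necessary" exemption needs no consent; everything else does.
  allows(purpose) { return purpose === PURPOSES.NECESSARY || this.granted.has(purpose); }
}

class ConsentGatedStorage {
  // backends: name -> object with set/get/delete, e.g. { cookie: ..., local: ... }.
  // Plain Maps stand in for document.cookie and window.localStorage here (assumption),
  // so the example runs outside a browser.
  constructor(consent, backends) {
    this.consent = consent;
    this.backends = backends;
    this.purposeOf = new Map(Object.keys(backends).map((n) => [n, new Map()]));
  }
  set(backend, key, value, purpose) {
    if (!Object.values(PURPOSES).includes(purpose)) throw new Error("unknown purpose: " + purpose);
    if (!this.consent.allows(purpose)) return false; // refused: nothing touches the device
    this.backends[backend].set(key, value);
    this.purposeOf.get(backend).set(key, purpose);
    return true;
  }
  // "Gaining access to information already stored" is covered too: reads are gated by the purpose.
  get(backend, key) {
    const purpose = this.purposeOf.get(backend).get(key);
    if (purpose !== undefined && !this.consent.allows(purpose)) return null;
    return this.backends[backend].get(key) ?? null;
  }
  // On withdrawal of consent, delete everything stored under that purpose; returns the count.
  purge(purpose) {
    let removed = 0;
    for (const [name, keys] of this.purposeOf) {
      for (const [key, p] of keys) {
        if (p === purpose) { this.backends[name].delete(key); keys.delete(key); removed++; }
      }
    }
    return removed;
  }
}
```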

No, the law is known as the "cookie law" but it is actually the "E-privacy directive" (or something like that).

It is quite clear that it is the intent rather than the method that is being regulated.

It covers all such technologies used for the same purpose:

>The law which applies to how you use cookies and similar technologies for storing information on a user’s equipment such as their computer or mobile device changed on 26 May 2011.

http://www.ico.gov.uk/for_organisations/privacy_and_electron...

IIRC from when I read the law last year, no. It talks in terms of stored information, not cookies specifically.
I'm fairly sure that the EU issued a directive and not a regulation. The member states take these directives and decide whether to (and how to) implement them into the statutory law of their country.

The rest of Europe looked at this directive and decided not to implement it 'ad pedem litterae'. You don't see any other countries with stupid little cookie notices plastered all over their websites.

The United Kingdom on the other hand, has a long history of misunderstanding the purpose of directives and implementing them without due consideration or manipulation.

Thus, the EU Cookie Law is misnamed. It is the UK Cookie Law.

It followed from the EU Directive 2002/58 on Privacy and Electronic Communications: http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electr...

Directive... Directive... Directive...

Don't blame Brussels. Blame the UK government.

More on regulation and directives here: http://news.bbc.co.uk/2/hi/europe/8160808.stm

The maximum fine can add up to 450.000,- per violation. AND: by law, if you add third-party plugins (analytics or social widgets) to your INTRANET you also need to comply with the cookie law. How about that?
I am not sure how they could enforce it against an INTRANET at all.
I don't think they can either. But it's in the law. It's completely crazy.
This all looks like typical political rhetoric to me. The politicians think something must be done-- OK, here is something, let's do it! It doesn't matter that this something isn't the right thing, because now "I did something about this problem. Re-elect me."
According to http://www.cookie-checker.com, the top 3 use 65 to 85 cookies (!). Law or no law, I still think this is quite heavy in the light of privacy.
Cookies in the UK may end up being treated like weed in the Netherlands: technically illegal, but not prosecuted even when out in the open.
Are you required to give the cookie notice if people log in to your site (and you only use cookies after that point)?
Grammar pedantry: surely it should be 'The cookie law is dead. You're welcome.'?
Not quite yet, fingers crossed though. The legislation is unabashed bullshit; I've been recommending my clients hold fire in spite of the fact this would be billable work for me, because it is so arse-about-face.
So is your site apparently.
One day we will all wake up as slaves to a great machine smarter than any human, we will live, eat, laugh, cry, and die by the machine. And it will know best.

Don't question its authority over you. Its judgement is flawless, divine and infallible. It never makes a mistake.