[alanctgardner2]

> the type of cookies

The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.

> The ICO considers that due to having had explicit consent on their site for a number of months, and due to the information generally available on their site, it was ok to switch to an implied consent approach

Why is there a temporal component ( a couple of months ), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.

> it is not guaranteed that an implied consent will be appropriate

I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.

> I appreciate that this creates ambiguity

I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.

[Nursie]

"I don't understand how you decide between good and evil cookies."

It's all in the intended use.

Good cookies: Session cookies for ecommerce and other transactional style web interaction

Bad cookies: Advertisers tracking cookies that track users across multiple sites without their knowledge or consent.

See?

[mryan]

How about "session cookies for ecommerce and other transactional style web interaction, that track users across multiple sites without their knowledge or consent"? Are these good or bad?

We can decide on a case by case basis whether any particular use of cookies is good or bad, but coming up with a generic rule to do so is fraught with difficulties.

[Nursie]

Well those would be bad, as they've clearly strayed well beyond necessary use of cookies as a mechanic of the website operating and into tracking people without their knowledge or consent.

What about "Tracking people without their knowledge or consent" being A Bad Thing is hard to understand?

The original poster said " in certain cases, implied consent would be appropriate and this is judged on the basis of the type of cookies that a site is looking to set". Your example clearly goes beyond.

[delinka]

"...necessary use of cookies as a mechanic of the website [operation]..."

My shopping cart cookie that tracks you across multiple websites is necessary because it keeps my prices lower than my competition giving me the competitive advantage and my customers a better price on the things they want.

Your turn.

[Nursie]

Nope, you're still tracking someone without their consent, your reason is nothing to do with the technical operation of your website.

Keep trying though, this is entertaining.

[im3w1l]

By tracking the user across many websites we can give personal recommendations of new products the user might like based on their surfing habits. For instance depression is correlated with erratic surfing behaviour. By making use of these types of relationships we can offer our customers what they need when they need it.

Another good feature is what we call multisite one-click shopping. Having to enter address, credit number, cvc etc on lots of websites is daunting for the customer and can hurt conversions.

/s

[grabeh]

> The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.

Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user.

> Why is there a temporal component ( a couple of months ), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.

Of course there will be new visitors who will have no idea about the opt-in approach previously taken by the ICO. You are quite right to identify that to those users, the previous opt-in approach was irrelevant. Rather than focusing on individual users, to me, the ICO's approach is to identify what steps a site is taking to educate its users in general.

In reality, I'm sure a large proportion of users will click whatever box they are told to if it means they can access a site or remove a banner but that doesn't mean that a site should be excused of its obligation to at least provide information to those users who may want to learn more about the cookies being set.

In terms of content, I should have been clearer, I meant content providing clear information on the types of cookies being set.

> I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.

Yes, any law should provide clear limits to its effect to people can know when they are breaking it. From what I have read, the ICO is likely to adopt a consultative approach to enforcement in terms of letting a site know that they consider that the site could do more to educate its users as to the cookies that are being set when a user visits. By information, I mean relevant information in the form of a policy clearly explaining to users the cookies that will be set when a user visits the site.

> I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.

Heh, no, I did not create this law. I agree that ambiguity is bad, and that responsible businesses who sought to implement solutions before the ICO's u-turn on implied consent last May have incurred expenses unnecessarily which is not how laws are meant to operate.

The elephant in the room is that in certain quarters, the UK's approach to interpretation/enforcement falls short of that required to comply with the terms of the Directive. Whilst this may be the case, I'm sure sites would prefer to be subject to the ICO's softer approach at this stage than have to implement a full opt-in and be subject to harsh enforcement.

Your proposal might make a degree of sense - however, a trade mark owner's rights would generally not be revoked for lack of enforcement. A grant of trade mark rights as you mention would be subject to an implied licence which Disney could arguably revoke at any time. At worst, if they did not take action against an unlicensed use, they could be deemed to have acquiesced in the usage, and be prevented from taking enforcement action subsequently. This may be a more appropriate analogy than simply having the underlying rights (mark or legislation) removed.

I'm not particularly positive about the law itself and acknowledge that it is adding confusion and additional costs to businesses in terms of compliance. My only concern is that posts like the Silktide one are unnecessarily bias against the law and are essentially just preaching to the converted (developers/IT professionals etc are aware of how cookies work and what purposes they achieve).

The position I laid out above is only really my interpretation of the ICO's current stance. Although completely anecdotally, only last week, some colleagues who I would consider to be your average internet user were commenting on how weird it was that adverts in relation to sites that they had previously visited were appearing on other sites. If the cookie law means even a small proportion of users are educated about cookies, I think this is a good thing.

[gavinlynch]

>>> "Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user."

And the arbitrator of this decision is: Some lawyer? This is why this entire law is so fantastically absurd.

[grabeh]

Technically under the directive, any storage of information on the user's system should have the full consent of the user, with the exception of information which is strictly necessary for the functioning of the service requested by the user (see 2009 amendment to the original directive[1]).

Consequently, it's not necessarily at the determination of a lawyer, but I think the ICO has acknowledged that this is a difficult proposition so is taking a softer approach to enforcement.

At the very least the distinction could very easily be drawn between cookies which facilitate the sharing of information on the user's usage of multiple sites, to cookies which deal solely with the user's usage of the site where the cookie is set.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...

[darkarmani]

> Technically under the directive, any storage of information on the user's system should have the full consent of the user

Isn't consent assumed by the fact that they've configured their browser to accept cookies?

[grabeh]

No, consent is not assumed. From my understanding, most browsers are generally set up to accept cookies automatically. If it was the other way round, and users had to physically change their settings, this could be an appropriate opt-in.

The E-Privacy Directive specifically contemplates browser solutions as being a potential solution, however, I understand that at this stage, there isn't an acceptable implementation.

If for example a browser on first load asked what I wanted to do with cookies during that session, that might be acceptable.

I suspect browser makes are hesitant to work towards a solution because it would obviously be a blanket policy when it may be more appropriate for a more nuanced one dependent on each each site's cookie usage.

You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.

[darkarmani]

> You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.

Can't one argue the same thing for setting up your website to be compliant with this law?

The fact that the easy and free solution is to just tell users to turn off all cookies in their browsers makes any laws of this type a waste.