99% of people have no clue what a "cookie" is used for and just hear that it is "evil" and such. At the same time, these same people have no problem exhibiting themselves on Facebook or tracking their positions on Foursquare.
@gov: Just make something like this (http://www.networkadvertising.org/ > "Consumer opt-out") legally binding for tracking networks (not for individual web sites!) and the whole "Cookie" paranoia is solved.
> 99% of people have no clue what a "cookie" is used for and just hear that it is "evil" and such.
99% of people also don't know how to evaluate the safety of a food additive.
Most don't even know proper food handling procedures and couldn't even evaluate the food safety procedures of their favorite restaurant's kitchen (assuming they even had the time to do so).
Hence, governmental regulatory bodies. You might not agree with the regulatory environment, or with the outcomes, but the regulatory position is logically consistent.
> At the same time, these same people have no problem exhibiting themselves on Facebook or tracking their positions on Foursquare.
Ignorance aside, people are quite often circumspect with what they share on social networking sites; they honestly have no idea the level of tracking and data sharing that occurs.
Even still, your statement is an unfounded generalization; there are clearly plenty of people that don't use Facebook (or Foursquare) and do have a problem "exhibiting" themselves.
> @gov: Just make something like this (http://www.networkadvertising.org/ > "Consumer opt-out") legally binding for tracking networks (not for individual web sites!) and the whole "Cookie" paranoia is solved.
As a consumer, I prefer opt-in for analytics, user tracking, and unsolicited spam.
I'm not sure your comparison with food safety is completely apt; this cookie law is the equivalent of being asked "Do you consent to the use of sodium benzoate in your food" before entering any restaurant. Most people will have no idea what to make of that, and will probably hate being asked every time.
It would be different if tracking was such a problem that it was outlawed all together (like dangerous food additives are), as that would be clear to everyone how to proceed.
The previous implementation of the law was opt-out. It didn't work, because most users were completely unaware they were being tracked.
The real saviour will likely come in the shape of browser support for Do Not Track [1]. While it's not fine-grained enough to be used as the sole mechanism for gaining user consent for all non-essential cookies, it at least covers the 3rd party tracking cookies that were the motivation behind this law change. Note that DNT specifies that the default MUST NOT be opt-in:
> A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default. It MUST NOT transmit OPT-IN without explicit user consent.
> It didn't work, because most users were completely unaware they were being tracked.
More like, most users just plain don't care. So now, the regulators respond with: "we don't care what your personal priorities are, we're going to force everyone you interact with to conform to our values rather than your own".
getting their informed consent isn't going to pose an issue at all. So there's no problem here, right?
Wrong.
First, you're forcing anyone with a web presence that currently has cookies (and that's probably most of us) to spend time and developer resources addressing this -- time that we could spend really servicing our customers.
Second, you're still not going to get their informed consent. What makes you think that somebody's going to actually read the site's warning (assuming that there is one, and that it's written well enough to be comprehensible)? If they don't already care enough about web privacy issues, they're not going to take the time to read about them now.
Third, the regulation completely forbids a potential business model built around targeted advertising. There's nothing fundamentally wrong with that business model. It may be distasteful to someone sharing your values, but there are certainly a lot of people who don't care (and there's no fundamental reason that they ought to care). You're preventing people from doing business one way not because it's wrong, but simply because you find it distasteful.
> First, you're forcing anyone with a web presence that currently has cookies (and that's probably most of us) to spend time and developer resources addressing this -- time that we could spend really servicing our customers.
I don't accept your premise that "most of us" are using cookies.
In any case, many sites don't need cookies or similar technologies at all, and most of those that do only need them for session data like whether a user is logged in or what is in their shopping cart. Such use is exempt from these new regulations anyway.
I find it interesting that you have such a strong view about regulations that require some trivial effort on the part of legitimate businesses, while at the same time having no problem with a business model that is fundamentally built on harassing all users and making their browsing experience worse. How is your position not hypocritical?
> You're preventing people from doing business one way not because it's wrong, but simply because you find it distasteful.
While you, on the other hand, are suggesting there is nothing wrong with a business model based on practices that consumers widely dislike but currently cannot do anything about.
The reason we have consumer protection laws is precisely so consumers win and abusive businesses lose in this sort of situation, and while I question the details of these new regulations, I see nothing wrong with the principle behind them.
> What makes you think that somebody's going to actually read the site's warning (...)? If they don't already care enough about web privacy issues, they're not going to take the time to read about them now.
If what you say is correct (that users don't care), they'll just click on Accept, right? And you have their consent. You've given them the option to make an informed choice. Your duty has been performed.
> Third, the regulation completely forbids a potential business model built around targeted advertising.
It forbids potential business models built around targeted advertising not based on visitor knowledge and consent (so it forbids business models that wilfully violate the privacy of site visitors without their knowledge, and without their consent). Again, if users don't care (as you point out), the gaining of consent isn't going to be an issue, so these business models will retain their viability.
So given your statement that users don't care about third party tracking or profiling, none of what you outline are really issues.
Along with the NAI check out what the newly formed Digital Advertising Alliance (http://www.aboutads.info/) is doing. Peter Kosmala, formerly from the NAI, was just appointed its head -- I would expect to hear more from this group soon.
Edit: The problem with both of these programs are that they are self-regulatory, which means only the "good guys" are going to follow the guidelines.
In their privacy policy they list the cookie that 'Is essential for their site to function'
"Essential site cookie|ASP.NET_SessionId|This cookie is essential for the online notification form to operate and is set upon your arrival to the ICO site. This cookie is deleted when you close your browser."
They also say that they've left it there because: "as we’re unable to remove it from one part of the site without affecting another"
So apparently incompetence is an excuse for leaving cookies in place. Problem solved!
Does ASP.Net depend on it for some reason? I used to do some work in Java Server Pages, and in JSF we were stuck with something called viewstate, which was kept either as a blob in the page or as a reference in the page to a blob stored on the server. Technically not a cookie, but for all intents and purposes the same as a cookie that gets deleted when the browser is closed.
Blocking the cookie lets me view a few pages of the site perfectly fine. I guess the session is required in one small part of the site and it wasn't easy for the developers to make the site only set the cookie in that place.
It's a common industry pattern to overdo things and then get regulated.
Take e.g. German gas stations: they went from adjusting their prices occasionally (e.g. when the oil price changed) to price changes several times per day in order to gouge the most out of the customers. Now, they will get regulated and only be allowed to change their price once per day... they basically asked for it.
Same for international roaming fees in Europe, from insane to regulated..
Cookies were used to track people's shopping carts and that was fine, same for a site to recognize you. Nowadays they are used to identify and track you in global ad networks etc.. again, asking for it..
> Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site - at which time they’re informed that the cookie has been set - and is deleted when a user leaves the site.
I'm fairly sure the advice from the ICO that I read earlier was quite blunt about cookies that were not strictly necessary: you can't set them without consent just for your own convenience.
There is a silly box at the top of their page that asks you to accept cookies and tells you off if you click "Continue" without doing so, which seems entirely contrary to the principle of this new law to me, before you even get to this mysterious cookie they apparently set anyway.
The important bit is "but is essential for part of the site to operate." To me, that clearly falls under the "strictly necessary" banner, albeit that it probably shouldn't be set until you enter the part of the site that requires it.
Government IT moves at a glacial pace, and just like everyone else they're still trying to figure out how this stuff should work. That's why they've deferred enforcement for a year.
> The important bit is "but is essential for part of the site to operate." To me, that clearly falls under the "strictly necessary" banner
They say that, but it is easily demonstrable that running a web site providing static content such as they do does not require the use of any cookies or similar technology at all to provide the service the user is requesting: millions of web sites manage it every day. As you say, if only part of their site requires the cookie for some genuine reason, perhaps they should only set it there. In any case, there is really no excuse for not explaining properly what the cookie is for or for cluttering up the screens of visitors who don't check your "do whatever you want" button just to make the extra panel go away.
Bottom line: the exemption is not for cookies that are required because you hired poorly trained web developers or picked an inconvenient tool somewhere on your hosting platform. It's for cookies that are essential to providing the service that visitors are expecting. The ICO themselves have been very clear on this in the guidance they published in the run up to the handover, and their own site is flagrantly violating at least the spirit of the rule if not the letter of the law -- which AIUI they have responsibility for interpreting in the UK, so if they can't get it right, what hope is there for anyone else?
Unfortunately this is another case of throwing the baby out with the bathwater, and incidentally not really solving the problem.
Firstly there are various kinds of cookies. There are ones that are stored on your hard-disk, and others which exist only in memory (for the life of the browser instance.)
There are ones used for marketing and tracking purposes, and others (notably session cookies) that allow the server to track the "state" - thus allowing for "web apps" as much as web-pages.
So their idea is to just "ban cookies". Or, as they have done, get all sites to have a "allow cookies" switch. Don't turn that on? well then you can't use any part of the site.
And if you do turn it on, it's "all or nothing" - I can't allow say _just_ the session cookie, while banning the tracking cookies?
As to the possibility of enforcing this? Let's not even go there...
What other option is there? To mandate browser source code that implements cookies in a lawful way?
And where is the broad coalition of "don't be evil" browser vendors and websites that proudly claims "we don't track you" and that would have made such laws unnecessary?
Unfortunately this is not just a UK thing. Every EU country is forced to do this.
A similar law was passed in Sweden just the other week and will come into effect on July 1, despite heavy criticism from pretty much everyone.
So how could they pass such a law? It's from an EU directive, more specifically 2009/136/EC [1]. A directive is something that every member state is _required_ to implement into national law, whether they like it or not. AFAIK every member state is supposed to have implemented this by now. Sigh.
Couldn't a site just declare a single session ID as essential, and store everything else server side? Or is the problem that you usually don't keep server side session data indefinitely? I suppose you couldn't use client side JavaScript on your cookies in that case either.
Third paragraph: "These changes apply to storage or gaining access to information stored, in the device of a subscriber or user. This means the use of cookies and similar technologies for storing information."
Fifth paragraph: "The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as "Flash Cookies")."
This is exactly why we are currently cutting back on bloated Government departments in the UK. I can see this being repealed in 12 months, it's a ridiculous, unenforceable law.
It depends on when you set it and why. If you just set it as soon as anyone visits your site, and there is no essential reason for you doing that for the site to work, then you are breaking the law.
If you only set it when somebody logs in to your site, to maintain a logged in session, then it will be fine.
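The distinction drawn above (a session cookie issued on arrival versus one issued only when a login actually creates server-side state) as an added, constructed example; it is not code from the thread or from the ICO site, and the handler shape, `sid` cookie name and demo credentials are assumptions for illustration:

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory stores for this example only.
SESSIONS = {}                       # session id -> server-side session state
USERS = {"alice": "correct horse"}  # demo credentials, constructed
COOKIE_NAME = "sid"                 # assumed cookie name

def _parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header or "")
    return {k: m.value for k, m in jar.items()}

def _new_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid

def _cookie_header(sid):
    # No Expires/Max-Age: a true session cookie, gone when the browser closes.
    return ("Set-Cookie", f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax")

def handle_eager(method, path, cookie_header="", form=None):
    """'Before': every visitor gets a session cookie on arrival, needed or not."""
    cookies = _parse_cookies(cookie_header)
    headers = []
    if cookies.get(COOKIE_NAME) not in SESSIONS:
        headers.append(_cookie_header(_new_session(None)))
    return 200, headers, f"page {path}"

def handle_lazy(method, path, cookie_header="", form=None):
    """'After': public pages set nothing; the cookie appears only once a login needs it."""
    cookies = _parse_cookies(cookie_header)
    session = SESSIONS.get(cookies.get(COOKIE_NAME, ""))
    if method == "POST" and path == "/login":
        form = form or {}
        if USERS.get(form.get("user")) == form.get("password"):
            sid = _new_session(form["user"])
            return 303, [_cookie_header(sid), ("Location", "/account")], ""
        return 401, [], "bad credentials"
    if path == "/account":
        if session is None:
            return 401, [], "login required"
        return 200, [], f"account of {session['user']}"
    return 200, [], f"page {path}"  # static content: no Set-Cookie at all

def sets_cookie(headers):
    """True if a response would store anything on the visitor's device."""
    return any(name.lower() == "set-cookie" for name, _ in headers)
```

Running both handlers over the same request sequence shows which responses write to the visitor's device before any consent-relevant action has taken place.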
The Internet is a really big part of our current society; the concern of a lot of people. You'd expect that the advisory board of decision-makers of such important things would consist of the smartest and most knowledgeable persons available - the persons who invented the web, the persons who are making it work and who are taking it forward.
I haven't done any research. Does anyone know who gives these guys advice?
"unless the cookie is strictly necessary to provide a service requested by the user"
Isn't this open to some interpretation? Seems like a pretty wide loophole. Seems that this will allow a site to set/read its own cookies no problem. Third-party ad-networks and trackers though, yeah, they would not fall within this definition I think. And isn't that a good thing?
IMO, the 'service requested by the user' is to deliver the website, and all that the 'website' entails.
One might also say that cookies are never strictly necessary. We can always just put tracking IDs in the URL. And when browsers get rid of URL bars, it'll be harder for people to copy/paste the URL (with session ID) so the 'security' aspect against that argument will fall on deaf ears ("I can't see the problem you're talking about, so it's not real").
So? All those websites have to do is ask permission from the site visitor to track them. Rather than tracking them without their consent...
And if people don't want to be tracked, and the site loses out by not tracking them, so be it... That is a better situation than somebody being tracked without their knowledge/consent.
Unfortunately, that's not the regular clueless legislator.
That's an example of the shift of power happening in the web.
Remember when you started using Firefox because of all the options and "about:config"?
Now, remember how you ditched it for Chrome, but have to start Firefox to be able to use crazedlist.org because to disable cross-site referrer on Chrome you have to recompile it? (they even removed the command line option!)
In a few Chrome versions (which happens every 15 min), I doubt you will be able to disable cookies.
FWIW, on Firefox I use the refcontrol addon, and I've not experienced any problems yet. If the referer domain is different to the domain of the request, it modifies the referer to be the root of the site being requested.
Also, remember the old Firefox motto? "Take back the web"?
It's just changed to "Made to make the Web a better place."... can it get more Orwellian? :D
Give me back my browser control, and stop hiding my URL bar, dammit! ...they start removing the protocol, nobody bothers. ha http, who cares? Then move a little to the side, 'to align with the tab'. Then will make it autohide. And before you notice the only way to go to a page is to use AOL^H^H^H GOOGLE KEYWORDS.