Does anyone know of a decent and up to date guide on what is/is not allowed? The official guidance is typically not much help and my searches reveal a lot of stuff out of date and other sites that are more interested in selling me cookie analysis - so I'm taking their advice with a grain of salt.
The interpretation of the law is up to the individual countries. I've only been watching what's been happening in the UK. Until last week the guidance from the Information Commissioner's Office has been 'you need explicit opt-in' if you want to set cookies that aren't vital to your site's work (for example, cookies set when a user is shopping and putting items into their cart are deemed vital, Google Analytics is not).
However, last week the ICO issued new guidance saying that implied consent is OK.
I would argue that analytics is vital - if you can't work out what your site is doing then you cannot work out how to improve the site, which costs money and indirectly jobs.
I look forward to each individual shop/business making us sign a waiver when we enter a shop with CCTV, i.e. 95% of UK shops.
So would a lot of people, but the official guidance makes it clear that they are not considered vital as far as these legal rules are concerned.
The "essential cookies are OK" criteria relate to the functionality the user has explicitly asked for, not to functionality that the site operator needs to run the site in a commercially viable fashion. Thus things like session cookies to record that you have logged in or what's in a shopping cart are OK, but things like analytics aren't allowed to piggy-back on top.
There seems to be some doubt about how seriously anyone in the UK is going to take these rules, though. Even the ICO can't get its opinion straight, and it's the government body responsible for enforcement. As I understand it, we're already taking this whole mess far more seriously than most countries in the EU, in that some web sites run by large organisations have made some effort to comply with the rules, while even that might not be true in most places that are theoretically affected.
Well, as someone who has been working on WWW-based systems since 1994 and on online systems for many years before, it's a pity they did not ask people actually working in the industry.
Ironically, Neelie Kroes, the EU's Digital Agenda Commissioner, now wants us to have mandatory electronic ID cards storing god only knows what information about us.
This is a far worse infringement of our rights than some aggressive retargeting as opposed to being asked "papers please" on the Eurostar.