
Spain begins disciplinary proceedings against site for violating Cookie Law - martinml
http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.pabloburgueno.com%2F2013%2F08%2Fsancion-por-incumplir-la-ley-de-cookies%2F&act=url
======
martinml
Sorry for submitting a Google Translate link. It's not doing a perfect job on
a legal text but I didn't find any source in English. This is a blogpost of
the lawyer taking this case, and the client name is unknown yet.

Here's my summary of some facts (IANAL!):

- The cookies being investigated are from Google Analytics, Google Maps,
YouTube, Adsense and WordPress.

- The website was setting the cookies in the browser _and then_ showing a
popup warning the user that the site used cookies and that if they didn't want
them they could delete them.

- The AEPD is a governmental organization which watches over personal data
and privacy infringements. If a company infringes your rights as a citizen,
you submit a complaint to the AEPD, and they can investigate and fine if
necessary.

- The AEPD states that the fine is imposed because the website should not set
any cookies _until the user had accepted the warning_.

- The Spanish law being used here is RD 12/2012, which was created using the
2009/136/CE EU Directive as its framework.

- The fine is still not final. They can still present allegations.

~~~
ealexhudson
This is one of the most stupid and anti-user laws on the books. Worse, it's
probably the only law I've ever seen have an instant and devastating effect on
the UX of a swathe of websites.

Hopefully they are going to start suing people regularly (unlike the inaction
being taken in the UK) so that business wakes up to this stupid law and
finally gets it repealed, the sooner the better.

~~~
malandrew
The best balance would be to present the user with a page that lists all the
things the site would like to track and let the user opt out of anything they
don't want tracked.

Some people may value a "degraded" experience over being tracked.

I put "degraded" in quotes because it's often a degraded experience for the
company's profits not the end-user.

Please, give us some examples of how this is "devastating" for the UX of a
swathe of websites.

~~~
claudius
> The best balance would be to present the user with a page that lists all the
> things the site would like to track and let the user opt _in to any way in
> which they would like to be tracked_.

FTFY.

~~~
dasil003
That's not a balance. That makes the cookies effectively unusable since 99% of
people stick with defaults, and even more so in this case because they'll see
the boilerplate so often that a spinal reflex will kick in before they even
see the box with their conscious brain. This will, in turn, force all websites
to force users to accept the tracking in order to use the service.

~~~
malandrew
Ok, better option.

Give the user four big buttons.

(1) "Deselect all tracking options. I will choose the ones I want"

(2) "Select all tracking optimal user experience, but don't opt me into
additional tracking metrics for your use"

(3) "Opt me into all tracking options, both those for an optimal user
experience and ones that help you improve the service."

(4) "Give me the most commonly selected options by previously registered
users"

(1) is privacy mode. (2) is privacy mode with some concessions for optimal
experience. (3) is okay I'll help you guys out. and (4) is I trust the wisdom
of the crowds.

------
nolanl
The last place I worked was a Swiss organization that built web sites for the
European Commission. Dealing with the EU cookies directive was an amazing
waste of brain cells for everyone on the team.

For instance, were we allowed to ignore it because we were Swiss (non-EU)? If
not, which version of the law were we required to comply with? For instance,
the UK implementation of the law says that you can assume "implied" consent if
the user ignores your popup altogether. However, the Dutch version of the law
is much stricter - the user must click "I accept" before you can save any
cookies. And the French version of the law allows for lots of exceptions, e.g.
for setting the user's preferred language.

Plus, we needed a cookie just to store whether or not the user clicked "yes"
or "no," so in effect we were forced to break the law no matter what we did.
(The only alternative would be to show the "no" users the popup every time
they came back to the site, since we were supposed to forget that they had
even clicked "no"...)

So all in all, it was a huge mess. In the end we just copy-pasted a JQuery
plugin from GitHub and chose the strictest setting. Now our site is uglier,
it's more confusing to users, and we still have to cross our fingers that we
didn't miss a corner case in Bulgaria or something.

~~~
gcb0
> Plus, we needed a cookie just to store whether or not the user clicked "yes"
> or "no," so in effect we were forced to break the law no matter what we did.

This means you didn't waste too many brain cells after all.

If user clicks no, you either show it every time, or set a session cookie,
which is not supposed to be saved on disk per the specs. If the browser decides
to save it on disk, it's their problem.

But if you set a no cookie, then it's the typical government contractor. Going
the extra mile to bill for the law, but completely ignoring the law's purpose
and benefits.

------
notatoad
Has there been any work done at all to standardize this process and allow
users to opt-in to cookies at a browser level, so that we can all stop seeing
this stupid warning? Would that even be allowed under the law?

I tried to download a Firefox extension called "cookiesOK", but it doesn't
seem to work in most cases.

~~~
ensmotko
The problem is that every site owner displays a slightly different popup. A
few of my friends were trying to build a Chrome extension[1], but they soon
figured out they are going to need custom JavaScript for every site in
Slovenia (and others of course, but they were focusing on Slovenia) and they
abandoned the project.

Personally I believe the EU should target browsers not site owners for this. At
least by doing so we would get a standardized UI and the ability to opt-in or
out.

[1] https://chrome.google.com/webstore/detail/peeshkot/idfkeeahcifaocjonphgjmpmmfonahle?hl=en

~~~
AJ007
One would assume that the act of visiting a web site, from a personally
identifiable IP address, using a web browser that accepts cookies is an act of
consent to receive those cookies. The behavior is both expected, avoidable,
and blockable.

This approach -- either by law, or by some "do not track" flag broadcast to
web sites is the equivalent of walking through a busy city with hundred dollar
bills hanging out of your pocket, with a sign hanging around your neck
requesting that no one takes your money -- all when a simple wallet in your
pocket would be adequate.

There are serious privacy issues when it comes to the internet and tracking.
The "solutions" we've seen targeting cookies in both the US & EU would be
laughable if they did not threaten to add considerable legal obligations over
even the most casual of web site owners.

~~~
icebraining
Expected? By whom? Technologists like us, yes, but not many of the general
public. Walking around with $100s is a false analogy; accepting tracking
cookies is completely invisible to the user. Furthermore, even if one _does_
walk with $100s, theft is still illegal.

------
ogig
Mentioned in the article: Spanish businesses using Facebook pages could be non
compliant with this law. Same with others using WordPress, Blogger, Tumblr and
so on since tracking cookies are being installed without a previous user
acceptance. Also note that the business is liable for this, not the hosting
service provider.

I wonder how far hosting provider definition goes. If Twitter is used in a
company marketing strats, is it liable for the cookies installed by Twitter? I
don't see it different from the Facebook pages cited example.

The only practical option given this is to stop using those providers.

------
vklj
Actually, most warning implementations punish those users that disable cookies
in their browsers by forcing them to see the obnoxious warning every time they
visit the site.

This is arguably worse than the previous situation.

~~~
mindstab
... This isn't some "punishment" this is how the internet works. If you opt
out of being tracked and cookies... how would that be remembered? That is
really a sign it's working. This is part of why this is such an amazingly
defective law

~~~
pgeorgi
Some pages (e.g. all that use the consent.truste.com script) use localStorage
to store the decision. That way the decision remains client-side and can still
be persistent by hiding the question via JavaScript.

~~~
notok22
This law applies to any kind of "data" stored on the client, so using
localStorage to store the user's answer would be breaking the law.
http://www.cookiepedia.co.uk/eu-cookie-law

~~~
pgeorgi
I don't remember the specifics. They could add a checkbox "store this decision
locally", which would allow storing this single information - and localStorage
is the best place to put it (unlike cookies).
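
An added example, not part of the thread or of any commenter's code: a JavaScript consent gate that follows the ordering in the summary at the top (no third-party script runs until the user accepts) and only persists the answer when the user ticks the "store this decision locally" checkbox suggested above. All names (`createConsentGate`, `KEY`, `memoryStore`) are hypothetical, and whether persisting the answer satisfies a given national implementation is a legal question the code does not settle.

```javascript
const KEY = "cookie_consent"; // assumed storage key, not taken from any real library

// Constructed stand-in for the Web Storage interface (localStorage or
// sessionStorage in a browser) so the example also runs outside one.
function memoryStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// trackers: functions that inject third-party scripts (analytics, embeds, ads).
// store: where a remembered decision lives; nothing is written before the
// user answers, and nothing at all unless they ask for it to be remembered.
function createConsentGate({ trackers, store }) {
  let decision = null; // "accept" | "reject" | null (not answered yet)
  let loaded = false;

  function runTrackers() {
    if (loaded) return; // never inject the same scripts twice
    loaded = true;
    trackers.forEach((load) => load());
  }

  return {
    // Call on page load. Returns true when the banner must be shown.
    init() {
      const saved = store.getItem(KEY);
      // Anything other than the two known values counts as "not answered".
      if (saved === "accept" || saved === "reject") decision = saved;
      if (decision === "accept") runTrackers();
      return decision === null;
    },
    // Call from the banner buttons. `remember` reflects the user's explicit
    // "store this decision locally" checkbox.
    decide(choice, remember) {
      if (choice !== "accept" && choice !== "reject") {
        throw new TypeError("choice must be 'accept' or 'reject'");
      }
      decision = choice;
      if (remember) store.setItem(KEY, choice);
      if (choice === "accept") runTrackers();
    },
    state: () => ({ decision, loaded }),
  };
}
```

In a browser, pass `sessionStorage` or `localStorage` as `store`; a "reject" that is not remembered brings the banner back on the next page load, which is the behaviour several comments in this thread complain about.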

------
lifeisstillgood
I am surprised - isn't this what we want? Instead of secrecy, governments warn
_everyone_ they are being tracked online. And we moan about it. It wrecks the
UI, it is annoying. Folks - this is the Snowden debate, but without the
security services.

Yes they should have got into the RFC / IEEE debates (which are fast becoming
laws of their own), yes they should be doing it better. Yes they should stop
monitoring everyone.

But they are at least starting the debate. And not on an obscure tech forum,
or in dusty volumes of proceedings, but right there, in everyone's face.

And until we find a way to make privacy and surveillance and technology
triggers in every politician's Skinner box, then it's probably the best start
we can get.

~~~
AJ007
Not even close. These solutions we have seen, both legal and from the browser
level, are the equivalent of walking around nude in a busy city with a sign
hanging around your neck saying "Please no photos." (I gave a slightly
different analogy in another comment.)

A browser "do not track" request presents absolutely no true privacy, nor does
fining forcing all web sites to implement custom pop ups which block site
usage if the visitor doesn't agree.

These solutions are stupid, the things they claim to accomplish are already
possible by the user's own choice, if someone could be bothered to tell them
how to do it.

If these political entities really cared about privacy here are some of the
things they would be doing:

a) blocking foreign intelligence agencies from openly monitoring all internet
traffic in their country (and I don't just mean the NSA)

b) pass laws radically reducing or eliminating ISP logs rather than
increasing them

c) investigate private companies engaged in mass-surveillance that also use
cookie-less tracking techniques. (Facebook mass facial recognition, several
nameless companies claiming to prevent ecommerce fraud, etc)

e) spend money educating the public about simple, free, existing techniques to
ensure their personal privacy

What you are witnessing in regards to cookies is a hoax, meant only to
distract from the real issues.

~~~
lifeisstillgood
> if someone could be bothered to tell them how to do it.

It's been clear and simple how to turn off cookies. But the silver haired old
grandmother simply does not read those sort of instructions. That kind of
knowledge comes from osmosis, from the surrounding culture.

We want to avoid 150 years of pollution before the digital equivalent of the
EPA or the Clean Air Act. We want to get the surrounding culture focused on
what is tracked and trackable. Snowden has massively moved this on, but
putting a web page in front of everyone is also moving it on.

There are no reasonable regulatory fixes to NSA/GCHQ/Russia/China, that are
not supported and demanded by a sizeable majority of people.

Not sure how to get there, but claiming this is a hoax is a little unfair.

------
scrrr
Is there an open source JavaScript snippet somewhere that I can put on my page
and it shows a pop up prompting users to accept cookies?

~~~
stingraycharles
There are several, with http://www.civicuk.com/cookie-law/index and
http://silktide.com/cookieconsent being the most popular afaik.

------
devx
Does this impact only sites hosted in EU? Or with a domain from an EU country?

~~~
albertoperdomo
The actual implementation of the laws depends on the countries, but they are
based on the same EU directive.

AFAIK this applies to companies registered in those countries, or with an
office there or targeting the market in those countries.

So, to make things more difficult, the German law implementation might be
different from the Spanish implementation. If you are targeting both markets,
you'd need to pay close attention to both.

------
terhechte
Is this message only required on commercial sites? Or do I need to display the
cookie UI whenever I have any kind of HTML on the web that uses Google
Analytics (i.e. cookies)?

------
ripberge
Yikes. I'm generally in favor of web privacy, but with unemployment numbers
like theirs, that seems like the last thing Spain needs right now.

~~~
albertoperdomo
I'm from Spain and I've been running a webdev shop for 6 years now.

Things are getting worse here and the government if anything is actually just
making things more difficult for everyone.

I agree with those trying to protect their privacy but for the sake of
practicality they should look for a pragmatic approach.

BTW, making individuals and companies responsible for tracking cookies
installed by third party platforms like Facebook, Tumblr, etc. because of this
law doesn't really help us being more competitive either [sarcasm sign].

~~~
lingben
Can you please explain a little bit more about this cookie law? The only one I
heard about was the UK cookie law and it was abandoned months ago.

Which websites does it apply to? Websites hosted in Spain? Websites of
commercial businesses operating in Spain? Any website with an address in
Spain?

~~~
paradoja
I'm not him, but I can try to answer you.

It applies to any businesses, professionals with a web page, and anyone who
offers a service as long as they a) are located in Spain, b) target their
services to the Spanish market or c) if they have a (permanent or regular)
workplace or facilities in Spain.

(It's a translation from Spanish legalese, so probably the language is
muddled, sorry.)

~~~
lingben
Thanks. So by condition b that includes almost anyone on the internet!

~~~
paradoja
It seems so, but I guess it'll be difficult to fine businesses without
presence in Spain.

------
Kiro
So if I'm outside of Spain I don't need to care about this?

~~~
camus
If you are doing business anywhere in Europe you should.

~~~
Kiro
Care to elaborate? I thought the Cookie Law was dead.

------
joyinsky
Don't they have anything more important to do? Like, e.g. (creating the 6M jobs
they desperately need)

------
smoyer
My web-sites will say - "This site uses cookies ... If you agree, please
leave."

------
Uchikoma
How does one store that a user opted out of cookies?

------
adcuz
This is a shambles.

