

Consent will be required for cookies in Europe - dmytton
http://www.out-law.com//default.aspx?page=10510

======
alecco
I'm mostly against top-down regulations like this. They rarely solve the
problem and make other problems.

But HTTP cookies are a horrible hack mostly created to by-pass the problems of
stateful sessions with a stateless protocol. HTTP needs fixing or perhaps
something on top of it. The current state is a disgrace.

It's not OK advertising groups track people's internet use around the world
with 1x1 pixels and all those tricks. And never mind the evil Adobe tracking
people with Flash, those are even worse and much harder to delete from your
computer.

There are just too many poorly implemented web services using ridiculous
amounts of large cookies. People run into problems because of the 8KB HTTP
header limits in Apache and 16KB in IIS. Also I've worked for a large dotcom
using multiple J2EE technologies running out of cookies in IE6/7 (20 max) and
losing sales as people couldn't add a check-out/basket cookie.

Programming a cookie-based website preventing session hijacking is quite hard
and even major sites had issues. How can you expect people less competents
like mom-and-pops shops and banks to be secure?

This problem needs a proper solution from standards and browser vendors.

[http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookie...](http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies)

------
jacquesm
That's one law I will simply be breaking. If the powers that be want to take
me to court for it then yes, please. Let's get it over with.

I also wonder if this law as it is written right now goes for sites hosted in
the EU or for sites that are visited by EU citizens (which would have much
further reaching consequences).

~~~
electromagnetic
Laws cannot extend beyond physical territory. All sites hosted on European
servers have to comply; EU laws do not extend to any sites hosted on foreign
servers.

~~~
dchest
This is not true. Example: you have to collect and transfer to EU tax
authorities VAT for downloadable goods sold to customers located in the EU if
you're not located in EU. If you don't, you can't sell to EU customers. This
is ridiculous, but I guess, they can "force" you to block EU users from
accessing your website.

I'm not sure how this is actually enforceable, but I think you'll have
problems with EU (for example, if you decide to go to Europe for holidays) for
not complying with their rules. Which is sad.

~~~
jacquesm
Do you have any citation for that ? It is completely contrary with what I know
of EU tax law.

An EU citizen buying abroad is responsible for paying the VAT (usually to
customs), not the merchant, and if it is 'downloadable' then VAT only applies
if the merchant is european.

~~~
dchest
The law is active since July 2003. There were a lot of buzz among e-commerce
companies and shareware developers about it.

 _The changes eliminate an existing competitive distortion by obliging non-EU
suppliers to charge VAT as EU suppliers when they are providing electronic
services to EU non taxable persons, something which EU businesses had been
actively seeking for some time._

[http://ec.europa.eu/taxation_customs/taxation/vat/traders/e-...](http://ec.europa.eu/taxation_customs/taxation/vat/traders/e-commerce/index_en.htm)
(official website)

Article:

<http://www.internetnews.com/ec-news/article.php/2194111>

Also:

<http://www.avangate.com/articles/software-vat-123.htm>

 _Private customers (consumers) in EU countries must be charged VAT for
electronically supplied services and products, both by EU and non-EU
providers.

...

Non-EU companies that trade with European consumers (private customers) need
to register and account for VAT._

------
bullseye
This is so absurd. I couldn't help but think that this would have made a good
Onion article.

------
eagleal
I'm in European territory. For general purpose and informative sites, like a
personal site, this makes no sense.

But, when you're talking about stores, web applications, entire online
platforms (including advertising ones), I think you _have_ to ask user
permission to do whatever with user's data. I guess this is why EC decided to
ask for opt-in.

Many sites, including Google, Facebook, Wikipedia, require registration, and
you have to agree with the TOU and Privacy Policy, where usually they place
the cookies TOU and policy.

How do they enforce this? I guess browsers with extensions like Firefox (eg.
CS lite) would be advantaged. I remember only Chrome and Firefox with
extensions and Opera's widgets.

EDIT: (some conspiracy) could this be a move against IE? (ActiveX is
discouraged)

------
chaosprophet
This looks like Vista UAC meeting the interwebs. Annoying as hell and probably
extremely damaging to datacenter operations in the EU.

------
ugh
Honest question: Can somebody explain to me why this is a bad thing? Ads can
be served without cookies, right? Sure, (behavioural) targeting would break,
but is that really a problem?

~~~
mrshoe
Cookies are by far the most prevalent system for identifying which user made a
given web request. This isn't just about advertising. Pretty much every site
that supports "logging in" (including HN), and many sites that don't, use
cookies to track user sessions.

~~~
dschobel
How is that not covered by the following provision to the law?

 _An exception exists where the cookie is "strictly necessary" for the
provision of a service "explicitly requested" by the user_

~~~
slapshot
Have you ever seen two lawyer argue over what "strictly necessary" means? One
would claim that ad serving cookies are always "strictly necessary" to an
online business, the other would argue that cookies are never "strictly
necessary" because you can replicate most cookie functionality with a
"?sessionid=12354" header in a GET request.

~~~
pbhjpbhj
Indeed "strictly necessary" to achieve what? If it doesn't tell you then that
leaves a hole the size of reality in the law through which many truckloads of
lawyers salary can pass.

Strange how all those lawyers aiding the writing of the law would miss such a
thing ...!?!

