
Europe Caught in the Cookie Jar - voodoochilo
http://blogs.wsj.com/tech-europe/2012/05/25/europe-caught-with-its-hand-in-the-cookie-jar/?mod=WSJBlog
======
gcp
The articles calling this a "Europe" or "EU law" are disingenuous. The EU
issued a directive. It's up to the individual countries to implement the
directive. So here's what happened:

[http://www.dlapiper.com/files/Uploads/Documents/DLA_Piper%20...](http://www.dlapiper.com/files/Uploads/Documents/DLA_Piper%20_%20How_the_EU_has_implemented_the_new_law_on_cookies.pdf)

Quite a few countries chose an opt-out system, which appears to be workable.
Quite a few (most?) countries are still debating what to do or are
intentionally or unintentionally dragging their feet (this is very typical).

The UK _chose_ an extremely strict opt-in system, which is complete bullshit
and unworkable in practice.

Now, I know it's "de rigueur" for the UK to blame Europe each time something
bad happens, but in this case they only have their local government to blame.
So please, stop calling this a European problem and tell it like it is: it's a
_UK problem_ brought onto them by a stupid government. The sooner the people
of the UK realize they have their elected officials to blame, the sooner this
can get fixed.

~~~
ticks
As far as I understand it, the UK now allows an implied opt-in, so long as you
make it clear to the user that cookies are being used.

~~~
gcp
Do you have a reference for that? I don't see anything like it at the ICO
site.

~~~
ticks
Here are some selective quotes from the document; I take it to mean: tell the
user with a clear message at least once (ideally get them to click confirm but
it's not a requirement):

"In some circumstances those seeking consent might consider implied consent as
an option that was perhaps more practical than the explicit opt-in model...
For implied consent to work there must be some action taken by the consenting
individual from which their consent can be inferred... This might for example
be visiting a website, moving from one page to another or clicking on a
particular button... The key point, however, is that when taking this action
the individual has to have a reasonable understanding that by doing so they
are agreeing to cookies being set."

[http://www.ico.gov.uk/for_organisations/privacy_and_electron...](http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx)

------
junto
The UK has misunderstood the word "directive" for a considerable amount of
time. Maybe it was a translation problem, and it should be reworded to
"guidance", since the UK has a very bad habit of applying directives without
due consideration. The rest of Europe leaves such directives where they should
be, in a box marked, "Good but unworkable ideas. Please archive".

------
dandinu
This is Europe's way of trying to make users read the Terms & Conditions of
every website.

The intentions of the law are good, but I do not believe the approach is that
smart. They could have made the companies who own the websites place cookies
on the users' machines only after they have actually created an account... that
seems like consent to me.

------
TomGullen
Can someone explain to me why cookies are something that laws need to be
written up about? What's wrong with cookies? What's wrong with paranoid people
disabling cookies on their browser and then just granting access to the sites
if they need to?

~~~
zurn
The EU privacy legislation is supposed to prevent tracking of people without
their consent/knowledge. This is widely considered a worthy goal by consumers.

Fiddling with browser cookie settings is bad because it's opt-out instead of
opt-in; opt-out just doesn't work since users have to be technically clueful
and spend lots of time and effort on it. Compare to opt-in vs opt-out in email
spam.

edit: see
[http://en.wikipedia.org/wiki/Data_Protection_Directive#Princ...](http://en.wikipedia.org/wiki/Data_Protection_Directive#Principles)

~~~
TomGullen
Do cookies track 'people'?

Recently it was determined by courts that an IP address cannot be attributed
to a person (in regards to torrents). Why is it different for cookies?

~~~
zurn
The reliability standard for evidence in court cases is a bit higher than what
typical cookie applications require.

------
zurn
We can hope this will persuade some percentage of sites to abandon cookies,
even though the directive ended up pretty toothless.

