

The cookie law is dead, you’re welcome - silktide
http://blog.silktide.com/2012/09/the-cookie-law-is-dead-youre-welcome/
Last week we laid down a bitter ultimatum to the guardians of the cookie law: Go Ahead And Sue Us.
We stripped our sites bare of cookie warnings and begged them to do their worst.
======
gioele
To all the people bashing the EU e-Privacy directive [1] (the "cookie law"):
have you bothered to read it all?

If so, could you please pin-point which part of the directive you do not like?
Which parts are hard to implement? Can you also explain to us (with the same verve
used to bash the directive) how your national implementation is even worse
than the EU-wide directive?

The directive is quite short, definitely shorter than a review of a new Mac OS
X release. Give it a try.

Spoiler: the word "cookie" is not used in the law, only in the explanatory
preamble.

[1] latest consolidated version of the EU e-Privacy directive
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:HTML>

~~~
ppod
This part:

> Access to specific website content may still be made conditional on the
> well-informed acceptance of a cookie or similar device, if it is used for a
> legitimate purpose.

Could certainly be interpreted to mean that users must actively accept or
refuse cookies before accessing a website. I don't like this because the
inconvenience outweighs the privacy benefits, in my opinion.

~~~
gioele
That part is not part of the law, just introductory text. The law says in
Article 5:

«3. Member States shall ensure that the storing of information, or the gaining
of access to information already stored, in the terminal equipment of a
subscriber or user is only allowed on condition that the subscriber or user
concerned has given his or her consent, having been provided with clear and
comprehensive information, in accordance with Directive 95/46/EC, inter alia,
about the purposes of the processing.

This shall not prevent any technical storage or access for the sole purpose of
carrying out the transmission of a communication over an electronic
communications network, or as strictly necessary in order for the provider of
an information society service explicitly requested by the subscriber or user
to provide the service.»

A site can store data on a person's computer only if that person has given their
consent to it or if it is technically needed. Your ad campaigns, your A/B
tests, your detailed analytics are not technically needed and I want to have a
say on whether they are going to be stored in my computer.

Please note that many national implementations explicitly allow for broad
mechanisms like "accept all cookies" buttons during installations as long as they
are set or clicked by the user and are not simple defaults.

~~~
ppod
Whether it is in the recital or the enacting terms is irrelevant, I quoted the
recital because it is a little clearer.

The effect is the same - sites have interpreted the law to mean that a pop-up
prompt is necessary. I think that the inconvenience of this outweighs the
benefit. You might disagree, but don't try to make it sound as if everyone who
disagrees with you is ignorant.

------
mixmax
The EU cookie law is so stupid and full of holes that it's absolutely
ridiculous. Also nobody seems to know how to implement it properly so most
people just don't. This includes a lot of government websites and EU
organisations, even the EU's main website <http://europa.eu/> doesn't comply
with the law.

If ever there was a bad case of politicians trying to reach a noble goal (in
this case caring about a user's privacy) but not having a clue about the
technological means to reach the goal this is it.

Maybe the EU needs a technology commissioner.

~~~
chalst
It's worth noting that this law wasn't produced in the usual way, and there
was not much in the way of industry involvement in the legislation's drafting
process. About 15 months ago, I commented:

> I think it was not so much that the community was ignored, but that the law
> was passed under unusual circumstances: usually the lobbyists inform the
> legislators, who defer to industry on the specifics. Here the lobbyists
> mostly hated the legislation, but legislators were more responsive to
> privacy activists because of widespread public concern. So the law is a
> triumph of democracy over technocracy.

> And I think that's reflected in the legislation. The principles are OK, but
> the detail does not match up with practice. Hence the law is some way from
> being something workable.

<http://news.ycombinator.com/item?id=2587995>

So I don't think this is really the politicians' fault, so much as problems
with parliamentary process. Your idea of a technology commissioner might be
helpful, but the whole problem here is that the EU Commission did not guide
the legislation, with the drafting being driven by parliament.

------
grabeh
I do enjoy a self-propagandising and excessively hyperbolic headline.

In principle the law has an honest objective to increase user awareness of
cookies. I just don't understand all the developers on here jumping around at
the outrageousness of the law when the ICO in the UK is obviously taking a
relaxed approach to enforcement.

Obviously the problem is that a law as drafted could be applied as drafted;
however, I think there is room for a pragmatic approach here which acknowledges
a) the type and sophistication of the site and its users b) the type of
cookies being used and c) the risk of a user being harmed or making a
complaint.

~~~
ThomPete
Increasing awareness of cookies is not very helpful. People don't give a rat's
heini about stuff like that.

All it does is make things more confusing causing customers to drop off.

And I still don't understand what is so bad about them being able to profile
me. I want them to do that so I can get better ads / better communication in
the future.

~~~
grabeh
I think the problem is that you are aware of this profiling in the first
place. Many are not. At least if they are informed, they can make a decision
as to whether or not they care about it.

I don't know where I lie on the divide between those who value the input that
targeted advertising can bring and those who are vehemently against any form
of tracking. The problem I think is the uneducated majority in the middle.
They may browse one site and then wonder why ads from that site or for a
similar product are suddenly appearing. They have no awareness whatsoever that
information about their browsing habits is being collected.

I personally think it is a more preferable situation to have an educated
populace opting in to that form of collection of information than to have an
uneducated one who has no comprehension that companies are engaging in this
sort of behaviour.

I accept it is likely to be relatively harmless in many cases, but as I said, I
would rather have an informed opt-in or at least knowledge that this was
taking place.

------
Fletch137
It seems that the bigger companies (BBC, Amazon, etc.) have just gotten away
with having a link to their cookies policy in the footer, while the smaller
guys (e.g. the web dev place I work at) have been scared into placing often
intrusive JS notifications that grab the user's attention needlessly.

If the average user were to even understand what cookies were, I could see at
least some reasoning behind the law, but as it stands, it's like having a
prompt at the petrol pump that asks you if you consent to something in your
fuel that's there to help your engine - most people don't know about it and
don't want to be bothered being asked the question in the first place.

~~~
davedx
The BBC had an annoying popup banner thing.

~~~
Fletch137
Just checked and you're right... bad example, I should have checked before I
posted. There are, however, plenty of larger companies that did just use a
link in the footer (Amazon was one). The day before (IIRC) the deadline for
having the law applied, the ICO decided that implied consent could be used,
thus making a link in the footer perfectly okay.

~~~
malsme
The ICO's interpretation of the privacy law requires the user to understand
that continued usage of a website will result in tracking (i.e. alert them
until they agree), so the BBC's version complies better with the
recommendations.

That's what they mean by implied consent – the user can use the website so
long as they understand the situation, they don't have to physically agree. A
lot of websites then decided to take their own meaning from the term "implied
consent" without reading the document.

------
AshleysBrain
I admit to not spending the time to read the actual law text (mainly because
it seems so ridiculous), but can't it be worked around using other
technologies?

If the law bans cookies, can't sites just switch to using
WebStorage/IndexedDB/webkit FileSystem to achieve the same thing, but not
using cookies? Thus actual bad guys have a workaround, and the good guys who
keep using cookies because they're useful are apparently breaking the law.

Does the cookie law ban other technologies or can we just shift to a new tech
not covered by the law?

~~~
stingraycharles
CTO of an adserving company here. The law states that explicit consent is
required for third-party tracking cookies.

The law doesn't specifically say cookies either: it is deliberately vague to
mean any data stored on a client's pc. So flash cookies, webstorage, etc all
fall under this category. This is due to the law's original intent to fight
malware / spyware.

A basic summary of the relevant parts of the law can be found here:
<http://www.aboutcookies.org/default.aspx?page=3>

------
junto
I'm fairly sure that the EU issued a directive and not a regulation. The member
states take these directives and decide whether to (and how to) implement them
into the statutory law of their country.

The rest of Europe looked at this directive and decided not to implement it
'ad pedem litterae'. You don't see any other countries with stupid little
cookie notices plastered all over their websites.

The United Kingdom on the other hand, has a long history of misunderstanding
the purpose of directives and implementing them without due consideration or
manipulation.

Thus, the EU Cookie Law is misnamed. It is the UK Cookie Law.

It followed from the EU Directive 2002/58 on Privacy and Electronic
Communications:
<http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications>

Directive... Directive... Directive...

Don't blame Brussels. Blame the UK government.

More on regulation and directives here:
<http://news.bbc.co.uk/2/hi/europe/8160808.stm>

------
digitalengineer
The maximum fine can add up to 450.000,- _per violation_. AND: By law, if you
add third-party plugins (analytics or social widgets) to your INTRANET you
also need to comply with the cookie-law. How about that?

~~~
sigzero
I am not sure how they could enforce it against an INTRANET at all.

~~~
digitalengineer
I don't think they can either. But it's in the law. It's completely crazy.

------
delinka
This all looks like typical political rhetoric to me. The politicians think
_something_ must be done-- OK, here is _something_, let's do it! It doesn't
matter that this _something_ isn't the _right_ thing, because now "I did
_something_ about this problem. Re-elect me."

------
bartkappenburg
According to <http://www.cookie-checker.com>, the top 3 use 65 to 85
cookies(!). Law or no law, I still think this is quite heavy in the light of
privacy.

------
kintamanimatt
Cookies in the UK may end up being treated like weed in the Netherlands:
technically illegal, but not prosecuted even when out in the open.

------
erichocean
Are you required to give the cookie notice if people log in to your site (and
you only use cookies _after_ that point)?

------
saw-lau
Grammar pedantry: surely it should be 'The cookie law is dead. You're
welcome.'?

------
5h
not quite yet, fingers crossed though, the legislation is unabashed bullshit,
i've been recommending my clients hold fire in spite of the fact this would be
billable work for me, because it is so arse-about-face.

------
Peroni
So is your site apparently.

------
maeon3
One day we will all wake up as slaves to a great machine smarter than any
human, we will live, eat, laugh, cry, and die by the machine. And it will know
best.

Don't question its authority over you. Its judgement is flawless, divine and
infallible. It never makes a mistake.

