

The stupid cookie law is dead at last - silktide
http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/

======
polshaw
The cookie law is in no way dead, the ICO is just doing what every other
'compliant' site has always done.

New policy for the ICO site:

 _> Cookies set on arrival to the site. New cookies banner displayed. Banner
explains that the website uses cookies and that cookies have been set, tells
users they can change their cookie settings (via a new cookies page), or
continue to use the site._

I always thought the _"set first and offer the user to kindly f' off if they
don't like it"_ method was not in the spirit of the law, but that is the one
that sites have adopted. There was never any realistic possibility of
prosecution in that scenario, so I see this move as just the ICO accepting
reality.

~~~
radiac
Rather than what Silktide are saying, this change just seems to be bringing
their own website into line with their last-minute clarification (or rather
u-turn) on implicit consent.

The ICO spent a year banging on about how you need explicit consent, and lots
of people ran around implementing various solutions that make people click
buttons and are generally incredibly annoying. Then, about 12 hours before the
law came into effect, the ICO said "Actually, you know what? Implicit consent
is fine."

On the off-chance anyone is still interested in this sort of thing, I wrote a
small implicit consent script after the ICO clarified their position:
<http://radiac.net/projects/cookieuse/>

------
grabeh
I was wondering when another sensationalist blog post would pop up from
Silktide.

Last May, the ICO acknowledged that in certain cases, implied consent would be
appropriate and this is judged on the basis of the type of cookies that a site
is looking to set plus the information that is made available to a user on its
site regarding cookies.

The ICO considers that due to having had explicit consent on their site for a
number of months, and due to the information generally available on their
site, it was ok to switch to an implied consent approach. The cookies that are
set when you go on the ICO websites do not include any third party advertising
cookies.

For other sites, it is not guaranteed that an implied consent will be
appropriate where for example third-party advertising cookies are set and very
little information is provided generally (for example in a specific cookie
policy).

As such, it is still for each website to consider whether in their own
specific circumstances, it is appropriate to have an explicit consent or
whether implied consent is ok. I appreciate that this creates ambiguity but as
I understand it, it reflects the present position.

I still think the overall aim of the policy in terms of educating users as to
the nature of cookies is a good one. That aim is one that is of course not
particularly aimed at anyone who browses this website I wouldn't have thought.

~~~
alanctgardner2
> the type of cookies

The ones with text inside them, or the other ones with text inside them? I
don't understand how you decide between good and evil cookies.

> The ICO considers that due to having had explicit consent on their site for
> a number of months, and due to the information generally available on their
> site, it was ok to switch to an implied consent approach

Why is there a temporal component (a couple of months), surely new visitors
come all the time? Why is the content relevant? According to their stats, 10%
of the users explicitly consented. Switching to implied consent on that basis
makes no sense.

> it is not guaranteed that an implied consent will be appropriate

I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll
let you know once we decide to prosecute'. 'Very little information' is a
terrible metric; there's an implication that quality is also necessary. If I
populate my user-tracking page with mathematical proofs, I've encoded
information on that page - potentially a lot. It doesn't mean anything.

> I appreciate that this creates ambiguity

I appreciate that you didn't create this law (I hope). Ambiguity is bad. And
expensive. All this backtracking they've been doing, it wastes my time, it
wastes some civil servant's time, and it accomplishes nothing. It seems like
these policies should be like trademarks; subject to dilution if they aren't
suitably enforced. If Disney decided to give everyone two years to use their
logo free and clear, or they only prevented 'content-free' uses, they would
lose that mark.

~~~
Nursie
_"I don't understand how you decide between good and evil cookies."_

It's all in the intended use.

Good cookies: Session cookies for ecommerce and other transactional style web
interaction

Bad cookies: Advertisers tracking cookies that track users across multiple
sites without their knowledge or consent.

See?

~~~
mryan
How about "session cookies for ecommerce and other transactional style web
interaction, that track users across multiple sites without their knowledge or
consent"? Are these good or bad?

We can decide on a case by case basis whether any particular use of cookies is
good or bad, but coming up with a generic rule to do so is fraught with
difficulties.

~~~
Nursie
Well those would be bad, as they've clearly strayed well beyond necessary use
of cookies as a mechanic of the website operating and into tracking people
without their knowledge or consent.

What about "Tracking people without their knowledge or consent" being A Bad
Thing is hard to understand?

The original poster said " in certain cases, implied consent would be
appropriate and this is judged on the basis of the type of cookies that a site
is looking to set". Your example clearly goes beyond.

~~~
delinka
"...necessary use of cookies as a mechanic of the website [operation]..."

My shopping cart cookie that tracks you across multiple websites is necessary
because it keeps my prices lower than my competition giving me the competitive
advantage and my customers a better price on the things they want.

Your turn.

~~~
Nursie
Nope, you're still tracking someone without their consent, your reason is
nothing to do with the technical operation of your website.

Keep trying though, this is entertaining.

~~~
im3w1l
By tracking the user across many websites we can give personal recommendations
of new products the user might like based on their surfing habits. For
instance depression is correlated with erratic surfing behaviour. By making
use of these types of relationships we can offer our customers what they need
when they need it.

Another good feature is what we call multisite one-click shopping. Having to
enter address, credit number, cvc etc on lots of websites is daunting for the
customer and can hurt conversions.

/s

~~~
Nursie
Cool, all sounds useful, so you have no issue asking for the user's permission
to do this?

Because it's still not _technically_ necessary for the functioning of whatever
it is that the user is trying to do on your particular site.

These are all fine business reasons but (AFAICT) the entire intent of the law
is that _business_ reasons are not good enough to track people without their
explicit knowledge and permission that that is what you're doing.

(yes of course they fouled up on the coding and execution of the law,
bureaucrats were involved)

~~~
delinka
Yet again, semantics matter.

You didn't originally say " _technically_ necessary," but my argument is not
with you. It's with half-baked legislation. Does the legislation make the
distinction? You use the phrase "technically necessary for the functioning
of..." and the business guys in the company will continue to argue that yes,
this is technically necessary for the functioning of their
company/website/business etc.

Ask the engineers whether these things are "technically necessary" to
facilitate the business plan, because the business plan is the entire reason
the company exists. The answer is yes. I'd suspect the workaround is that you
just don't do business with people who don't want to be tracked.

Are we going to start legislating every detail of business?

~~~
Nursie
_"the business guys in the company will continue to argue that yes, this is
technically necessary for the functioning of their company/website/business
etc."_

Except it's not.

 _"Ask the engineers whether these things are "technically necessary" to
facilitate the business plan, because the business plan is the entire reason
the company exists. The answer is yes."_

The business plan is irrelevant. You're clutching at (false) straws here and
you know very well what I mean by technically necessary for the functioning of
the site; the law and/or guidelines even talk about implied consent covering
only what is needed to allow the interaction between a site (the site you are
ON, not a third party) and the user. In any other circumstances you have to
ask. I don't understand what you find so hard about this - are you setting the
cookie to enable the user to have a session on your site? Cool. Are you using
it to track their movement? Not cool. End.

 _"Are we going to start legislating every detail of business?"_

Where it starts to impinge on personal privacy, I hope so, yes.
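As an added example (it is not code from any commenter here, nor radiac's consent script), here is one way a site could enforce the distinction argued in this subthread on the server side: cookies the site needs in order to function (an allowlist of names, assumed for illustration) are always set, and every other Set-Cookie header is withheld until the visitor has recorded consent. The cookie names, the consent cookie and the sample headers are all constructed for the example.

```javascript
'use strict';

// Illustrative assumptions: which cookie names count as strictly necessary,
// and the name/value of the cookie that records consent.
const ESSENTIAL = new Set(['sessionid', 'csrftoken', 'cookie_consent']);
const CONSENT_COOKIE = 'cookie_consent';

// Parse one Set-Cookie header into { name, value, attrs }, with attribute
// names lower-cased (path, domain, max-age, expires, secure, httponly, ...).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// A cookie outlives the browser session only if it carries Max-Age or Expires.
function isPersistent(cookie) {
  return 'max-age' in cookie.attrs || 'expires' in cookie.attrs;
}

// Inspect the incoming Cookie header and report whether consent was recorded.
function hasConsent(cookieHeader) {
  for (const pair of (cookieHeader || '').split(';')) {
    const [k, v] = pair.trim().split('=');
    if (k === CONSENT_COOKIE && v === 'yes') return true;
  }
  return false;
}

// Decide which of the Set-Cookie headers the application wants to emit may
// actually go out on this response. Essential cookies always pass; the rest
// pass only once consent exists. Dropped cookies are reported with the
// attributes that make them tracking-capable (persistence, Domain) for audit.
function gateSetCookies(requestCookieHeader, setCookieHeaders) {
  const consent = hasConsent(requestCookieHeader);
  const allowed = [];
  const dropped = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (consent || ESSENTIAL.has(cookie.name.toLowerCase())) {
      allowed.push(header);
    } else {
      dropped.push({
        name: cookie.name,
        persistent: isPersistent(cookie),
        domain: cookie.attrs.domain || null,
      });
    }
  }
  return { consent, allowed, dropped };
}

// Constructed sample: what a page handler might try to set on a first visit.
const SAMPLE_SET_COOKIES = [
  'sessionid=8f3a2c; Path=/; HttpOnly; Secure',
  'csrftoken=k9d1; Path=/; SameSite=Strict',
  '_ga=GA1.2.1234; Max-Age=63072000; Path=/; Domain=.example.com',
  'adtrack=u771; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Domain=.ads.example.net',
];

// First visit (no consent yet) versus a later request carrying the consent cookie.
console.log(JSON.stringify(gateSetCookies('', SAMPLE_SET_COOKIES), null, 2));
console.log(JSON.stringify(
  gateSetCookies('sessionid=8f3a2c; cookie_consent=yes', SAMPLE_SET_COOKIES), null, 2));
```

On the first request only `sessionid` and `csrftoken` go out; `_ga` and `adtrack` are reported as dropped, both persistent and both scoped to a Domain. The caveat a practitioner would want: this gate only governs Set-Cookie headers the site itself emits. A third-party script or pixel embedded in the page sets its cookies from its own responses, so it has to be kept out of the page (not loaded at all) until consent exists, and the same applies to the cookie-like stores discussed further down the thread, which never pass through a Set-Cookie header.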

------
UnoriginalGuy
Browsers already have the ability to ask the user if they want to accept a
cookie. So all this law did was reproduce browser functionality that has
existed all the way back to Netscape.

That all being said however, I'm not entirely sure it is "dead." The current
legal standing from my understanding is a grey area...

~~~
kintamanimatt
No, the law also prohibited use (without permission) of such things as flash
cookies and cookie-like things stored in HTML5's web storage, HTTP ETags, IE
userData storage, Silverlight isolated storage, etc. The browser has no
control over these things, only standard HTTP cookies for which it is
responsible.

~~~
lucian1900
The browser has full control over HTML5 storage.

~~~
samastur
Yes, but the browser's user generally doesn't (in an easily accessible way).

~~~
lucian1900
At least on Chrome, they are displayed precisely in the same manner as
cookies.

~~~
kintamanimatt
The user doesn't have the same fine-grained control. In the case of HTTP
cookies you can control whether session cookies are permitted independently of
whether persistent cookies are allowed. I believe no such control exists in
the domain of local storage.

------
onemorepassword
This is just more disinformation and FUD from the anti-privacy marketing
clowns at Silktide. Nothing has changed when it comes to the EU rules on
tracking cookies.

Of course it doesn't help that the UK's authority tasked with enforcing the
law is utterly incompetent.

~~~
oliveremberton
How exactly am I spreading Fear, Uncertainty or Doubt here? (I wrote that
article, and run Silktide).

We have no problem with privacy - quite the opposite, I wish it were being
taken seriously - but this law is not remotely about that. If you look at the
ICO's latest report they say their audit of sites like Facebook and Google was
done purely "visually". They are literally evaluating privacy by looking for
banners or legal pages, and not at say the technology or intent behind it.

This event is newsworthy because their site - which is clearly going to be
looked at as an exemplar of best practice - is changing from explicit opt-in
to implicit. Essentially we're now back to 2009, when sites were expected to
include privacy policies that explain if they use cookies.

------
morphics
Thank goodness for that. Countless hours have been lost debating how best to
implement this pointless law, and the amount of business lost due to unsightly
and confusing consent banners must have been huge.

~~~
walshemj
Yes, given that my employer, a FTSE 100 publisher, must have spent a huge
amount of time and money on this stupid law - can we claim this back against
our tax bill?

~~~
kintamanimatt
Well, yes. Generally and imprecisely speaking, expenses are deducted from
revenues and the net is what's taxable. Your employer will end up paying a
little less corporation tax because of it. Whether it's a net loss for the
government is another matter, as what isn't paid in corporation tax might be
paid in national insurance and individual income taxes.

Could your employer sue the government for their compliance costs? Almost
certainly not.

~~~
Dylan16807
Yes very cute but that only gets a $TAXRATE percentage refund on the wasted
money. The rest is gone.

------
gvido
A similar law is still going strong in The Netherlands. As of this year, most
Dutch sites greet you with an annoying pop-up.

~~~
panacea
Annoyance, related to privacy. I vote for being "annoyed".

~~~
jules
In the abstract, I agree. Only somebody who does not understand cookies would
say such a thing in this context however (like our Dutch politicians).

You, the website visitor, are running a program called a browser. This browser
sends and receives data from servers that host the web sites you visit. Some
of that data contains a request to store a piece of information on your
computer. Your browser stores that piece of information, and later when you visit
the site again, it sends the same piece of information back to the site.

Note that cookies are not some evil technology created by website owners to
track you. It is YOU who is running the software that stores the cookie. If
you don't want cookies, DON'T STORE THEM. This is easily done in any competent
browser.

By analogy, if you don't want people to store things in your basement, don't
give them the keys to your basement! The current Dutch law is: after you
already gave them the access to store cookies on your computer, the law forces
that person to ask you again if they are allowed to store cookies. Not only
does it not keep any bad people out and thus gives a false sense of security,
it's also annoying.

The correct action to take is to educate people on the existence of cookies,
and how to disable them completely or disable them for specific ranges of
sites. This is less annoying for both the users and the site owners, and more
importantly it also works for foreign sites that the Dutch law has no power
over, like Google analytics & Facebook like buttons that track you all over
the internet (which is a much bigger privacy concern than uitzendinggemist.nl
or nos.nl). While they're at it they might as well sponsor efforts to make
browsers less identifiable through other means than cookies, and support
projects like Tor. Of course that's not going to happen, because the current
security theater reminds millions of Dutch citizens every day that they are
being protected by their politicians through messages in annoying popups.

~~~
Nursie
The basement analogy is flawed. It's like a proxy holding your keys and giving
them to anyone that asks, without your knowledge.

Education wasn't going to happen without notices like these.

~~~
jules
Yes, I wanted to keep it simple. The fact is that that proxy (the browser) is
the problem, and is also where the solution lies, not in the subset of people
that Dutch law happens to apply to who make use of that proxy to obtain your
keys.

~~~
Nursie
Making them tell you they want the keys and give you a reason isn't all bad.

But yes, the proxy ought to do more to encourage people. One problem is that
two of the major browsers (Firefox and Chrome) are funded by a company that
makes all its money from tracking and advertising (google), and it's pretty
unlikely they would turn off third-party cookies by default, which I think
would be a good start.

~~~
jules
I wouldn't be against a law that requires _browsers_ to make third party
cookies opt-in. Note also that the current law has no effect on Google's
tracking whatsoever.

------
LTheobald
I'm sorry but hasn't this been the case for a good while now? I remember
seeing this on the Guardian last year:

[http://www.guardian.co.uk/technology/2012/may/26/cookies-law...](http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent)

And isn't that why sites like The Guardian, BBC etc. have been using a banner
anyway?

~~~
oliveremberton
It's significant because they're the regulator, and now they're changing to do
what everyone else is, instead of telling everyone else to do what they've
been doing.

------
robotmay
Well at least they realised they were being a bit thick; they could have just
kept on blindly enforcing it. I think it really hit home when they lost a
serious percentage of their analytics data.

~~~
panacea
A "serious amount of their analytics data" was already lost to US.com

