
ICO.gov (click on continue without agreeing to cookies) - ggordan
http://www.ico.gov.uk/news/current_topics/website_changes_pecr.aspx
======
yaix
Argh!

99% of people have no clue what a "cookie" is used for and just hear that it
is "evil" and such. At the same time, these same people have no problem
exhibiting themselves on Facebook or tracking their positions on Foursquare.

@gov: Just make something like this (<http://www.networkadvertising.org/> >
"Consumer opt-out") legally binding for tracking networks (not for individual
web sites!) and the whole "Cookie" paranoia is solved.

~~~
nupark2
_> 99% of people have no clue what a "cookie" is used for and just hear that
it is "evil" and such._

99% of people also don't know how to evaluate the safety of a food additive.

Most don't even know proper food handling procedures and couldn't even
evaluate the food safety procedures of their favorite restaurant's kitchen
(assuming they even had the time to do so).

Hence, governmental regulatory bodies. You might not agree with the regulatory
environment, or with the outcomes, but the regulatory position _is_ logically
consistent.

 _> At the same time, these same people have no problem exhibiting themselves
on Facebook or tracking their positions on Foursquare._

Ignorance aside, people are quite often circumspect with what they share on
social networking sites; they honestly have _no idea_ the level of tracking
and data sharing that occurs.

Even still, your statement is an unfounded generalization; there are clearly
plenty of people that don't use Facebook (or Foursquare) and _do_ have a
problem "exhibiting" themselves.

 _> @gov: Just make something like this (<http://www.networkadvertising.org/>
> "Consumer opt-out") legally binding for tracking networks (not for individual
web sites!) and the whole "Cookie" paranoia is solved._

As a consumer, I prefer opt-in for analytics, user tracking, and unsolicited
spam.

~~~
JonoW
I'm not sure your comparison with food safety is completely apt; this cookie
law is the equivalent of being asked "Do you consent to the use of sodium
benzoate in your food" before entering any restaurant. Most people will have
no idea what to make of that, and will probably hate being asked every time.

It would be different if tracking was such a problem that it was outlawed all
together (like dangerous food additives are), as that would be clear to
everyone how to proceed.

------
adaml_623
In their privacy policy they list the cookie that 'Is essential for their site
to function'

"Essential site cookie|ASP.NET_SessionId|This cookie is essential for the
online notification form to operate and is set upon your arrival to the ICO
site. This cookie is deleted when you close your browser."

They also say that they've left it there because: "as we’re unable to remove
it from one part of the site without affecting another"

So apparently incompetence is an excuse for leaving cookies in place. Problem
solved!

~~~
eitland
Does ASP.Net depend on it for some reason? I used to do some work in Java
Server Pages, and in JSF we were stuck with something called viewstate, that
was kept either as a blob in the page or as a reference in the page to a blob
stored on the server. Technically not a cookie, but for all intents and
purposes the same as a cookie that gets deleted when the browser is closed.

~~~
dave1010uk
Blocking the cookie lets me view a few pages of the site perfectly fine. I
guess the session is required in one small part of the site and it wasn't easy
for the developers to make the site only set the cookie in that place.

------
av500
websites had that coming for a long time.

It's a common industry pattern to overdo things and then get regulated.

Take e.g. German gas stations, they went from adjusting their prices
occasionally (e.g. when the oil price changed) to price changes several times
per day in order to gouge the most out of the customers. Now, they will get
regulated and only be allowed to change their price once per day... they
basically asked for it.

Same for international roaming fees in Europe, from insane to regulated..

Cookies were used to track people's shopping carts and that was fine, same
for a site to recognize you. Nowadays they are used to identify and track you
in global ad networks etc.. again, asking for it..

~~~
bxr
This is why we can't have nice things, abuse of something useful for ends
undesirable to the masses leads to it getting banned for all uses.

------
patrickaljord
That's the same site that paid £585 for their favicon
<http://news.ycombinator.com/item?id=2175321>

~~~
benjash
I think that says it all. Clueless.

~~~
spjwebster
I take it you didn't read the comments on that post then? The ones that
explained why the upfront cost of £585 is not at all unreasonable.

------
Silhouette
From the linked page:

> Currently our website contains one cookie that we do not use, but is
> essential for part of the site to operate. At present we have left this in
> place across the site, as we’re unable to remove it from one part of the
> site without affecting another. This session cookie is set on a user’s
> arrival to the site - at which time they’re informed that the cookie has
> been set - and is deleted when a user leaves the site.

I'm fairly sure the advice from the ICO that I read earlier was quite blunt
about cookies that were not strictly necessary: you can't set them without
consent just for your own convenience.

There is a silly box at the top of their page that asks you to accept cookies
and tells you off if you click "Continue" without doing so, which seems
entirely contrary to the principle of this new law to me, before you even get
to this mysterious cookie they apparently set anyway.

~~~
spjwebster
The important bit is "but is essential for part of the site to operate." To
me, that clearly falls under the "strictly necessary" banner, albeit that it
probably shouldn't be set until you enter the part of the site that requires
it.

Government IT moves at a glacial pace, and just like everyone else they're
still trying to figure out how this stuff should work. That's why they've
deferred enforcement for a year.

~~~
Silhouette
> The important bit is "but is essential for part of the site to operate." To
> me, that clearly falls under the "strictly necessary" banner

They say that, but it is easily demonstrable that running a web site providing
static content such as they do does not require the use of any cookies or
similar technology at all to provide the service the user is requesting:
millions of web sites manage it every day. As you say, if only part of their
site requires the cookie for some genuine reason, perhaps they should only set
it there. In any case, there is really no excuse for not explaining properly
what the cookie is for or for cluttering up the screens of visitors who don't
check your "do whatever you want" button just to make the extra panel go away.

Bottom line: the exemption is not for cookies that are required because you
hired poorly trained web developers or picked an inconvenient tool somewhere
on your hosting platform. It's for cookies that are essential to providing the
service that visitors are expecting. The ICO themselves have been very clear
on this in the guidance they published in the run up to the handover, and
their own site is flagrantly violating at least the spirit of the rule if not
the letter of the law -- which AIUI they have responsibility for interpreting
in the UK, so if they can't get it right, what hope is there for anyone else?

------
bruce511
Unfortunately this is another case of throwing the baby out with the
bathwater, and incidentally not really solving the problem.

Firstly there are various kinds of cookies. There are ones that are stored on
your hard-disk, and others which exist only in memory (for the life of the
browser instance.)

There are ones used for marketing and tracking purposes, and others (notably
session cookies) that allow the server to track the "state" - thus allowing
for "web apps" as much as web-pages.

So their idea is to just "ban cookies". Or, as they have done, get all sites
to have an "allow cookies" switch. Don't turn that on? Well then you can't use
any part of the site. And if you do turn it on, it's "all or nothing" - I
can't allow say _just_ the session cookie, while banning the tracking cookies?

As to the possibility of enforcing this? Let's not even go there...

~~~
av500
what other option is there? To mandate browser source code that implements
cookies in a lawful way?

And where is the broad coalition of "don't be evil" browser vendors and
websites that proudly claims "we don't track you" and that would have made
such laws unnecessary?

------
teyc
I'm so not looking forward to seeing jsessionid in my urls again.

------
benjash
I really want to know what their jurisdiction is and who this is affecting.

Does this apply to all EU traffic?

OR does this only apply to websites hosted within the EU?

OR does it only apply to EU companies?

Plus how on earth do they plan to enforce this?

~~~
andersju
Unfortunately this is not just a UK thing. Every EU country is forced to do
this.

A similar law was passed in Sweden just the other week and will come into
effect on July 1, despite heavy criticism from pretty much everyone.

So how could they pass such a law? It's from an EU directive, more
specifically 2009/136/EC [1]. A directive is something that every member state
is _required_ to implement into national law, whether they like it or not.
AFAIK every member state is supposed to have implemented this by now. Sigh.

[1] <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF>

------
jschuur
Couldn't a site just declare a single session ID as essential, and store
everything else server side? Or is the problem that you usually don't keep
server side session data indefinitely? I suppose you couldn't use client side
JavaScript on your cookies in that case either.

Does this apply to HTML5 localstorage too?

~~~
mike-cardwell
Whether or not you declare it essential is irrelevant. What matters is if it
actually _is_ essential.

As for localstorage, read the guidance from the ICO:

[https://www.ico.gov.uk/~/media/documents/library/Privacy_and...](https://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf)

Third paragraph: "These changes apply to storage or gaining access to
information stored, in the device of a subscriber or user. This means the use
of cookies and similar technologies for storing information."

Fifth paragraph: "The Regulations also apply to similar technologies for
storing information. This could include, for example, Locally Stored Objects
(commonly referred to as "Flash Cookies")."

------
xedarius
This is exactly why we are currently cutting back on bloated Government
departments in the UK. I can see this being repealed in 12 months, it's a
ridiculous, unenforceable law.

~~~
amouat
To be fair, I think it's based on a European directive that all European
countries will need to enforce sooner or later (unless it gets changed).

------
panacea
If you block cookies on that website you don't see the message.

If you don't click 'accept cookies' or 'continue' but simply browse the site,
you've apparently accepted some cookies.

------
Limes102
Okay, so I don't really use cookies ever, the only one I use is for the PHP
Session Identifier. Is this going to be allowed? D:

I'm guessing that it will be because ICO is allowed..

~~~
mike-cardwell
It depends on when you set it and why. If you just set it as soon as anyone
visits your site, and there is no essential reason for you doing that for the
site to work, then you are breaking the law.

If you only set it when somebody logs in to your site, to maintain a logged in
session, then it will be fine.
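
As an added illustration (not part of the original thread, and not the ICO's code): a small Python audit over constructed response captures that separates in-memory session cookies from persistent ones and flags a session cookie issued on a page that does not need one. The paths, cookie values and the `NEEDS_SESSION` / `ESSENTIAL_NAMES` lists are assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample: (request path, raw Set-Cookie values) as a crawler with an
# empty cookie jar and no consent given might record them.
CAPTURED = [
    ("/", ["ASP.NET_SessionId=abc123; path=/; HttpOnly"]),
    ("/news/current_topics.aspx", []),
    ("/notify/form.aspx", ["ASP.NET_SessionId=def456; path=/; HttpOnly"]),
    ("/about", ["_trk=u-991; Max-Age=31536000; Path=/"]),
]

# Assumption: only these path prefixes genuinely need server-side state.
NEEDS_SESSION = ("/notify/", "/login")
# Assumption: cookie names the site can justify as strictly necessary.
ESSENTIAL_NAMES = {"ASP.NET_SessionId", "PHPSESSID", "JSESSIONID"}


def classify(raw):
    """Return (name, lifetime); lifetime is 'session' or 'persistent'."""
    jar = SimpleCookie()
    jar.load(raw)
    name, morsel = next(iter(jar.items()))
    # No Expires and no Max-Age means the browser drops it when it closes.
    persistent = bool(morsel["expires"] or morsel["max-age"])
    return name, "persistent" if persistent else "session"


def audit(captured):
    """Flag cookies set before consent that the requested path does not require."""
    findings = []
    for path, headers in captured:
        for raw in headers:
            name, lifetime = classify(raw)
            if name not in ESSENTIAL_NAMES:
                findings.append((path, name, lifetime, "non-essential cookie without consent"))
            elif not path.startswith(NEEDS_SESSION):
                findings.append((path, name, lifetime, "session cookie set where no session is needed"))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
```
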

------
gurraman
The Internet is a really big part of our current society; the concern of a lot
of people. You'd expect that the advisory board of decision-makers of such
important things would consist of the smartest and most knowledgeable persons
available - the persons who invented the web, the persons who are making it
work and who are taking it forward.

I haven't done any research. Does anyone know who gives these guys advice?

------
retube
"unless the cookie is strictly necessary to provide a service requested by the
user"

Isn't this open to some interpretation? Seems like a pretty wide loop hole.
Seems that this will allow a site to set/read its own cookies no problem.
Third-party ad-networks and trackers though, yeah, they would not fall within
this definition I think. And isn't that a good thing?

~~~
Limes102
I don't think it's a good thing. Many websites rely on advertising to allow
them to even exist

~~~
mike-cardwell
So? All those websites have to do is ask permission from the site visitor to
track them. Rather than tracking them without their consent...

And if people don't want to be tracked, and the site loses out by not tracking
them, so be it... That is a better situation than somebody being tracked
without their knowledge/consent.

------
Jencha
But why? "[tick] I accept cookies from this site... what is a cookie?" a user
may ask.

------
jlampart
How do they check if you have cookies enabled without setting one? Aren't they
breaking the law in the process?

------
rojaro
Imagine millions of websites greeting you with a cookie acceptance dialog ...

------
gcb
unfortunately, that's not the regular clueless legislator.

That's an example of the shift of power happening in the web.

Remember when you started using firefox because of all the options and
"about:config"?

Now, remember how you ditched it for Chrome, but have to start firefox to be
able to use crazedlist.org because to disable cross-site referrer on chrome
you have to recompile it? (they even removed the command line option!)

In a few chrome versions (what happens every 15min), I doubt you will be able
to disable cookies.

~~~
patrickaljord
Never heard of crazedlist.org but you can use extensions for cross site
referring <http://code.google.com/chrome/extensions/xhr.html>

~~~
gcb
Don't think we are talking about the same thing.

I'm talking about the referrer headers.

It used to have an option. Then they moved it to a command line[1]. Now they
removed it completely!

Disabling referrer header kills some google features in adwords and analytics.
So they have more than enough reason to kill it first.

[1] <http://darklaunch.com/2011/05/07/chrome-disable-referer-headers>

~~~
gcb
If anyone else is bugged by the lack of control on your referrer headers, star
this <http://code.google.com/p/chromium/issues/detail?id=84177>

For the address bar, I had no luck finding a bug. Anyone?

~~~
mike-cardwell
FWIW, on Firefox I use the refcontrol addon, and I've not experienced any
problems yet. If the referer domain is different to the domain of the request,
it modifies the referer to be the root of the site being requested.

~~~
gcb
that's even better than the about:config option of allowing it just for
clicks, not for scripts/iframes/etc. thanks

