
Stupid EU cookie law will hand the advantage to the US - emmanuelory
http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/
======
randomwalker
As numerous commenters have noted, this article twists/omits facts, blows
things out of proportion, and doesn't talk about the benefit to consumers.

Tracking is currently a hot topic in the US as well, where a different
approach, labeled _Do Not Track_, is being pursued. I happen to be in the thick
of it, so I thought I'd add that to the discussion.

Do Not Track (<http://donottrack.us/>) is fundamentally an opt-out from
tracking rather than an opt-in, which makes it much harder to claim that it
will threaten the ad industry, startups, puppies, or anything else [1]. It is
an HTTP header which, if enabled, signals to advertisers and other trackers to
stop tracking you across multiple third-party websites. First-party tracking
is OK.

The Do Not Track option has already been implemented in Firefox 4. As of
yesterday it is an Internet-Draft[2], and on the legislation side,
Congresswoman Speier recently introduced a bill to give the Federal Trade
Commission powers to enforce Do Not Track.[3]

I'm a computer scientist and this is my first major foray into the policy
arena, and having worked with most of the people/entities involved in this
effort, I have to say I've been pleasantly surprised how the disparate parts
of the technology/policy/regulatory machinery started to work together.

I don't want to get into which approach is better, but just wanted to describe
how we're doing it in the US. Feedback welcome.

[1] <http://cyberlaw.stanford.edu/node/6592>

[2] <http://cyberlaw.stanford.edu/node/6633>

[3] <https://speier.house.gov/index.cfm?sectionid=48&itemid=683>

~~~
smokeyj
I'm always skeptical of a legal solution to a technical problem, but I wonder
how this is to keep me safe from trackers on foreign soil? Wouldn't these
companies just move their server a country over? What if our ISP allowed us to
block traffic from those who don't comply with the don't track header, would
that solve our problem?

~~~
randomwalker
Excellent question. One solution for this would be to prohibit US-based first-
parties from doing business with noncompliant third-parties (similar to what
you propose, but doesn't cut across different layers, so less messy, less
potential for abuse). It is similar to how some other laws work, and it would
be up to the FTC to make this rule.

------
xd
This is being blown out of all proportions.

<http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2008/08-04-10_e-privacy_EN.pdf>

Read point 50.

The general gist seems to be, that if you use a cookie to track the
communications between you and the user (à la sessions), no problem. But if
you are using a cookie to track where and/or what the user has been doing
across sites then you need to make said user aware.

Please correct me if I am wrong.

~~~
berkes
You are not wrong. Some examples: A login for your site needs no consent. A
session to store some status-message to a user ("comment posted!") is allowed
just fine. But Google (analytics) must provide a warning before it is allowed
to track people, because it tracks people across domains and sites.

edit: I wrote opt-in but meant to say "provide a warning"

~~~
jkent
Google Analytics does not track user behaviour across domains and sites,
unless those domains and sites are specifically linked.

Google Analytics uses a 1st-party cookie set by the website that runs it.

<http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#HowGAUsesCookies>

~~~
Silhouette
Google Analytics is a third party service that is tracking users' behaviour
around the Internet, quite possibly without their knowledge or consent. It
doesn't matter what the original site operator can see. _Google_ can see
everything. This is _exactly_ the kind of shady behaviour that this law is
supposed to prohibit, and Google getting screwed on this point appears to be
in keeping with both the letter and the spirit of the law.

------
gacek
And stupid environmental laws don't allow excessive mining and require costly
procedures when handling waste. It hands the advantage to China, and other
less restrictive countries.

'This is how it's always been done' is not reason enough. Many sites require
you to accept terms&conditions. Another checkbox really won't matter.

~~~
john-n
While this is true, a lot of cookies are used without any login/signup process,
so you need to provide these pop-ups a lot more often.

------
csomar
I can't figure out how this will hit EU startups. Actually, this is promoting
transparency and I really like it. I won't be suspicious if the site is
gathering some data from me or not; if it is, it'll just display a friendly
_warning_.

This is actually beneficial for users; and the ones who refuse are probably
not the users you are looking for.

~~~
fmavituna
Isn't it clear from the article?

"It clearly makes UK companies less competitive because sites we build will
need to be plastered with warnings – and our competitors will not. It is a
well known fact that at each stage of a signup process you lose customers – if
you have to have a big warning sign just for a cookie that will remember you
for purely convenience so that it keeps you logged in. The user wont read that
detail – they will just think your a privacy nightmare and wont sign up."

~~~
whatwhatwhat
> It clearly makes UK companies less competitive because sites we build will
> need to be plastered with warnings – and our competitors will not.

An American startup doing business globally and with citizens of the UK would
have to abide by this law too, though, right?

~~~
fmavituna
In theory yes, but in practice not really. The consumer doesn't care, doesn't
know.

On a side note, in theory if you are an EU company you _cannot_ use a CRM which
hosts your data outside of the EU. For a USA CRM company the only way to get
around this is the "Safe Harbor Policy". Do you know how many SaaS CRMs apply Safe
Harbor Policy? AFAIK only 1, SalesForce.

But obviously there are thousands of European users of these CRM companies
which violate this EU law.

~~~
Silhouette
I'm not sure about CRM specifically, but certainly various serious companies
are aware of the EU data protection rules and take specific steps to comply.
For example, I've been looking at off-site back-up for one of my companies
recently, and while talking to Mozy they confirmed unambiguously and with
specific details that any data from my company (in the UK) that was backed up
using their service would be held in various protected ways in specific data
centres within the protected area.

If you're in a business like that, where people are trusting you with that
kind of sensitive information, I think you expect that serious customers are
going to ask and they're going to need straight answers. I would agree that
this is a barrier to entry for start-ups, but I think if you're trying to
enter that kind of market but you aren't in a position to provide that level
of service, you're already dead anyway.

------
gyardley
Both the EU and US regulations will backfire badly. They both interfere with
site optimization and advertising targeting, and both site optimization and
advertising targeting impact profits.

Rather than taking the hit to their bottom line, publishers will adjust by
making explicit user opt-in mandatory. Since explicit opt-in is nice and
unambiguous, the targeting itself can then be a lot more invasive.

I really don't understand the desire to mess with the current system we have
today, which works well enough. The small percentage of users who truly care
about tracking have simple and effective technical solutions available to
them. Publishers turn a blind eye to these unprofitable users, since their
numbers are small. Finally, since most ad targeting currently falls in a
policy 'grey area', the ad industry self-polices reasonably well.

At least there's going to be some interesting startup opportunities in
detecting tracking circumvention and forcing compliance.

~~~
Silhouette
I couldn't disagree with you more.

The current system does not work. Tracking people around the Internet is shady
behaviour any way you cut it, and a lot of people don't like it.

A lot more people don't even know about it, which is why the effect on sites
today is still relatively small. Try sampling a population who have been fully
informed about what is going on and see the reaction you get.

Ultimately, businesses do not have _carte blanche_ to engage in whatever shady
practices they like in the interests of increasing profits. This is why we
have laws and why we punish businesses that break those laws.

If publishers who want to spy on everyone make opt-in mandatory in response to
measures like this, they will just create a market for publishers who are
willing to share their content with ads based on that content alone rather
than on tracking individual visitors' personal details. This worked well
enough to establish things like Google ads in the first place, after all.

I have about as much sympathy for any company hit by these measures as I have
for cigarette companies who are forced to display a warning about the proven
health implications of their product in big letters on the packet.

~~~
gyardley
_Try sampling a population who have been fully informed about what is going on
and see the reaction you get._

I've yet to see a 'fully informed' sample from anyone. While people don't like
getting tracked, they don't like getting tracked in contrast to an imaginary
situation where they can access all the same content with no tracking
whatsoever, which simply isn't possible.

Whenever people complain about ad targeting, you should think of the guy who
spends all his time grousing about taxes while still wanting the government to
pay for his roads and his Medicare and his Social Security. Same thing.

 _Ultimately, businesses do not have carte blanche to engage in whatever shady
practices they like in the interests of increasing profits._

Of course. This is why online businesses will end up doing what, for example,
a credit card provider or a magazine publisher does - they'll tell you that
they're going to sell your information six ways as a condition of receiving
the service, and the public will say 'well, I want the service, so what choice
do I have?' Unless, of course, the government makes the very practice of ad
targeting illegal, in which case the content goes behind a paywall where the
poor don't get to read it.

 _If publishers who want to spy on everyone make opt-in mandatory in response
to measures like this, they will just create a market for publishers who are
willing to share their content with ads based on that content alone..._

Now _this_ argument is like the guy who thinks the government can balance its
budget and lower taxes just by getting rid of some sort of vague unspecified
'waste'.

You are more than welcome to try to make real money through contextual
advertising alone. Unless you own a search engine or are churning out made-
for-AdSense content tailored specifically to search queries, you will fail.
Brand advertisers don't do much contextual, so say goodbye to agency CPMs.
The contextual stuff itself performs horribly when users aren't explicitly in
'search' mode. Why do you think those 'three weird tips to losing belly fat'
ads are everywhere instead of Google AdSense? Yes, even that spray-and-pray
CPA stuff outperforms contextual. Now picture all your brand advertising going
away and trying to subsist solely on the pittance you get from education loan
and car insurance ads. Now picture doing this while trying to produce quality
content. Good luck.

I get that people don't like advertising, and I get that they don't like
analytics. People expect the web to be like a backlit newspaper, and when they
find out that their reading material is reading them back, they're
disconcerted. However, they're just going to have to get over it, because
that's the real price of 'free'. The alternative is paying for it, which helps
turn the internet into a place for the privileged.

I've yet to see a scenario that's going to end up better than the muddling-
through we're doing now. You can effectively opt-out just by installing an
extension, as can anyone else who really, truly cares about a website knowing
they're a college-educated male between the ages of 25 and 34. Stop trying to
fix the world, you're simply going to make it worse.

~~~
Silhouette
I guess my problem with this whole debate is that I'm struggling to think of a
single site I visit at all regularly that offers this hypothetical content I
wouldn't want to lose, yet which couldn't/doesn't have alternatives available
other than pseudo-spyware advertising.

Most of the good small-scale sites I visit are related to some particular
topic, perhaps a hobby or a particular technical subject. That means they
already have a ready-targeted audience without any tracking whatsoever, so if
there are any related products to advertise at all, they are pretty much a
marketer's ideal channel. I don't know the operators of most of the sites I
use personally, of course, but a few of those I do know get guaranteed rates
from specialist advertisers based on real contracts that would make the
average CPM-based ad-networked blogger cry.

Larger-scale sites tend to have more options open to them anyway once their
user base has reached critical mass. You get to the scale of corporate
sponsorship, serious donation volumes, and eventually the kind of mainstream
advertising campaigns you see with mass media, major sports events, etc.

Obviously there are lots of other kinds of sites, but mostly run by people or
organisations for their own reasons that don't necessarily involve profit.

What's left? Small-scale sites that need to make a significant amount of money
yet have no particular speciality nor offer any particularly original and
valuable content that others aren't contributing for free?

By the way, I don't accept your analogy between this situation and taxes at
all, but I have no interest in getting into a superficial political debate
that I don't think is particularly relevant.

Also by the way, I don't have much problem with prohibiting this kind of
tracking outright either. Privacy laws are, IMNSHO, not nearly strong enough
in most jurisdictions today. Far too many people wind up suffering significant
harm in one form or another as a result, and if the trend for tracking
everyone all the time continues along its current path, things will surely
become much worse. If a few minor web sites have to be lost for preventing
massive, organised surveillance of everyone's private lives, then I'm sorry
but I consider that a small price to pay.

~~~
gyardley
I would genuinely be interested in seeing examples of significant harm from
web analytics or behaviorally-targeted advertising. Right now the most common
(and frequently made) argument against FTC regulation of these fields is that
no one has been able to bring forward an individual that's actually suffered
harm, so your comment about "far too many people wind up suffering significant
harm in one form or another" makes me cock an eyebrow.

'Mainstream advertising campaigns' for larger publishers are absolutely and
completely reliant on third-party tracking and targeting - for frequency
capping, serving verification, and demographic targeting. If these tools go
away, the branded ad spend stays on television.

The New York Times is the most obvious example of a publisher (and journalism
the most obvious sector) that'd be negatively impacted by Do Not Track.
They're making significant revenue from their online business right now, but
they also have very significant expenses. It costs money to run a news
organization capable of international reporting and investigative journalism.
'Minor websites' are not the issue here - it's the major websites that are
concerned.

I'm calling it a night, but I'll wrap up with a couple of quotes from the
Online Publishers Association (which includes the NYT and every other major
American news organization) comment on the FTC's "Protecting Consumer Privacy
in an Era of Rapid Change" preliminary report:

 _Online publishers should have the right to offer their content and services
on any lawful terms that are explicitly communicated to consumers and withhold
access from those who do not agree to such terms. To require otherwise would
burden publishers’ First Amendment speech with free riders who enjoy the
benefits of access to valuable content without providing fair value in
exchange._

 _[D]efault rules that prevent fair value exchanges of digital content for
user data could harm consumer welfare by reducing incentives for some
publishers to invest in the production of content and/or creating incentives
for publishers to charge or charge more for content that they would otherwise
make available for free or at a lower cost._

~~~
Silhouette
> I would genuinely be interested in seeing examples of significant harm from
> web analytics or behaviorally-targeted advertising.

I think advertising itself is more of an annoyance than a serious harm in most
cases, though I would certainly regard targeting certain profiles with
advertising for certain products as abuse. That is mainly where the target is
unlikely or unable to make sound judgements, for example where children,
adults with learning difficulties, those suffering from a recent emotional
trauma, or those who are recognisably not well-informed about things like
legal, medical or financial matters are involved.

However, what really worries me is that it's not only advertising that can be
driven by this kind of personal profiling, and the effects in other cases can
be far greater than the irritation of seeing yet another toy advert because
you just uploaded some baby photos.

For example, here in the UK, there was a lot of media attention a couple of
days ago, because it looks like car insurers are going to be forced to stop
offering different prices to male and female customers just because of their
gender. The insurers, of course, have been profiling, and argue that _on
average_ young male drivers are more expensive in terms of the accidents they
have and the resulting cost. However, while there may be some correlation
there, that doesn't imply a causative effect in any individual case, and it
doesn't change the fact that there are many safe male drivers who are paying
more and many dangerous female drivers who are paying less. Since all drivers
are required by law to have insurance in my country, this sort of profiling
has effectively meant that many good male drivers have been charged thousands
of pounds of basically unescapable tax, just for fitting a naively constructed
risk profile.

Is it such a leap to wonder what would happen if health insurance companies
were able to start profiling on grounds that were not directly clinically
relevant, particularly in countries where private health insurance is the
norm?

What about profiling and employer blacklists: sorry, we can't give you the
job, because even though you appear on the surface to be an excellent and
highly qualified candidate, we've analysed your friendship network and several
of your regular contacts have photos up on Facebook that our automated
analysis software thinks show them being excessively drunk, which means that
statistically there is a relatively high chance of you also having your work
performance impaired for alcohol-related reasons. Oh, and just to save you
some time, don't bother applying for any other jobs where your hard-earned
specialist skills and useful experience would be relevant, because we know
that the other four big name employers all check the same databases we do.

> I'm calling it a night, but I'll wrap up with a couple of quotes from the
> Online Publishers Association

As far as I'm aware, no-one is saying that publishers can't offer content on
their own terms. The publishers will simply have to be transparent and up-
front about what those terms really are now, and compete accordingly.
Moreover, where there are monopolies or essential services involved, consumer
protection regulation may be warranted in the same way that state-sanctioned
monopolies, such as our railway and postal networks, are sometimes subject to
pricing constraints dictated to them other than by market forces.

------
Facens
The article does NOT describe the situation. The situation is different and is
explained by this part of the Directive: "This shall not prevent any technical
storage or access for the sole purpose of carrying out the transmission of a
communication over an electronic communications network, or as strictly
necessary in order for the provider of an information society service
explicitly requested by the subscriber or user to provide the service". And by
the further comments to the text, clearly reducing the so claimed 'stupidity'.

Pascal Van Hecke wrote a useful comment explaining the situation and clearing
the misunderstandings. The comment can be read here:
<http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/#comment-162920924>

The real problem about this Directive (it's not a law, European Union does not
make laws!), is how it will be converted in law by the single Countries; this
could be the real source of confusion.

The real purpose of this directive is forcing to ask explicit consent for
behavioral targeting purposes, not for simple analytics' cookies. We can't
create buzz based on a misunderstanding!

------
al_james
As a web-publisher, I find the general distaste of (advertising) tracking
cookies a little hard to swallow. At the end of the day, tracking cookies
exist because they allow the sites you visit (and probably don't pay for
directly) to earn more money (on average) across all their visitors.

Advertising is the life-blood of publishers on the Internet. Without
advertising (and by extension, tracking) many of the sites you enjoy every day
would cease to exist.

At least using cookies you CAN opt out (via browsing settings and plugins).
All that will happen is that the tracking networks will switch to browser
fingerprinting making tracking harder to control and more opaque.

~~~
Silhouette
Your post is one unsubstantiated claim after another.

Just because _you_ fund your content through ads, that doesn't mean someone
else can't use a different model. Sorry to be brutal, but if you can't find a
viable alternative model when ads aren't cutting it any longer, maybe your
content simply isn't worth that much and losing your site isn't a great loss
to anyone else.

Moreover, just because _you_ associate ads with tracking, that doesn't mean
everyone else does. The most lucrative advertising deals I know about are
between sites catering to particular interest groups and advertisers who also
cater to those groups and make a direct agreement with the site. It takes
actual work to set this up, but can be very lucrative for all concerned,
particularly without any middleman ad network taking a big cut of any money
changing hands. Many models from classic sponsorship deals to modern product
placement approaches are based on this idea.

> All that will happen is that the tracking networks will switch to browser
> fingerprinting making tracking harder to control and more opaque.

That's probably going to be illegal, too.

In any case, browser fingerprinting is becoming a hot topic for all the wrong
reasons. I expect near-future browsers will basically kill it as a technique
anyway.

~~~
al_james
> Just because you fund your content through ads

Me and 99% of the sites I have read today...

> The most lucrative advertising deals I know about are between sites catering
> to particular interest groups and advertisers

In my experience, the most lucrative advertising campaigns are based on
audience tracking and retargeting.

~~~
Silhouette
> Me and 99% of the sites I have read today...

99%? Really?

I'm just looking through my browser history, and I can't see _any_ site I've
visited today that appears to be funded only by the kind of targeted ads we're
discussing.

> In my experience, the most lucrative advertising campaigns are based on
> audience tracking and retargeting.

Perhaps you are fixating on certain types of campaign, then? Either that or
you have very limited experience of different possibilities, but from your
other comments, I doubt that is the case.

~~~
al_james
> and I can't see any site I've visited today that appears to be funded only
> by the kind of targeted ads we're discussing.

I think that's a key point. ALL banner advertising would be affected by this
change. All ad servers use cross domain cookie tracking of some kind. If not
to track user behaviour, it's (for example) to track impressions to make sure
that you don't show the same ad to the same user more than a set number of
times. That is also a 3rd party cookie.

Without that ability it will be hard (impossible?) to rate limit campaigns to
users, thus increasing the cost effectiveness to the advertiser and eventually
hurting publishers as advertising money is diverted elsewhere.

In short, this rule would affect ALL banner adverts on all sites. So 99%, yes
(at least the _content_ sites I have read today).

~~~
Silhouette
> ALL banner advertising would be affected by this change.

No, it wouldn't. That's what several people in this discussion have been
trying to explain.

Banners hosted locally and not by a third party service probably won't be
affected at all.

Even banners hosted by a third party service won't be affected if they choose
their content based only on the nature of the site where the banner would
appear.

The only people who will lose out are the ad networks that track users as they
move around different sites, and their business model and working practices
are incompatible with my ethics (and, apparently, those of many other people,
including those governing at EU level).

We should lose the conditionals, by the way. This has already been approved at
EU level, and it _will_ therefore become law throughout the EU in due course
unless something dramatic happens. Given that the only people I've seen
objecting even slightly seem to be those who are currently doing exactly the
dubious things that these measures are intended to prohibit, "something
dramatic" seems unlikely.

> Without that ability it will be hard (impossible?) to rate limit campaigns
> to users, thus increasing the cost effectiveness to the advertiser and
> eventually hurting publishers as advertising money is diverted elsewhere.

Why can't the advertisers simply re-evaluate the rates they pay per impression
based on the expected cost/benefit under the new model?

Or just adopt one of the many pricing models that is based on actual results
like CPC, instead of assuming that CPM is always going to be the right answer?

~~~
al_james
> Banners hosted locally and not by a third party service probably won't be
> affected at all.

So you have to install and manage your own local ad server to earn ad revenue
from your site? Many publishers large and small use ad servers e.g.
doubleclick, adtech to avoid this overhead.

> Why can't the advertisers simply re-evaluate the rates they pay per
> impression based on the expected cost/benefit under the new model?

Yes, publishers lose out once again.

~~~
Silhouette
> So you have to install and manage your own local ad server to earn ad
> revenue from your site?

No, you just have to use a system that doesn't try to track users everywhere
they go.

> Many publishers large and small use ad servers e.g. doubleclick, adtech to
> avoid this overhead.

That's fine. Those ad servers are free to continue offering their facilities
to webmasters who would like to use them rather than setting things up
themselves. The only difference is that now the centralised services won't be
allowed to track everyone everywhere.

> Yes, publishers lose out once again.

You keep saying things like that, but I don't think you've ever explained
_why_ you think this is inevitable. I and several other posters in this
discussion have now presented you with numerous alternative ideas that still
allow sites to carry advertising that is fairly well-targeted without
violating the new rules that are going to apply after May. Those methods
funded numerous sites for several years before the current generation of
spyware-based ad networks took off, and given that hosting is far more
competitively priced now, I don't see why today's enthusiast sites shouldn't
be able to cover their costs if yesterday's could.

~~~
al_james
Ok, I think we will have to agree to disagree!

All nice in theory... the real world is very different.

------
wladimir
Well, I'm against internet regulation in general, but I don't agree this is
'stupid' or a big disadvantage.

Sites could simply stop tracking users with long-term cookies. In this case,
no warnings and popups need to be added. And everyone is happy...

~~~
gst
If you don't want to be tracked with a long-term cookie just configure your
browser to not accept long-term cookies or to delete all cookies on shutdown.
Problem solved.

~~~
blub
I think it's the responsibility of the website to do the best that it can to
protect the user's privacy, especially for those that don't know what a cookie
is or does. On the contrary, most websites do the minimum they can get away
with and try to squeeze every bit of data for profit.

Those companies can cry all they want but they get ZERO sympathy from me. I'm
sick of having to install three extensions to counter their hostile behaviour
towards my privacy.

~~~
olalonde
What responsibility? Man up and be responsible for yourself. If you don't
trust companies with your data just don't deal with them. Or use your anti-
cookie extensions! _You_ get ZERO sympathy from me.

I understand you feel companies have a hostile behavior towards your privacy.
But you're part of a minority. If people really cared that much about cookies,
the market would have responded accordingly and there wouldn't be any need for
this kind of regulation at all. Why impose your obsession with privacy to the
rest of us?

~~~
Silhouette
> If people really cared that much about cookies, the market would have
> responded accordingly and there wouldn't be any need for this kind of
> regulation at all.

That's naive.

For one thing, most people are not technically knowledgeable and don't
understand the extent to which they are being tracked.

For another, even those who would care about such issues can't spend their
entire lives becoming experts in every ethical, legal, regulatory and
financial field that might affect them. It simply isn't humanly possible,
which is one reason we have laws crafted by specialists but applying to
everyone.

Your argument only makes any sense if everyone _knows_ about what's going on,
_understands_ the implications, and _still_ doesn't care.

~~~
olalonde
> It simply isn't humanly possible, which is one reason we have laws crafted
> by specialists but applying to everyone.

You apparently haven't heard of the invisible hand.[1]

The role of experts is to educate and influence, not to impose their own
values. People should be allowed to choose what's best for them and put their
trust where they want, not be forced into putting their trust on bureaucrats.

[1] <http://en.wikipedia.org/wiki/Invisible_hand>

~~~
Silhouette
I think you're making my point for me. Right now, a lot of people simply don't
know what is going on or the implications it has for their privacy, so they
can't possibly make informed judgements about whether they are willing to
accept that behaviour. Any argument that some sort of market forces would
drive change is completely negated as long as you keep your market in the dark
about what is really going on.

------
patrickg
In 10, 20 years people around the world may ask the Europeans how they got such
a rather high privacy standard. While I don't agree with all of the regulations,
the tendency here is to make everything private by default and only disclose
what is needed. We should be able to decide ourselves what to disclose without
having to install add-ons to block everything.

That said: I also use tracking, but anonymize as soon as possible. And: there
are enough laws that contradict regulations like these (such as the governments
forcing the ISPs to store the communication data from the users).

~~~
nhebb
I won't be asking that until places like London get rid of all the police
cams. Although, apparently they are _highly_ effective:
<http://news.bbc.co.uk/2/hi/8219022.stm>

While I applaud the EU's efforts on this, it seems a bit of stepping over
dollars to pick up pennies. The bigger battles for privacy still need to be
fought.

~~~
Silhouette
> The bigger battles for privacy still need to be fought.

They do, but you have to start somewhere, and at least this is a step in the
right direction.

My personal view is that a privacy backlash is building. For the past decade
or so, we have lived under an unwelcome combination of commercial interests
who now have the technology to conduct mass surveillance and government
interests whose politics is governed by fear, which in turn drives the
surveillance state. I think it's becoming increasingly obvious that the
cost/benefit in both cases doesn't justify the price we're paying, and it's
starting to be the common guy or girl in the street who is asking questions
and not just the privacy advocates and civil liberties campaigners.

As debates like this one start to hit mainstream media like the BBC, the
political winds will shift, helped by the fact that many of the over-
reactionary post-9/11 government administrations have now been shown the door
so the political resistance is lower. As long as those of us who care can keep
building the momentum, and the global picture remains more one of hope as
dubious governments are falling than one of fear after a string of terrorist
attacks, I think we'll start to build a more reasonable regulatory framework
for protecting privacy when it's important to do so, without unduly disrupting
useful innovations.

------
obiwan421
I'm usually not a proponent of EU regulations, but I don't think telling
customers the truth should be considered harmful by any serious entrepreneurs.

Customers will probably be scared at first, but once they understand a bit
more about tracking (which are harmful, which are not), an opt-in system will
definitely add to customers' confidence, and thus benefit business in the
long term.

------
jujjine
_if you have to have a big warning sign just for a cookie that will remember
you for purely convenience so that it keeps you logged in. The user won't read
that detail – they will just think you're a privacy nightmare and won't sign up_

The only times lay surfers have heard about cookies is in the news when severe
privacy invasions have occurred. To those that have never heard of it, it is
new, so they are cautious. Some parts of the industry have misused that
technology and now the whole industry is called to gain back the users' trust.

The EU law's intention is to shift the responsibility from the companies to
the user, i.e. they will be the ones to decide whether they want to use
cookies or not. To make that decision they need to be informed about its
positive and negative sides.

Regarding opt-out models, how many people will know about that? So if I'm not
aware of opting-out, is it my fault if some company goes berserk with my
privacy rights?

------
nodata
So don't track - and sell that to your customers and visitors as an advantage.

~~~
rahoulb
That's the issue - what's the definition of "track"?

I've not seen a decent discussion of this anywhere - the BBC site says
"shopping baskets are exempt" but what about session cookies? What about font-
size preferences or logins?

I've asked my MP (in the UK) to look into it...

~~~
nodata
I presumed tracking meant cookies which were used outside of one website. Good
point.

------
xsltuser2010
Is this about tracking via cookies only, or cookies in general? Does it mean
I have to ask for consent to use ganalytics as well?

~~~
gst
There are some lawyers in Germany that already now presume that Google
Analytics is illegal:
[http://eu.techcrunch.com/2009/11/24/google-analytics-illegal...](http://eu.techcrunch.com/2009/11/24/google-analytics-illegal-germany/).
And due to the German "Abmahnung" law (see
<http://en.wikipedia.org/wiki/Abmahnung>) it's rather easy for them to "fine"
you if you use it anyway: "One German lawyer that gets cited in the article
says the penalties could amount up to €50,000 (about $75,000) per website that
uses Google Analytics to keep track of its visitors’ usage patterns."

~~~
blub
Good. User tracking is antisocial and Google is one of the worst offenders.

~~~
biafra
They are not suing Google. They are suing website owners using Google
Analytics without consent from the users. They tried to reach an agreement
with Google first.

------
speleding
They will need member states to actually enforce this law. Until then it's a
dead letter like so many other EU laws that get ignored.

------
Tichy
There are already lawsuits in Germany against websites using AdSense or Google
Analytics. Also the WordPress plugin Akismet (distributed spam filter) is
apparently a no go in the future.

Just some examples - so yes, I think this could definitely hurt EU startups,
or at least smaller projects that rely on adsense.

~~~
biafra
It is by no means against the law in Germany to use adsense or Google
Analytics. You just have to get the consent of the user before you are allowed
to have their personal information processed by a third party.

~~~
Tichy
I'm not a lawyer. Anyway, I have yet to see a web site anywhere on the
internet that asks the user for said consent. So we'll just have to wait how
it plays out once web sites start doing that.

------
jsvaughan
It will be interesting if this actually works out worse for privacy; say the
site decides instead to remember you (for ad purposes) by ip address instead
of by cookie, so everyone from that ip address ends up in the same profile
target.

E.g. I visit a website to buy a birthday present for my wife, but later
everywhere she browses she suddenly sees adverts for the shop or product that
I bought.

~~~
al_james
They will use a combination of user-agent, IP address and other browser
profile information. This is surprisingly good at uniquely identifying most
computers.

It only really falls down when there are a large number of totally identical
machines in the same IP range, where the machines are locked down so plugins
(etc.) cannot be installed. E.g. a large office or university lab.

~~~
randallsquared
_They will use a combination of user-agent, IP address and other browser
profile information. This is surprisingly good at uniquely identifying most
computers._

But useless for the case he mentions where he cleared the cookies, but it
doesn't matter...

------
olalonde
Another case of well-intentioned intellectuals trying to protect the poor
consumers from themselves but ending up hurting them.

------
prodigal_erik
See also <http://news.ycombinator.com/item?id=2300202>.

------
lwhi
A tongue in cheek example of what users might face:

[http://www.davidnaylor.co.uk/eu-cookies-directive-interactiv...](http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html)

------
iwwr
Try configuring your browser to ask for your permission every time a cookie
needs to be stored. Some websites have 4-5 cookies and clicking "accept" (or
"deny") several times over for a site is just unusable.

~~~
mike-cardwell
I use the Cookie Monster addon for Firefox. It provides a similar interface to
that provided by NoScript. It blocks cookies by default, and lets you
permanently/temporarily accept full cookies/session cookies, on a per domain
basis.

I can use news.ycombinator.com because the first time I came to this site
after installing Cookie Monster, I set it to accept session cookies from
ycombinator.com, and to permanently remember that setting. I don't need to let
ycombinator set long lived cookies, and I certainly don't need to let
clickpass.com set a cookie on my computer when I visit the
news.ycombinator.com login page.
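
The per-domain policy described in the comment above (block by default, allow session-only or full cookies per site), modelled as an added example that is not part of the original comment and is not the addon's code. The `POLICY` table, `site_of`, `domain_matches` and `decide` are hypothetical names, and the two-label site rule is a simplifying assumption:

```python
from http.cookies import CookieError, SimpleCookie

# Constructed policy: any site not listed is blocked; "session" strips
# persistence; "full" keeps the cookie exactly as the server sent it.
POLICY = {"ycombinator.com": "session"}

def site_of(host):
    """Naive registrable domain (last two labels). Assumption: a real
    implementation would consult the Public Suffix List (co.uk and so on)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    d = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == d or host.endswith("." + d)

def decide(response_host, set_cookie, policy=POLICY):
    """Return (action, header) for one Set-Cookie header sent by response_host.
    action is 'block', 'session' or 'full'; header is None when blocked."""
    rule = policy.get(site_of(response_host), "block")
    if rule == "block":
        return ("block", None)
    jar = SimpleCookie()
    try:
        jar.load(set_cookie)
    except CookieError:
        return ("block", None)
    if not jar:
        return ("block", None)  # nothing parsable in the header
    morsel = next(iter(jar.values()))
    # Refuse a Domain attribute that does not cover the host that sent it.
    if morsel["domain"] and not domain_matches(response_host, morsel["domain"]):
        return ("block", None)
    if rule == "session":
        # Without Expires/Max-Age the browser discards the cookie on exit.
        morsel["expires"] = ""
        morsel["max-age"] = ""
    return (rule, morsel.OutputString())
```
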

------
loup-vaillant
I don't use cookies myself for my web site, but Apache logs a good deal of
data. I think this alone warrants a "privacy policy" page. I plan to set up
one soon.

~~~
berkes
You may be interested in Weinberg's (founder of DuckDuckGo) blog-entry on
privacy-aware logging.
[http://www.gabrielweinberg.com/blog/2010/11/how-to-not-log-p...](http://www.gabrielweinberg.com/blog/2010/11/how-to-not-log-personally-identifiable-information.html)
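
One way to reduce what an Apache access log retains, as an added example that is not part of this thread and is not taken from the linked post. It assumes the Apache "combined" log format; the function names, the /24 and /48 truncation widths and the sample line are choices made for this illustration:

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "[^"]*"$'
)

def truncate_ip(host):
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "-"  # a reverse-resolved hostname can identify a user; drop it
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def strip_query(request):
    """Drop the query string from 'METHOD target PROTOCOL'."""
    parts = request.split(" ")
    if len(parts) != 3:
        return "-"  # malformed request line
    parts[1] = parts[1].split("?", 1)[0]
    return " ".join(parts)

def referer_origin(referer):
    """Reduce a referer URL to scheme://host, or '-' if it has neither."""
    try:
        u = urlsplit(referer)
    except ValueError:
        return "-"
    return f"{u.scheme}://{u.hostname}" if u.scheme and u.hostname else "-"

def scrub(line):
    """Return a scrubbed combined-log line, or None if the line does not parse.
    The authenticated user and the user-agent are replaced with '-'."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None
    return '{} - - [{}] "{}" {} {} "{}" "-"'.format(
        truncate_ip(m["host"]), m["time"], strip_query(m["request"]),
        m["status"], m["size"], referer_origin(m["referer"]))

# Constructed sample line (documentation address range, not real traffic).
SAMPLE = ('203.0.113.77 - alice [09/Mar/2011:10:15:32 +0000] '
          '"GET /search?q=birthday+present HTTP/1.1" 200 5120 '
          '"http://example.org/results?id=42" "Mozilla/5.0 (X11; Linux x86_64)"')
```
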

------
tzumby
The point is not to prevent this law in the EU but promote it in the US as well,
we have to level the fields but at the same time move towards better privacy.

------
ericflo
EU to the internet: You shall store no state!

~~~
naich
This is not about storing state, but using cookies to track users across
domains in order to build up a profile about the user. It is only the latter
that needs explicit permission under the new law.

~~~
naich
Of course, phrasing new regulations to cover only that specific application of
cookies while allowing any other legitimate or future uses is going to be
interesting. And by interesting I mean pretty much impossible.

------
zepolen
What if I write my app in such a way that makes it critical to use google
analytics cookie, otherwise it won't work?

What defines critical?

------
sunsai
This is another stupid face of Europe's health and safety madness. No wonder
the growth rate is going down day by day in the EU. Due to all these unreasonable
regulations a lot of young start-ups have already moved to the US.

