> Traditionally, the US and the UK have taken a more relaxed approach to privacy. But the legislative and interventionist tendencies of Europe -- and of France and Germany in particular
Now, this is the first time in a decade that I couldn't avoid a smug face and tiny bit of affection formy home country..
Seriously: As others pointed out here, this is a targeted law against privacy breaches. If your company builds its business model on user tracking you'd better ask them to opt in.
I seriously cannot even understand the negative sentiment.
What's wrong with advertising geared towards your interests? Or do you enjoy watching ads on penis enlargements, gambling, whitening teeth and How To Get Rich While Sleeping?
It implies that someone has built a profile describing your interests from your behaviour. Many people find that creepy, and not worth targeted advertising. It's reminiscent of secret police behaviour with their networks of informants, and is not a distant memory in much of Europe.
It's not much different than any other recommendation system though. It's also funny how these ads exist because they work - i.e. the user actually does find them interesting, clicks on them, and discovers a product they pay money for because it brings them value.
> It's reminiscent of secret police behaviour with their networks of informants
That's a bit of a stretch.
Also I don't believe the vast majority of people care about an organisation generating a profile of your interests, otherwise services like GMail and Facebook would have failed.
Right, I agree that this 'secret police' comparison is off.
But your Facebook/GMail comparison is different as well: They are not useful/popular because of user tracking, they provide us with a free and (limited..?) useful service. I'd argue that's a bad thing as well, but I'd separate multiple levels of evil tracking:
1) You track me to sell my data and to profit from the ads. I gain nothing (you might be very lucky to guess that I want X and therefor save me from having to type "Where to buy X" into Google, but I'd not consider that useful in general).
2) You provide a free service that I'd gladly use. You track information about me to make a living, pay the costs etc.
1) is unacceptable for me, although it tends to be largely ignored in general and considered normal.
2) is on the edge and I'd like you to at least tell me about your tracking and make me aware of the general data you're collecting. It's up to me to opt-in (by using the service and agreeing to this tracking) or going elsewhere.
> You track me to sell my data and to profit from the ads. I gain nothing
Sure you do; you get to use Gmail and Facebook for free because they generate enough money from ads not to have to charge.
I can understand that there people like yourself that don't want to be tracked, that's cool, but if the majority of people don't care, should the system at least be opt-out? Or left up to the user to use the do-not-track features of browsers?
I'm not saying tracking must be forced on everyone, but this piece of legislation seems like a massive hammer to hit a very tiny nail.
You didn't understand my post. Might be completely my fault though, so let me add one last remark:
I presented two tracking reasons/models. You quote my model 1), which is about user tracking for your own sake only, without giving something in return. In other words: There's no direct connection between you selling out what you collect about me and my usage.
You talk about GMail/Facebook, which I presented as another, different example/model, 2). The quote does not apply here.
For these services I trade privacy for usage and I merely wish that the trade would be more transparent so that everyone and his mom can decide if they want to give up these details for your service or not. But - it's at least a "deal" of some sort: You give me something valuable/useful, I have to cope with your privacy invasion.
Ah sorry I see your distinction, I misread model 2), thought you were referring to gmail/facebook in model 1).
Yeah if a company is tracking me which results in me gaining nothing and them gaining income, that is quite annoying, I'm not disagreeing that in that case it's wrong. But I still don't think you are harmed in a way that requires such a sweeping piece of legislation. These sorts of rules may land up harming the free services you refer to in model 2).
If there was a way to target just the companies in model 1) without interferring too much in the user experience of all web-users, I'd be for it.
Wait, what, what's wrong with optimizing the brainwashing techniques applied to myself?
Yeah, I do prefer seeing ads for stuff I don't need and would never buy than ads for stuff I don't need but it's vaguely possible I might be brainwashed into buying. If I think I need something and I want to browse ads for that something, I will just find a relevant catalogue/industry magazine/whatever.
See, if someone finds a security bug that allows to change something in our computer's software, we freak out and go for patches. If someone finds a bug in our brains, we call that "ads custom-tailored for your needs."
"My interests" are hard to define without collecting far too much information about me.
Good example for "of interest" in my opinion:
If I shop with Amazon and bought Product A, B and C and your database of previous orders suggests that I'd like to buy the new Album of Justin Bieber: Fine, go ahead and suggest that to me.
In that case you used just the information that I sent to you and correlated that with a little bit of inventory/anonymous order history magic. I get recommendations from you because I am your customer already and provided you with a limited insight into "my interests".
Now - if you track me across sites, try to create a profile of me without my consent and my explicit knowledge and then try to sell this as being relevant, a good idea and targeting "my interests" I have some doubts that we're talking about the same thing.
For me, informed consent is the issue here. If I sign up for your website and then log in, I think it's probably fair game to target things to them. In fact, that's generally the point.
My real world analogy is an invisible store employee following you around, helping you shop, but also writing down every movement you make, and every conversation you have.
It's more than a little creepy if they do it without asking.
Simply denying aptitude is not an argument. Also, your initial comment only relies on reference to fringe advertising that (probably) nobody here would want to see.
- news isn't targeted at a particular person (unless you're using your own RSS aggregator, but then you're not (usually) giving anyone else information about what you're aggregating).
- news is generally opt-in, meaning that I choose to read bbc instead of NYTimes
There is no requirement to ask for permission to issue cookies if the cookies are "strictly necessary" for the task, such as for logging into a user account or using a one-click -style purchase. I have the impression that it will principally affect user-tracking systems like Google Analytics and those used in targeted advertising.
Something about the law is unclear to me: the ICO's summary of the law seems only to apply if you store state about the cookie. If you insert Google's javascript to issue an Analytics cookie, doesn't that make it Google's problem, since they are storing the data about the cookie? Which would be kind of harsh, since they have no control of the web page's behaviour. But the ICO report talks of there being site owner's responsibility if they cause the data gathering to happen, which suggests that is the problem of the Analytics javascript embedder.
Page 4, section "What will happen to me if I don’t do anything?":
> In light of this if the ICO were to receive a complaint about a website, we would expect an organisation's response to set out how they have considered the points above and that they have a realistic plan to achieve compliance.
So basically compliance isn't required, just a plan to achieve compliance.
"Our realistic plan is to implement an invasive po-pup sometime within the next 3 centuries."
Thats a good find. However "strictly necessary" is pretty vague. Tracking your own users on your site to optimise it for them would potentially be out of the question. Though if you sign up you could implicitly allow it with terms and conditions.
I'm still reading the ICO report. It does talk at some length about what kind of measures are needed to comply with the coming legislation, and emphasises that the rule is about privacy protection, and that uses of cookies that don't build up a picture of users aren't what it targets.
The legislation does look bad for startups whose business plan revolves around accumulating data on users or selling targeted ads, but the ICO report looks pretty aware of how cookies are used in practice and not at all the "ignorant intervention" that the article describes.
The ICO report says that is fine, provided that it is (i) sufficiently informative and (ii) you provide an update to existing users about the change in terms.
I'm wondering about the following: what if I wrote a bit of Javascript serving up a picture of a pile of cookies during normal use, which can be clicked on to to call up a pop-up window describing how my site makes use of customer-tracking software with a dialog allowing the user to switch to untracked mode. Untracked mode could be implemented by issuing -you guessed it- a cookie, but one which is only used to check that the user opts out, and so is "strictly necessary" for this approach.
It's sailing close to the wind: there's no positive act of consent; but by making it easy to see the state of privacy and change it, it is arguably more privacy-friendly than a T&C. I'm tempted to try it on my site and get feedback.
The ICO report also talks about use of browser settings to govern privacy.
One thing I don't get is how a site-owner is meant to know what cookies a 3rd party may send. If I add a Facebook "like" button to my site, does FB send a cookie? What if they don't now but decide to later. And if FB does decide to use cookies down the line, how do they ask your opt-in?
You can send cookies with any HTTP reply, so how do you know if that image you are hot-linking from a 3rd party site doesn't send back a cookie?
There seem to be so many technical vagaries that make this so tricky to implement properly.
This seems to be pretty hazy. The ICO report says we would advise anyone whose website allows or uses third party cookies to make sure that they are doing
everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.
I see this also covers the use of Flash cookies, but I wonder about the use of Etags as a tracking mechanism.
If I recall correctly, some of these sites use cookies, Flash cookies and also unique Etags on an object in the browser cache to try to work around people blocking cookies from their domains.
Any technology causes client machines to store information for later access are within the scope of the law.
The exact wording is a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber or user unless the requirements ... are met.
In practical terms though, all they're storing is a key. The actual data is held elsewhere. In the same way, an entity tag on a cached object is like a key to identify whether the object has been modified on the server since the last time it was sent.
How would it be possible to spot that it was being used for tracking a user rather than just part of the normal functioning of the browser?
That's really an enforcement problem, not a legislative problem.
Even so, I think the answer is clear: it depends on whether you store data that permits you to infer privacy-intruding things about the user. If you store a cookie that just encodes preferences and you store no persistent data about the cookie on your side, you should be fine. It's the making a relationship between client local state and your customer profiles that's key.
I don't get it, how do users login to the websites (like gmail) without using cookies ? Does this legislation target only permanent cookies that stay even after the user has logged out ?
According to the ICO report on the legislation I linked to, use of cookies needed to provide the user with a service they have requested is explicitly permitted. Likewise, if your use of the cookie does not violate privacy (i.e., you don't build up a user profile), it is OK.
AIUI it's not specific to http cookies, but applies to anything being used as a cookie. So flash cookies, html5 local storage etc all count as cookies for the purposes of this rule.
Now, this is the first time in a decade that I couldn't avoid a smug face and tiny bit of affection formy home country..
Seriously: As others pointed out here, this is a targeted law against privacy breaches. If your company builds its business model on user tracking you'd better ask them to opt in.
I seriously cannot even understand the negative sentiment.