As Ian Clarke (original designer of Freenet) put it:
"It is the responsibility of every citizen to ignore dumb laws."
And I would add that the whole world would crawl to a halt and descend into total chaos if everyone followed every law in the books. Too many laws are plain incoherent, inconsistent and impossible to follow.
The EU doesn't make (much) real law per se. Unlike the USA, the EU doesn't really have a criminal system, or federal laws etc. The EU makes member states (which are countries and states) implement a law. This law would only apply to owners of websites. They don't block websites.
No, that's not true. Where a company is domiciled has nothing to do with these regulations - they apply to any company which has users in the EU. And yes, they will apply in a slightly different form as interpreted to each member state.
And yes, this is a somewhat ridiculous situation; but in practice it's not really likely to be a problem, unless you've got a major presence in an EU market.
In practice, the UK at least is extremely unlikely to pursue any non-UK companies for breaching the UK interpretation of these regulations (which is very light-touch anyway); if only because of the difficulty in taking effective action.
Other member states might take a more or less proactive approach in pursuing action; and other countries have a different take on the regulations anyway.
Basically, if I was a small-ish non-EU based website with EU customers I'd be keeping an eye on this to see where it goes, but I wouldn't take any action yet.
If I was a large non-EU-based site with tens of thousands or millions of EU customers, I'd be paying quite a lot of attention; what I did about it would depend on my risk profile.
Will cause _gaq to simply add an array with a single element, a string that says "_link", and then return false, preventing the site from completing the default action. This is because ga.js never loads, so it never executes the queue of functions and never converts _gaq.push into a non-native function. So, you'll click the link, and nothing happens.
(I actually abhor the practice of doing this this way, because it's so easily breakable, but this is the "recommended" way of facilitating cross-domain tracking)
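The failure mode described above, as an added illustration that is not part of the thread: a stand-in for the browser's click handling simulates what happens to the recommended `_gaq.push(['_link', ...]); return false;` pattern when ga.js is blocked, next to a handler that only cancels the default navigation once the queue's `push` has actually been replaced (the `makeNavigator`, `loadGaJs`, `fragileClick` and `safeClick` names are mine; the `#__utma=constructed` suffix is a constructed stand-in for the real cross-domain parameters).

```javascript
// Stand-in for the browser: records where the page ended up navigating.
function makeNavigator() {
  return { location: null, navigate(url) { this.location = url; } };
}

// The queue exactly as the tracking snippet defines it before ga.js loads.
function newQueue() { return []; }

// Simulates ga.js loading: drains the queued commands and replaces push()
// with a function that executes "_link" by navigating with tracking params
// (the suffix is constructed for this example, not the real parameter set).
function loadGaJs(queue, nav) {
  const exec = (cmd) => {
    if (cmd[0] === '_link') nav.navigate(cmd[1] + '#__utma=constructed');
  };
  queue.forEach(exec);
  queue.push = (cmd) => { exec(cmd); return 0; };
}

// The fragile handler from the thread: always cancels the default action,
// so with ga.js blocked the command is merely stored and nothing happens.
function fragileClick(queue, href) {
  queue.push(['_link', href]);
  return false;
}

// Defensive variant: only cancel the default action if ga.js has replaced the
// native Array push (assumption: that is how ga.js takes over the queue);
// otherwise let the browser follow the link normally, without tracking.
function safeClick(queue, href) {
  const gaLoaded = queue.push !== Array.prototype.push;
  if (gaLoaded) {
    queue.push(['_link', href]);
    return false;
  }
  return true;
}

// Browser semantics for onclick: a false return suppresses navigation.
function simulateClick(handler, queue, nav, href) {
  if (handler(queue, href) !== false) nav.navigate(href);
  return nav.location;
}
```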
If you use one of the "official" Google opt-out plugins, it'll load ga.js, but it'll block any information from being sent about you to Google, it'll block Google Analytics cookies from being sent, and it won't break any site functionality.
The list is very conservative this way, but I add a bunch of sites myself and uncommenting google-analytics and other tracking sites is perfectly safe and doesn't break anything - even Google. And for cookies there's Cookie Monster.
It's a terrible thing, good only for lawyers. Nobody understands what cookies are anyway, most people think they are tiny little programs that steal their privacy in some magical way.
And nobody cares about that level of technical detail either, and why would they?
If the gov't is so keen on regulating Web stuff, they should have a regulatory body that reviews and audits Facebook's and Google's internal handling of user data, to make sure they actually don't abuse them secretly.
This cookie thing doesn't make any difference for privacy protection at all.
Definitely, it is not. Users already "opt-in" by configuring their client to accept cookies. Users could be more aware of that and use their clients appropriately if they don't wish to be tracked, but instead there will be this new layer of complexity by which a user opts in. Users (much like they have with their browser security settings) will grow accustomed to blindly opting in like they always have because it makes the thing they're trying to use work. Only now, we have an extra bit of work to do.
My point is that cookies are, and always have been, an optional feature of the web. If you go back a decade or so, you might remember annoying IE dialogs warning you that "a website is trying to put a cookie on your computer, do you accept?" While cookies may be used for nefarious purposes, they are essential to many, many legitimate features of the web like maintaining a user session, and to an end user, their importance has trained them to automatically click "Accept."
They are so ubiquitous that browsers typically accept them by default now, but they are still an optional feature. This EU mandate could have been just as well fulfilled by requiring browser vendors to have the accept-cookies warning turned on by default and let users turn it off at their peril. Instead, it has just added another chunk of compliance for web workers to adhere to. Users are still going to be the same ol' users who click "Accept" because they want to get into whatever they were trying to get into. Only now, there's a lot more room for lawsuits.
Most people don't understand the difference between "Google" and a "Browser"; cynically, I don't hold much hope people will care what browser cookies are.
I've already had to explain to my parents that cookies aren't evil, the sites they visit (BBC/Google etc) are mainstream and fine.
As an EU resident and webmaster of several sites for myself and clients, I see little benefit to my visitors other than causing me a lot of grief over trying to follow guidelines and hoping my implementation doesn't break them.
I was speaking to a client about it today, he hasn't seen anything about it and I doubt many small business owners have seen (or cared) much about it.
I hope it will raise awareness, but my cynical expectation is that the "Accept" button will become one people press habitually to get rid of an annoying banner. Sites abusing the Facebook Like button as a gateway to content are a proof of concept that this might happen.
Considering web browsers already have cookie controls built in, it seems a bit silly to incur such an enormous cost in implementing a completely redundant feature.
I think the effort would be better spent on publishing transparent descriptions of what data is collected and what it is used for than on designers each creating their own non-standard dialog boxes. The cookie issue could be "fixed" (to the extent possible with pointless legislation) with a link to an EU-published HOWTO on configuring a web browser.
If left to owners/managers/developers to implement the opt-in we risk having a variety of ways for doing the same thing. Some good, some not so good and some just bad.
A less painful solution would be to try and solve this at the browser level where the experience for end users would at least be consistent. Like a blend of DNT & private browsing mode that had extremely restrictive criteria for cookie usage - if any.
Something like Ghostery would be a nice starting point.
Of course the better solution would be to erase Article 5(3) and start again. Good intentions, bad directive.
Does anyone know of a decent and up to date guide on what is/is not allowed? The official guidance is typically not much help and my searches reveal a lot of stuff out of date and other sites that are more interested in selling me cookie analysis - so I'm taking their advice with a grain of salt.
The interpretation of the law is up to the individual countries. I've only been watching what's been happening in the UK. Until last week the guidance from the Information Commissioner's Office has been 'you need explicit opt-in' if you want to set cookies that aren't vital to your site's work (example, cookies set when a user is shopping and putting items into their cart are deemed vital, Google Analytics is not).
However last week the ICO issued new guidance saying that implied consent is OK.
So would a lot of people, but the official guidance makes it clear that they are not considered vital as far as these legal rules are concerned.
The "essential cookies are OK" criteria relate to the functionality the user has explicitly asked for, not to functionality that the site operator needs to run the site in a commercially viable fashion. Thus things like session cookies to record that you have logged in or what's in a shopping cart are OK, but things like analytics aren't allowed to piggy-back on top.
There seems to be some doubt about how seriously anyone in the UK is going to take these rules, though. Even the ICO can't get its opinion straight, and it's the government body responsible for enforcement. As I understand it, we're already taking this whole mess far more seriously than most countries in the EU, in that some web sites run by large organisations have made some effort to comply with the rules, while even that might not be true in most places that are theoretically affected.