New policy for the ICO site:
> Cookies set on arrival to the site.
I always thought the "set first and offer the user to kindly f' off if they don't like it" method was not in the spirit of the law, but that is the one that sites have adopted. There was never any realistic possibility of prosecution in that scenario, so I see this move as just the ICO accepting reality.
The ICO spent a year banging on about how you need explicit consent, and lots of people ran around implementing various solutions that make people click buttons and are generally incredibly annoying. Then, about 12 hours before the law came into effect, the ICO said "Actually, you know what? Implicit consent is fine."
On the off-chance anyone is still interested in this sort of thing, I wrote a small implicit consent script after the ICO clarified their position: http://radiac.net/projects/cookieuse/
Last May, the ICO acknowledged that in certain cases, implied consent would be appropriate and this is judged on the basis of the type of cookies that a site is looking to set plus the information that is made available to a user on its site regarding cookies.
The ICO considers that due to having had explicit consent on their site for a number of months, and due to the information generally available on their site, it was ok to switch to an implied consent approach. The cookies that are set when you go on the ICO websites do not include any third party advertising cookies.
As such, it is still for each website to consider whether in their own specific circumstances, it is appropriate to have an explicit consent or whether implied consent is ok. I appreciate that this creates ambiguity but as I understand it, it reflects the present position.
I still think the overall aim of the policy in terms of educating users as to the nature of cookies is a good one. That aim is one that is of course not particularly aimed at anyone who browses this website I wouldn't have thought.
The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.
> The ICO considers that due to having had explicit consent on their site for a number of months, and due to the information generally available on their site, it was ok to switch to an implied consent approach
Why is there a temporal component (a couple of months)? Surely new visitors come all the time. Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.
> it is not guaranteed that an implied consent will be appropriate
I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.
> I appreciate that this creates ambiguity
I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.
It's all in the intended use.
Session cookies for ecommerce and other transactional style web interaction
Advertisers' tracking cookies that track users across multiple sites without their knowledge or consent.
What about "Tracking people without their knowledge or consent" being A Bad Thing is hard to understand?
The original poster said " in certain cases, implied consent would be appropriate and this is judged on the basis of the type of cookies that a site is looking to set". Your example clearly goes beyond.
My shopping cart cookie that tracks you across multiple websites is necessary because it keeps my prices lower than my competition giving me the competitive advantage and my customers a better price on the things they want.
Keep trying though, this is entertaining.
Another good feature is what we call multisite one-click shopping. Having to enter address, credit number, cvc etc on lots of websites is daunting for the customer and can hurt conversions.
Because it's still not technically necessary for the functioning of whatever it is that the user is trying to do on your particular site.
These are all fine business reasons but (AFAICT) the entire intent of the law is that business reasons are not good enough to track people without their explicit knowledge and permission that that is what you're doing.
(yes of course they fouled up on the coding and execution of the law, bureaucrats were involved)
You didn't originally say "technically necessary," but my argument is not with you. It's with half-baked legislation. Does the legislation make the distinction? You use the phrase "technically necessary for the functioning of..." and the business guys in the company will continue to argue that yes, this is technically necessary for the functioning of their company/website/business etc.
Ask the engineers whether these things are "technically necessary" to facilitate the business plan, because the business plan is the entire reason the company exists. The answer is yes. I'd suspect the workaround is that you just don't do business with people who don't want to be tracked.
Are we going to start legislating every detail of business?
Except it's not.
"Ask the engineers whether these things are "technically necessary" to facilitate the business plan, because the business plan is the entire reason the company exists. The answer is yes."
The business plan is irrelevant. You're clutching at (false) straws here and you know very well what I mean by technically necessary for the functioning of the site; the law and/or guidelines even talk about implied consent covering only what is needed to allow the interaction between a site (the site you are ON, not a third party) and the user. In any other circumstances you have to ask. I don't understand what you find so hard about this - are you setting the cookie to enable the user to have a session on your site? Cool. Are you using it to track their movement? Not cool. End.
"Are we going to start legislating every detail of business?"
Where it starts to impinge on personal privacy, I hope so, yes.
Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user.
> Why is there a temporal component (a couple of months)? Surely new visitors come all the time. Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.
Of course there will be new visitors who will have no idea about the opt-in approach previously taken by the ICO. You are quite right to identify that to those users, the previous opt-in approach was irrelevant. Rather than focusing on individual users, to me, the ICO's approach is to identify what steps a site is taking to educate its users in general.
In reality, I'm sure a large proportion of users will click whatever box they are told to if it means they can access a site or remove a banner but that doesn't mean that a site should be excused of its obligation to at least provide information to those users who may want to learn more about the cookies being set.
In terms of content, I should have been clearer, I meant content providing clear information on the types of cookies being set.
> I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.
Yes, any law should provide clear limits to its effect so people can know when they are breaking it. From what I have read, the ICO is likely to adopt a consultative approach to enforcement in terms of letting a site know that they consider that the site could do more to educate its users as to the cookies that are being set when a user visits. By information, I mean relevant information in the form of a policy clearly explaining to users the cookies that will be set when a user visits the site.
> I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.
Heh, no, I did not create this law. I agree that ambiguity is bad, and that responsible businesses who sought to implement solutions before the ICO's u-turn on implied consent last May have incurred expenses unnecessarily which is not how laws are meant to operate.
The elephant in the room is that in certain quarters, the UK's approach to interpretation/enforcement falls short of that required to comply with the terms of the Directive. Whilst this may be the case, I'm sure sites would prefer to be subject to the ICO's softer approach at this stage than have to implement a full opt-in and be subject to harsh enforcement.
Your proposal might make a degree of sense - however, a trade mark owner's rights would generally not be revoked for lack of enforcement. A grant of trade mark rights as you mention would be subject to an implied licence which Disney could arguably revoke at any time. At worst, if they did not take action against an unlicensed use, they could be deemed to have acquiesced in the usage, and be prevented from taking enforcement action subsequently. This may be a more appropriate analogy than simply having the underlying rights (mark or legislation) removed.
I'm not particularly positive about the law itself and acknowledge that it is adding confusion and additional costs to businesses in terms of compliance. My only concern is that posts like the Silktide one are unnecessarily biased against the law and are essentially just preaching to the converted (developers/IT professionals etc. are aware of how cookies work and what purposes they achieve).
The position I laid out above is only really my interpretation of the ICO's current stance. Although completely anecdotally, only last week, some colleagues who I would consider to be your average internet user were commenting on how weird it was that adverts in relation to sites that they had previously visited were appearing on other sites. If the cookie law means even a small proportion of users are educated about cookies, I think this is a good thing.
And the arbitrator of this decision is: Some lawyer? This is why this entire law is so fantastically absurd.
Consequently, it's not necessarily at the determination of a lawyer, but I think the ICO has acknowledged that this is a difficult proposition so is taking a softer approach to enforcement.
At the very least the distinction could very easily be drawn between cookies which facilitate the sharing of information on the user's usage of multiple sites, and cookies which deal solely with the user's usage of the site where the cookie is set.
Isn't consent assumed by the fact that they've configured their browser to accept cookies?
The E-Privacy Directive specifically contemplates browser solutions as being a potential solution, however, I understand that at this stage, there isn't an acceptable implementation.
If for example a browser on first load asked what I wanted to do with cookies during that session, that might be acceptable.
I suspect browser makers are hesitant to work towards a solution because it would obviously be a blanket policy when it may be more appropriate to have a more nuanced one dependent on each site's cookie usage.
You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.
Can't one argue the same thing for setting up your website to be compliant with this law?
The fact that the easy and free solution is to just tell users to turn off all cookies in their browsers makes any laws of this type a waste.
If only users could turn off cookies in their web browser and leave the rest of us alone.
That all being said however, I'm not entirely sure it is "dead." The current legal standing from my understanding is a grey area...
It's impossible for ordinary users to distinguish between privacy invading tracking cookies and regular functional site cookies.
Also, this doesn't form "informed consent". Users have no idea what the data is used for, and this is the key to this law.
It's not about "cookies", that is just FUD. It's about being able to opt-in to very specific forms of gathering personal data.
Browser functionality is neither opt-in nor informed.
Of course it doesn't help that the UK's authority tasked with enforcing the law is utterly incompetent.
We have no problem with privacy - quite the opposite, I wish it were being taken seriously - but this law is not remotely about that. If you look at the ICO's latest report they say their audit of sites like Facebook and Google was done purely "visually". They are literally evaluating privacy by looking for banners or legal pages, and not at say the technology or intent behind it.
The ICO had dropped enough hints that they'd be lenient and go after the big boys and most evil violators first that 99% of sites were wasting their time panicking about implementing this stuff. Yet panic they did.
Could your employer sue the government for their compliance costs? Almost certainly not.
I think that's a net negative.
You, the website visitor, are running a program called a browser. This browser sends and receives data from servers that host the web sites you visit. Some of that data contains a request to store a piece of information on your computer. Your browser stores that piece information, and later when you visit the site again, it sends the same piece of information back to the site.
Note that cookies are not some evil technology created by website owners to track you. It is YOU who is running the software that stores the cookie. If you don't want cookies, DON'T STORE THEM. This is easily done in any competent browser.
By analogy, if you don't want people to store things in your basement, don't give them the keys to your basement! The current Dutch law is: after you already gave them the access to store cookies on your computer, the law forces that person to ask you again if they are allowed to store cookies. Not only does it not keep any bad people out and thus gives a false sense of security, it's also annoying.
The correct action to take is to educate people on the existence of cookies, and how to disable them completely or disable them for specific ranges of sites. This is less annoying for both the users and the site owners, and more importantly it also works for foreign sites that the Dutch law has no power over, like Google analytics & Facebook like buttons that track you all over the internet (which is a much bigger privacy concern than uitzendinggemist.nl or nos.nl). While they're at it they might as well sponsor efforts to make browsers less identifiable through other means than cookies, and support projects like Tor. Of course that's not going to happen, because the current security theater reminds millions of Dutch citizens every day that they are being protected by their politicians through messages in annoying popups.
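The mechanism the comment above describes (a server asks the browser to store a value, and the browser hands it back on later requests) is easy to model, and the model also shows why a browser-side policy such as blocking third-party cookies does the privacy work the comment wants. The following is an added example written for this thread, not code from any poster or from the ICO; the hosts (`shop.example`, `news.example`, `ads.tracker.example`), the cookie values, and the "last two labels" rule for deciding what counts as the same site are constructed assumptions (real browsers use the Public Suffix List for that decision).

```python
"""Toy browser cookie jar: stores cookies a server asks for via Set-Cookie and
returns them via the Cookie header on later requests, with an optional policy
that refuses cookies set by hosts other than the site the user is actually on.
Constructed example for illustration; not a real browser's implementation."""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


class CookieJar:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self._store = {}  # (domain, name) -> value

    @staticmethod
    def _site(host):
        # Assumed simplification: treat the last two labels as the "site".
        # A real browser consults the Public Suffix List instead.
        return ".".join(host.lower().split(".")[-2:])

    def receive(self, response_host, set_cookie_headers, top_level_host):
        """Process Set-Cookie headers from response_host while the user's
        address bar shows top_level_host. Returns the names that were stored."""
        stored = []
        third_party = self._site(response_host) != self._site(top_level_host)
        if third_party and self.block_third_party:
            return stored  # policy: embedded third parties get no storage
        for header in set_cookie_headers:
            name, value, attrs = parse_set_cookie(header)
            domain = attrs.get("domain", response_host).lstrip(".").lower()
            # A server may only set cookies for its own site, never another's.
            if self._site(domain) != self._site(response_host):
                continue
            self._store[(domain, name)] = value
            stored.append(name)
        return stored

    def cookie_header(self, request_host):
        """Build the Cookie header value the browser would send to request_host."""
        host = request_host.lower()
        pairs = [f"{name}={value}" for (domain, name), value in self._store.items()
                 if host == domain or host.endswith("." + domain)]
        return "; ".join(pairs)


def simulate(block_third_party):
    """Walk through a first-party session cookie and an embedded tracker's
    cookie across two unrelated sites; returns what each server gets back."""
    jar = CookieJar(block_third_party=block_third_party)
    # 1. User visits the shop; the shop sets a session cookie (first party).
    jar.receive("shop.example", ["session=abc123; Path=/; HttpOnly"],
                top_level_host="shop.example")
    # 2. The shop page embeds a script from a tracker, which sets its own id.
    jar.receive("ads.tracker.example", ["uid=u-42; Domain=.tracker.example; Path=/"],
                top_level_host="shop.example")
    # 3. Later the user reads the news; the same tracker is embedded there too.
    return {
        "shop": jar.cookie_header("shop.example"),
        "tracker_on_news": jar.cookie_header("ads.tracker.example"),
    }


if __name__ == "__main__":
    print("default browser :", simulate(block_third_party=False))
    print("3rd-party blocked:", simulate(block_third_party=True))
```

With the default policy the tracker receives `uid=u-42` back while the user is on a completely different site, which is the cross-site tracking the thread is arguing about; with third-party cookies blocked the shop's own session cookie still works and the tracker gets nothing, without any banner being shown.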
Education wasn't going to happen without notices like these.
But yes, the proxy ought to do more to encourage people. One problem is that two of the major browsers (Firefox and Chrome) are funded by a company that makes all its money from tracking and advertising (Google), and it's pretty unlikely they would turn off third-party cookies by default, which I think would be a good start.
People shouldn't have to take protective action in order to not get stalked by advertisers and marketers.
Such activities require opt-in and informed consent, and standard browser functionality doesn't even come close to supporting that.
Oh, I agree that the current law doesn't solve the problem.
But "educating the people" is a completely backward solution. The opaque stalking of people by the likes of Facebook and Google should be outlawed completely, and heavily enforced.
This is a ridiculous comparison. Let's not go that way.
> Such activities require opt-in and informed consent, and standard browser functionality doesn't even come close to supporting that.
Yes, as I said that's where the problem lies, so that's what should be altered. This can either be done by education, or by making the browser more resilient (e.g. let the browser do opt-in for all cookies or at least cookies sent via stuff embedded in other web pages like Google analytics and Facebook like buttons). The current solution of forcing Dutch websites to display popups is a farce as I explained because (A) it doesn't actually protect your privacy in any meaningful way (B) it's annoying. By giving a false sense of privacy it actually makes the problem worse.
Privacy laws should be about protecting privacy in general, not about a specific technology like cookies. There are plenty of genuine applications of cookies (keeping you logged in to HN for example), and there are plenty of ways for Facebook to track you without using cookies that they would happily switch to if this law applied to them (but note that those methods cannot be used to keep you logged in to HN because they are not secure so that might give somebody else access to your account -- but Facebook doesn't care about 100% reliability for tracking purposes, 99% is enough).
First, the law doesn't force websites to display popups, the law forces informed consent.
The pop-ups are a hack on top of existing sites which I agree quite clearly doesn't work. Also, there has been a clear failure by those enforcing the law in constructively thinking about the way in which such consent should be given.
Second, the law is very explicitly not about cookies nor any kind of specific form of technology. It's about invasive tracking, and other applications of cookies are in no way affected by the law. If Facebook finds a way to track people without cookies, it will still be covered by the law. The misleading name "cookie law" is a product of the anti-privacy lobby.
The law in its current form may not have the desired result, but please stop pretending it's a law created by ignorant politicians that don't understand cookies, because that is simply untrue, and it poisons any constructive debate just as much as my admittedly over-the-top comparison.
This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".
But yeah, I could have chosen a more tasteful and less over-the-top comparison. My apologies.
NOS (public news broadcaster) and Uitzending Gemist (public television catch up) are interesting cases because apparently they’re actually required by law to collect user statistics.
Requiring explicit permission to store cookies on a user's browser is more likely to encourage privacy-invading companies to use the browser's fingerprint instead. This fingerprint can be loosely tied to a real world identity, and across sites too. The user wouldn't have any knowledge of such happening and they also wouldn't have any degree of control over it. At least presently it's trivial to block the most common form of tracking: HTTP cookies.
Is the Dutch law only for .nl domains? Domains hosted in NL? Sites owned by Dutch companies?
It's almost just like in the real world...
(Also, there's plenty of jurisprudence for that when for instance it comes to online gambling.)
We're a Dutch not-for-profit, running under a US .org domain name, with some servers hosted in Germany, and our visitors come from everywhere.
Right now the decision is only to annoy Dutch visitors (based on IP), but I've been waiting to implement it until there is some clarity.
Imagine a Dutch company with servers in the Netherlands, with a .com address. Why would they be exempt from Dutch law?
I'm not arguing either way, and truthfully I'm not sure how I feel about it, but it gets hard to determine jurisdiction when you're talking about an entity (owner + domain + site files/server) being split across multiple jurisdictions.
Sometimes laws can be written as "a person/company shall not cause personal data to be stored without the user's consent" (say). So if you, in the Netherlands, programme your server in the US to store personal data without consent, then you might be breaking the law. (Since you have caused a computer to do that.)
And isn't that why sites like The Guardian, BBC etc. have been using a banner anyway?