The stupid cookie law is dead at last (silktide.com)
200 points by silktide on Jan 31, 2013 | hide | past | web | favorite | 66 comments



The cookie law is in no way dead, the ICO is just doing what every other 'compliant' site has always done.

New policy for the ICO site:

> Cookies set on arrival to the site. New cookies banner displayed. Banner explains that the website uses cookies and that cookies have been set, tells users they can change their cookie settings (via a new cookies page), or continue to use the site.

I always thought the "set first and offer the user to kindly f' off if they don't like it" method was not in the spirit of the law, but that is the one that sites have adopted. There was never any realistic possibility of prosecution in that scenario, so I see this move as just the ICO accepting reality.


Rather than what Silktide are saying, this change just seems to be bringing their own website into line with their last-minute clarification (or rather u-turn) on implicit consent.

The ICO spent a year banging on about how you need explicit consent, and lots of people ran around implementing various solutions that make people click buttons and are generally incredibly annoying. Then, about 12 hours before the law came into effect, the ICO said "Actually, you know what? Implicit consent is fine."

On the off-chance anyone is still interested in this sort of thing, I wrote a small implicit consent script after the ICO clarified their position: http://radiac.net/projects/cookieuse/


I was wondering when another sensationalist blog post would pop up from Silktide.

Last May, the ICO acknowledged that in certain cases, implied consent would be appropriate and this is judged on the basis of the type of cookies that a site is looking to set plus the information that is made available to a user on its site regarding cookies.

The ICO considers that due to having had explicit consent on their site for a number of months, and due to the information generally available on their site, it was ok to switch to an implied consent approach. The cookies that are set when you go on the ICO websites do not include any third party advertising cookies.

For other sites, it is not guaranteed that an implied consent will be appropriate where for example third-party advertising cookies are set and very little information is provided generally (for example in a specific cookie policy).

As such, it is still for each website to consider whether in their own specific circumstances, it is appropriate to have an explicit consent or whether implied consent is ok. I appreciate that this creates ambiguity but as I understand it, it reflects the present position.

I still think the overall aim of the policy in terms of educating users as to the nature of cookies is a good one. That aim is one that is of course not particularly aimed at anyone who browses this website I wouldn't have thought.


> the type of cookies

The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.

> The ICO considers that due to having had explicit consent on their site for a number of months, and due to the information generally available on their site, it was ok to switch to an implied consent approach

Why is there a temporal component (a couple of months), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.

> it is not guaranteed that an implied consent will be appropriate

I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.

> I appreciate that this creates ambiguity

I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.


"I don't understand how you decide between good and evil cookies."

It's all in the intended use.

Good cookies: Session cookies for ecommerce and other transactional style web interaction

Bad cookies: Advertisers tracking cookies that track users across multiple sites without their knowledge or consent.

See?


How about "session cookies for ecommerce and other transactional style web interaction, that track users across multiple sites without their knowledge or consent"? Are these good or bad?

We can decide on a case by case basis whether any particular use of cookies is good or bad, but coming up with a generic rule to do so is fraught with difficulties.


Well those would be bad, as they've clearly strayed well beyond necessary use of cookies as a mechanic of the website operating and into tracking people without their knowledge or consent.

What about "Tracking people without their knowledge or consent" being A Bad Thing is hard to understand?

The original poster said " in certain cases, implied consent would be appropriate and this is judged on the basis of the type of cookies that a site is looking to set". Your example clearly goes beyond.


"...necessary use of cookies as a mechanic of the website [operation]..."

My shopping cart cookie that tracks you across multiple websites is necessary because it keeps my prices lower than my competition giving me the competitive advantage and my customers a better price on the things they want.

Your turn.


Nope, you're still tracking someone without their consent, your reason is nothing to do with the technical operation of your website.

Keep trying though, this is entertaining.


By tracking the user across many websites we can give personal recommendations of new products the user might like based on their surfing habits. For instance depression is correlated with erratic surfing behaviour. By making use of these types of relationships we can offer our customers what they need when they need it.

Another good feature is what we call multisite one-click shopping. Having to enter address, credit number, cvc etc on lots of websites is daunting for the customer and can hurt conversions.

/s


Cool, all sounds useful, so you have no issue asking for the user's permission to do this?

Because it's still not technically necessary for the functioning of whatever it is that the user is trying to do on your particular site.

These are all fine business reasons but (AFAICT) the entire intent of the law is that business reasons are not good enough to track people without their explicit knowledge and permission that that is what you're doing.

(yes of course they fouled up on the coding and execution of the law, bureaucrats were involved)


Yet again, semantics matter.

You didn't originally say "technically necessary," but my argument is not with you. It's with half-baked legislation. Does the legislation make the distinction? You use the phrase "technically necessary for the functioning of..." and the business guys in the company will continue to argue that yes, this is technically necessary for the functioning of their company/website/business etc.

Ask the engineers whether these things are "technically necessary" to facilitate the business plan, because the business plan is the entire reason the company exists. The answer is yes. I'd suspect the workaround is that you just don't do business with people who don't want to be tracked.

Are we going to start legislating every detail of business?


"the business guys in the company will continue to argue that yes, this is technically necessary for the functioning of their company/website/business etc."

Except it's not.

"Ask the engineers whether these things are "technically necessary" to facilitate the business plan, because the business plan is the entire reason the company exists. The answer is yes."

The business plan is irrelevant. You're clutching at (false) straws here and you know very well what I mean by technically necessary for the functioning of the site, the law and/or guidelines even talk about implied consent covering only what is needed to allow the interaction between a site (the site you are ON, not a third party) and the user. In any other circumstances you have to ask. I don't understand what you find so hard about this - are you setting the cookie to enable the user to have a session on your site? Cool. Are you using it to track their movement? Not cool. End.

"Are we going to start legislating every detail of business?"

Where it starts to impinge on personal privacy, I hope so, yes.


> The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.

Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user.

> Why is there a temporal component ( a couple of months ), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.

Of course there will be new visitors who will have no idea about the opt-in approach previously taken by the ICO. You are quite right to identify that to those users, the previous opt-in approach was irrelevant. Rather than focusing on individual users, to me, the ICO's approach is to identify what steps a site is taking to educate its users in general.

In reality, I'm sure a large proportion of users will click whatever box they are told to if it means they can access a site or remove a banner but that doesn't mean that a site should be excused of its obligation to at least provide information to those users who may want to learn more about the cookies being set.

In terms of content, I should have been clearer, I meant content providing clear information on the types of cookies being set.

> I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.

Yes, any law should provide clear limits to its effect so people can know when they are breaking it. From what I have read, the ICO is likely to adopt a consultative approach to enforcement in terms of letting a site know that they consider that the site could do more to educate its users as to the cookies that are being set when a user visits. By information, I mean relevant information in the form of a policy clearly explaining to users the cookies that will be set when a user visits the site.

> I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.

Heh, no, I did not create this law. I agree that ambiguity is bad, and that responsible businesses who sought to implement solutions before the ICO's u-turn on implied consent last May have incurred expenses unnecessarily which is not how laws are meant to operate.

The elephant in the room is that in certain quarters, the UK's approach to interpretation/enforcement falls short of that required to comply with the terms of the Directive. Whilst this may be the case, I'm sure sites would prefer to be subject to the ICO's softer approach at this stage than have to implement a full opt-in and be subject to harsh enforcement.

Your proposal might make a degree of sense - however, a trade mark owner's rights would generally not be revoked for lack of enforcement. A grant of trade mark rights as you mention would be subject to an implied licence which Disney could arguably revoke at any time. At worst, if they did not take action against an unlicensed use, they could be deemed to have acquiesced in the usage, and be prevented from taking enforcement action subsequently. This may be a more appropriate analogy than simply having the underlying rights (mark or legislation) removed.

I'm not particularly positive about the law itself and acknowledge that it is adding confusion and additional costs to businesses in terms of compliance. My only concern is that posts like the Silktide one are unnecessarily biased against the law and are essentially just preaching to the converted (developers/IT professionals etc are aware of how cookies work and what purposes they achieve).

The position I laid out above is only really my interpretation of the ICO's current stance. Although completely anecdotally, only last week, some colleagues who I would consider to be your average internet user were commenting on how weird it was that adverts in relation to sites that they had previously visited were appearing on other sites. If the cookie law means even a small proportion of users are educated about cookies, I think this is a good thing.


>>> "Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user."

And the arbitrator of this decision is: Some lawyer? This is why this entire law is so fantastically absurd.


Technically under the directive, any storage of information on the user's system should have the full consent of the user, with the exception of information which is strictly necessary for the functioning of the service requested by the user (see 2009 amendment to the original directive[1]).

Consequently, it's not necessarily at the determination of a lawyer, but I think the ICO has acknowledged that this is a difficult proposition so is taking a softer approach to enforcement.

At the very least the distinction could very easily be drawn between cookies which facilitate the sharing of information on the user's usage of multiple sites, and cookies which deal solely with the user's usage of the site where the cookie is set.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...


> Technically under the directive, any storage of information on the user's system should have the full consent of the user

Isn't consent assumed by the fact that they've configured their browser to accept cookies?


No, consent is not assumed. From my understanding, most browsers are generally set up to accept cookies automatically. If it was the other way round, and users had to physically change their settings, this could be an appropriate opt-in.

The E-Privacy Directive specifically contemplates browser solutions as being a potential solution, however, I understand that at this stage, there isn't an acceptable implementation.

If for example a browser on first load asked what I wanted to do with cookies during that session, that might be acceptable.

I suspect browser makers are hesitant to work towards a solution because it would obviously be a blanket policy when it may be more appropriate for a more nuanced one dependent on each site's cookie usage.

You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.


> You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.

Can't one argue the same thing for setting up your website to be compliant with this law?

The fact that the easy and free solution is to just tell users to turn off all cookies in their browsers makes any laws of this type a waste.


Sorry for the brevity, but the only thing I can think of is: A-fucking-men. This is a colossal waste of time and resources, and it's a complete distraction from other -real-, -actual- privacy concerns that everyday citizens should have. This is not one of them, and there is already a solution.


Actually that would be a good potential solution to have cookies on browsers automatically disabled but one that advertising networks and companies that rely heavily on advertising revenue (Google for example) are lobbying hard against for obvious reasons. As a result, I don't think this option will make an appearance anytime soon.


> I still think the overall aim of the policy in terms of educating users as to the nature of cookies is a good one.

If only users could turn off cookies in their web browser and leave the rest of us alone.


Browsers already have the ability to ask the user if they want to accept a cookie. So all this law did was reproduce browser functionality that has existed all the way back to Netscape.

That all being said however, I'm not entirely sure it is "dead." The current legal standing from my understanding is a grey area...


No, the law also prohibited use (without permission) of such things as flash cookies and cookie-like things stored in HTML5's web storage, HTTP ETags, IE userData storage, Silverlight isolated storage, etc. The browser has no control over these things, only standard HTTP cookies for which it is responsible.


The browser has full control over HTML5 storage.


Yes, but the browser's user generally doesn't (in an easily accessible way).


No it doesn't.

It's impossible for ordinary users to distinguish between privacy invading tracking cookies and regular functional site cookies.

Also, this doesn't form "informed consent". Users have no idea what the data is used for, and this is the key to this law.

It's not about "cookies", that is just FUD. It's about being able to opt-in to very specific forms of gathering personal data.

Browser functionality is neither opt-in nor informed.


At least on Chrome, they are displayed precisely in the same manner as cookies.


The user doesn't have the same fine-grained control. In the case of HTTP cookies you can control whether session cookies are permitted independently of whether persistent cookies are allowed. I believe no such control exists in the domain of local storage.
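
Added example (not from any commenter here, nor from Silktide or the ICO): the two distinctions the thread says can be drawn mechanically, first-party versus third-party (the comment above about cookies that share information across multiple sites versus cookies scoped to the site where they were set) and session versus persistent (the comment directly above), are both visible in the Set-Cookie headers a landing page triggers. The script below parses those headers the way a browser scopes them, buckets each cookie by those two properties, and rejects Domain attributes a browser would refuse. Every host name and header value is constructed for the example, and `audit`, `parse_set_cookie`, `classify` and `domain_matches` are names chosen here, not any library's API. Whether a first-party cookie is "strictly necessary" still needs a human; the script only reports scope.

```python
"""Classify Set-Cookie headers for a consent audit.

Given the page a user landed on and the Set-Cookie headers each response
carried, report whether each cookie is first- or third-party and whether it
is a session or a persistent cookie. Hosts and headers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class CookieRecord:
    name: str
    domain: str        # host(s) the browser will send the cookie back to
    persistent: bool   # survives the browser session (Expires / Max-Age)
    third_party: bool  # domain is neither the page's host nor a parent of it
    secure: bool
    http_only: bool


def domain_matches(host: str, domain: str) -> bool:
    """True if `host` is `domain` or a subdomain of it (RFC 6265 5.1.3),
    without the public-suffix check a real browser also applies."""
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, response_host: str,
                     page_host: str) -> Optional[CookieRecord]:
    """Parse one Set-Cookie value as the browser would scope it.
    Returns None where a browser would reject the cookie (a Domain
    attribute that does not cover the responding host)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Default scope is the responding host; Domain may widen it to a parent
    # domain but never to an unrelated one.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    if not domain_matches(response_host, domain):
        return None

    # Max-Age wins over Expires; a non-positive Max-Age deletes the cookie.
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        persistent = int(max_age) > 0
    else:
        persistent = "expires" in attrs

    return CookieRecord(
        name=name.strip(),
        domain=domain,
        persistent=persistent,
        third_party=not domain_matches(page_host, domain),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def classify(rec: CookieRecord) -> str:
    """Bucket by scope alone; 'necessary' is not decidable from the header."""
    if rec.third_party:
        return "cross-site"
    return "persistent-first-party" if rec.persistent else "session-first-party"


def audit(page_url: str, responses) -> list:
    """responses: iterable of (response_url, [Set-Cookie header values])."""
    page_host = urlsplit(page_url).hostname.lower()
    records = []
    for response_url, headers in responses:
        response_host = urlsplit(response_url).hostname.lower()
        for header in headers:
            rec = parse_set_cookie(header, response_host, page_host)
            if rec is not None:
                records.append((rec, classify(rec)))
    return records


# Constructed sample: a landing page that also loads a CDN asset and an ad pixel.
SAMPLE_PAGE = "https://www.example-shop.test/"
SAMPLE_RESPONSES = [
    ("https://www.example-shop.test/", [
        "sid=3f9a1c; Path=/; Secure; HttpOnly",
        "prefs=lang%3Den; Max-Age=31536000; Path=/",
        "stray=1; Domain=other.test; Path=/",            # browser rejects this
    ]),
    ("https://cdn.example-shop.test/app.js", [
        "ab=off; Domain=example-shop.test; Max-Age=0",   # deletion, not persistence
    ]),
    ("https://ads.tracker-example.test/pixel.gif", [
        "uid=8812; Domain=.tracker-example.test; "
        "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",
    ]),
]

if __name__ == "__main__":
    for rec, bucket in audit(SAMPLE_PAGE, SAMPLE_RESPONSES):
        print(f"{bucket:24} {rec.name:6} domain={rec.domain} "
              f"persistent={rec.persistent} secure={rec.secure}")
```

Run it and the `uid` pixel cookie comes out as the only cross-site entry, the cart-style `sid` cookie as a session first-party cookie, and the `stray` cookie is dropped because a browser would never store it. Feeding it real captured headers instead of the constructed sample is the obvious next step; the public-suffix check is the main thing a production version would add.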


The law allows you to use standard browser technology, however the default browser settings do not meet the minimum standards of "actually getting consent from the user".


This is just more disinformation and FUD from the anti-privacy marketing clowns at Silktide. Nothing has changed when it comes to the EU rules on tracking cookies.

Of course it doesn't help that the UK's authority tasked with enforcing the law is utterly incompetent.


How exactly am I spreading Fear, Uncertainty or Doubt here? (I wrote that article, and run Silktide).

We have no problem with privacy - quite the opposite, I wish it were being taken seriously - but this law is not remotely about that. If you look at the ICO's latest report they say their audit of sites like Facebook and Google was done purely "visually". They are literally evaluating privacy by looking for banners or legal pages, and not at say the technology or intent behind it.

This event is newsworthy because their site - which is clearly going to be looked at as an exemplar of best practice - is changing from explicit opt-in to implicit. Essentially we're now back to 2009, when sites were expected to include privacy policies that explain if they use cookies.


Thank goodness for that. Countless hours have been lost debating how best to implement this pointless law, and the amount of business lost due to unsightly and confusing consent banners must have been huge.


I think it might have been Derek Sivers who wrote a great essay about how in business the best policy is often just to ignore silly rules and regulations (except the really serious ones) until someone pulls you up on it. I took that to heart, and that was ultimately the best policy with this.

The ICO had dropped enough hints that they'd be lenient and go after the big boys and most evil violators first that 99% of sites were wasting their time panicking about implementing this stuff... yet panic they did.


Yes, given that my employer, a FTSE 100 publisher, must have spent a huge amount of time and money on this stupid law - can we claim this back against our tax bill?


Well, yes. Generally and imprecisely speaking, expenses are deducted from revenues and the net is what's taxable. Your employer will end up paying a little less corporation tax because of it. Whether it's a net loss for the government is another matter, as what isn't paid in corporation tax might be paid in national insurance and individual income taxes.

Could your employer sue the government for their compliance costs? Almost certainly not.


Yes very cute but that only gets a $TAXRATE percentage refund on the wasted money. The rest is gone.


A similar law is still going strong in The Netherlands. As of this year, most Dutch sites greet you with an annoying pop-up.


The best (worst) thing about this whole law is that these sites used to work fine without cookies, but now no longer do. In effect, while making a sincere (and successful!) attempt at making cookie use more transparent, thereby enhancing user privacy, they unintentionally made cookie use more pervasive, thereby hurting user privacy.

I think that's a net negative.


Annoyance, related to privacy. I vote for being "annoyed".


In the abstract, I agree. Only somebody who does not understand cookies would say such a thing in this context however (like our Dutch politicians).

You, the website visitor, are running a program called a browser. This browser sends and receives data from servers that host the web sites you visit. Some of that data contains a request to store a piece of information on your computer. Your browser stores that piece of information, and later when you visit the site again, it sends the same piece of information back to the site.

Note that cookies are not some evil technology created by website owners to track you. It is YOU who is running the software that stores the cookie. If you don't want cookies, DON'T STORE THEM. This is easily done in any competent browser.

By analogy, if you don't want people to store things in your basement, don't give them the keys to your basement! The current Dutch law is: after you already gave them the access to store cookies on your computer, the law forces that person to ask you again if they are allowed to store cookies. Not only does it not keep any bad people out and thus gives a false sense of security, it's also annoying.

The correct action to take is to educate people on the existence of cookies, and how to disable them completely or disable them for specific ranges of sites. This is less annoying for both the users and the site owners, and more importantly it also works for foreign sites that the Dutch law has no power over, like Google analytics & Facebook like buttons that track you all over the internet (which is a much bigger privacy concern than uitzendinggemist.nl or nos.nl). While they're at it they might as well sponsor efforts to make browsers less identifiable through other means than cookies, and support projects like Tor. Of course that's not going to happen, because the current security theater reminds millions of Dutch citizens every day that they are being protected by their politicians through messages in annoying popups.


The basement analogy is flawed. It's like a proxy holding your keys and giving them to anyone that asks, without your knowledge.

Education wasn't going to happen without notices like these.


Yes, I wanted to keep it simple. The fact is that that proxy (the browser) is the problem, and is also where the solution lies, not in the subset of people that Dutch law happens to apply to who make use of that proxy to obtain your keys.


Making them tell you they want the keys and give you a reason isn't all bad.

But yes, the proxy ought to do more to encourage people. One problem is that two of the major browsers (Firefox and Chrome) are funded by a company that makes all its money from tracking and advertising (google), and it's pretty unlikely they would turn off third-party cookies by default, which I think would be a good start.


I wouldn't be against a law that requires browsers to make third party cookies opt-in. Note also that the current law has no effect on Google's tracking whatsoever.


All analogies are flawed and quickly break down. They're only designed as a linguistic aid to help explain a concept by likening the unfamiliar to the familiar. They're not designed to describe the concept itself.


This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".

People shouldn't have to take protective action in order to not get stalked by advertisers and marketers.

Such activities require opt-in and informed consent, and standard browser functionality doesn't even come close to supporting that.

Oh, I agree that the current law doesn't solve the problem.

But "educating the people" is a completely backward solution. The opaque stalking of people by the likes of Facebook and Google should be outlawed completely, and heavily enforced.


> This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".

This is a ridiculous comparison. Let's not go that way.

> Such activities require opt-in and informed consent, and standard browser functionality doesn't even come close to supporting that.

Yes, as I said that's where the problem lies, so that's what should be altered. This can either be done by education, or by making the browser more resilient (e.g. let the browser do opt-in for all cookies or at least cookies sent via stuff embedded in other web pages like Google analytics and Facebook like buttons). The current solution of forcing Dutch websites to display popups is a farce as I explained because (A) it doesn't actually protect your privacy in any meaningful way (B) it's annoying. By giving a false sense of privacy it actually makes the problem worse.

Privacy laws should be about protecting privacy in general, not about a specific technology like cookies. There are plenty of genuine applications of cookies (keeping you logged in to HN for example), and there are plenty of ways for Facebook to track you without using cookies that they would happily switch to if this law applied to them (but note that those methods cannot be used to keep you logged in to HN because they are not secure so that might give somebody else access to your account -- but Facebook doesn't care about 100% reliability for tracking purposes, 99% is enough).


Again with the disinformation.

First, the law doesn't force websites to display popups, the law forces informed consent.

The pop-ups are a hack on top of existing sites which I agree quite clearly doesn't work. Also, there has been a clear failure by those enforcing the law in constructively thinking about the way in which such consent should be given.

Second, the law is very explicitly not about cookies nor any kind of specific form of technology. It's about invasive tracking, and other applications of cookies are in no way affected by the law. If Facebook finds a way to track people without cookies, it will still be covered by the law. The misleading name "cookie-law" is a product of the anti-privacy lobby.

The law in its current form may not have the desired result, but please stop pretending it's a law created by ignorant politicians that don't understand cookies, because that is simply untrue, and it poisons any constructive debate just as much as my admittedly over the top comparison.


> This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".

That's a pretty spot-on analogy and I, for one, am impressed by the depth and nuance you've brought to this discussion.


The point of the analogy is "blaming the victim", which imho is spot-on.

But yeah, I could have chosen a more tasteful and less over the top comparison. My apologies.


Shame is that at many sites it’s not really opt-in. If you disagree, you get a lecture on why the site is obliged to track you and then you can accept anyway or leave. A cookie wall, if you will.

Examples:

* http://tweakers.net

* http://nos.nl

* http://uitzendinggemist.nl

NOS (public news broadcaster) and Uitzending Gemist (public television catch up) are interesting cases because apparently they’re actually required by law to collect user statistics.


Be that as it may, you can still be tracked without cookies (HTTP or similar) just by looking at the browser's fingerprint. This method is less reliable which is why it hasn't been used in preference to cookies.

Requiring explicit permission to store cookies on a user's browser is more likely to encourage privacy-invading companies to use the browser's fingerprint instead. This fingerprint can be loosely tied to a real world identity, and across sites too. The user wouldn't have any knowledge of such happening and they also wouldn't have any degree of control over it. At least presently it's trivial to block the most common form of tracking: HTTP cookies.


One thing that is still unclear to me about the Dutch law:

Is the Dutch law only for .nl domains? Domains hosted in NL? Sites owned by Dutch companies?


The Dutch law applies to any company doing business in the Netherlands. So it applies to Facebook and Google as well as local Dutch sites, because they have offices here and accept money from Dutch users/advertisers.

It's almost just like in the real world...

(Also, there's plenty of jurisprudence for that when for instance it comes to online gambling.)


"Doing business" is also complicated.

We're a Dutch not-for-profit, running under a US .org domain name, with some servers hosted in Germany, and our visitors come from everywhere.

Right now the decision is only to annoy Dutch visitors (based on IP), but I've been waiting to implement it until there is some clarity.


What's the penalty for non-compliance in NL?


Maximum penalty is a fine of up to around 450.000 euros.


It is nearly always the case that the country the servers are in, and the country the owners (persons/companies) are in is the relevant law.

Imagine a Dutch company with servers in the Netherlands, with a .com address. Why would they be exempt from Dutch law?


Why would a Dutch company operating a .com on a US server, or an American company operating a .com (or .nl for that matter) on a Dutch server not be exempt?

I'm not arguing either way, and truthfully I'm not sure how I feel about it, but it gets hard to determine jurisdiction when you're talking about an entity (owner + domain + site files/server) being split across multiple jurisdictions.


Your server doesn't have to be in the US to operate a .com (or in the Netherlands to operate a .nl).

Sometimes laws can be written as "a person/company shall not cause personal data to be stored without users' consent" (say). So if you, in the Netherlands, programme your server in the US to store personal data without consent, then you might be breaking the law. (Since you have caused a computer to do that.)


IIRC it's an EU directive (ePrivacy), which each member state has to implement. Hopefully, everyone will see sense with the directive.


I'm sorry but hasn't this been the case for a good while now? I remember seeing this on the Guardian last year:

http://www.guardian.co.uk/technology/2012/may/26/cookies-law...

And isn't that why sites like The Guardian, BBC etc. have been using a banner anyway?


It's significant because they're the regulator, and now they're changing to do what everyone else is, instead of telling everyone else to do what they've been doing.


Well at least they realised they were being a bit thick; they could have just kept on blindly enforcing it. I think it really hit home when they lost a serious percentage of their analytics data.


A "serious amount of their analytics data" was already lost to US.com



