Advertisers say new cookie law met by browser settings

Advertising trade bodies have claimed that a new law passed this week by the European Parliament will not require website publishers to ask permission to put cookies on a user's computer. They argue that browser settings will imply consent. The European Parliament today voted to approve the European Commission's Telecoms …


This topic is closed for new posts.
  1. AndyS


    IAB, who want to push advertising, interpret the new law as meaning that nothing needs to change.

    Well here's another interpretation. I think that, by visiting the Register, a cookie tracking my login details and, say, new preferences is essential to the service being offered.

    I do not feel that a third party tracking cookie is essential.

    So, nothing needs to change in the provision between the 1st and 2nd party, but bolt ons that are not obvious or explicitly associated with the site I'm visiting (advertising and tracking cookies, for example) need my permission.

    What's more, I'm pretty sure that my interpretation is closer to that intended than the IAB's.

  2. Anonymous Coward
    Paris Hilton

    That said, the problem these days..

    ..isn't normal browser cookies. Those can be managed quite effectively by letting your browser delete private data on exit- which is less of an inconvenience than you'd imagine.

    The problem has now moved- people use flash cookies to track you, in some cases. A lot of people don't realise that flash allows a small amount of persistent local storage by default in many cases. The interface is relatively obscure, closed and crummy, and many folks don't realise that it even exists.

    Thus, any sort of fuss about browser cookies is actually useful to the sneaky malfeasants. As long as people don't get cross about the actual tracking mechanisms, the likelihood of decent management tools emerging is somewhat reduced.

    Aluminium hats on, everyone!

  3. Subban

    They are wrong.

    "has given his or her consent, having been provided with clear and comprehensive information"

    A login cookie is a prime example of a requested service, though a brief text when the box is ticked to "remember login" isn't going to hurt anyone and would be simple to do.

    I have no idea what information literally any cookie on my computer holds though or what and who it tracks or relates to, so there sure as hell is not "clear and comprehensive information" available already, so they better had pull their socks up.

  4. Doug Glass

    Hear Ye!, Hear Ye!

    By this post I announce to the world that killing me is forbidden. Likewise, you shall commit no other crime of any kind against me, my family and to all those I choose to offer such protection.

    There, that's covered and I may now live in total harmony with all creatures and suffer no harm, or attempted harm, from any person or corporate entity ever again.

    Too bad not harming people isn't simply some sort of moral "law". Or given the context here, why isn't not harming the default position. Hmmmm ... I sort of always thought it was. Oh well, I guess I was wrong but no matter, I'm protected now.

    Really I am, I mean y'all going to do as I say right? Good, I thought so.

  5. Fluffykins Silver badge

    You want me to host your crud on my PC?

    Then you ASK.

    Your site may change. If you don't ask each time I won't know.

  6. Alexander Hanff 1

    How many times does it need saying?

    I have to say although I am not surprised the IAB are trying to spin these amendments to 5(3) into something they are not; I am surprised that they have to be told by the Commission so many times that they are wrong.

    I have heard Commissioner Reding state explicitly over and over again for the past month that these new rules require "prior informed consent". The Commission is quite clear on this and we have a guarantee from the Commission (via multiple public speeches made by Commissioner Reding) that they will not shy away from taking infringement action against Member States who fail to enforce EU Law (such as the current action against the UK for allowing BT and Phorm to intercept consumers' Internet communications).

    I would advise any organisation (commercial or otherwise) to think very carefully before they start using the IAB as advisors on how to use cookies in the future in light of these amendments. It is clear the IAB (and again Struan seems to be riding on this bandwagon) have a vested interest in misleading the public on the issue as the new rules are going to hit advertising companies hard. No longer are they permitted to use Opt-Out to capture almost 100% of the market, now they must prove the validity of their services by attracting consumers to Opt-In.

    Of course the advertising industry has been impotent for decades which is why they rely so heavily on Opt-Out models; so it is understandable that they might be a bit worried since they don't even have any confidence in their own business models to attract people to Opt-In.

    What else is there to say other than don't trust the industry or the media to give unbiased coverage on this issue as they all share the same bed. The new rules are a victory for consumer privacy and this scares a lot of people with vast bank balances built from the collection and selling of our personal data.

    And don't worry IAB, I am not going anywhere - see you in the ring.

    Alexander Hanff

  7. Alexander Hanff 1
    Thumb Up

    Opt-In 101

    I have devised a solution for the IAB's Cookie Woes free of charge -

    Alexander Hanff

  8. Richard IV


    I can go with this argument so long as browsers are set to not use cookies by default.

    1. Tom 35

      Cookies blocked by default

      That would make it opt-in. Advertisers HATE opt-in. Who is going to say "yes, more ads please".

      They want it to be opt-out, and they want to hide the opt-out option.

  9. Anonymous Coward

    Browser controls?

    ... they just don't work. When a site needs a cookie for log in reasons, no browser can differentiate between that cookie and the first party cookies set by Google-analytics or any other tracking or advertising provider. So much tracking is now done through subdomains, using domain cookies that asking for permission before setting such cookies can be the only way to interpret the new requirements.

    "I just can't see the national regulators wanting to prosecute just because a company uses cookies to select adverts without seeking prior consent." - Really? That seems to have put some shine onto the requirements. A cookie knowing which ad was displayed previously so that you don't get to see the same ad all the time is one thing. A cookie which tracks you round the internet and is used to index your profile is quite a different type of cookie.

    I can see a few people being happy with the first kind of cookie. The second kind is what saw the birth of a whole industry to keep our computer systems free from adware tracking cookies and I will be most upset once this legislation is in place if some tracker tries to get around me by having permission for one type of cookie and then stealing onto my computer with another kind.

    I do hope the UK regulators are aware of sneak-ware, including all the non-cookie tracking methods over which no browser has any control.
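
Added example, not part of the thread or of any commenter's post: a small audit of the Set-Cookie headers seen while loading one page, showing why a first-party/third-party test alone cannot separate a login cookie from an analytics cookie set on the same site. The hosts, cookie names and the two-label `site()` shortcut are assumptions made for illustration.

```javascript
// Constructed sample: responses seen while loading a page on www.example.com.
// All hosts, cookie names and values are hypothetical.
const PAGE_HOST = "www.example.com";
const SAMPLE = [
  { host: "www.example.com", setCookie: "session=abc123; Path=/; HttpOnly; Secure" },
  { host: "www.example.com", setCookie: "_visitor=GA1.2.111.222; Domain=example.com; Max-Age=63072000" },
  { host: "metrics.example.com", setCookie: "uid=77f0; Domain=.example.com; Max-Age=31536000" },
  { host: "ads.tracker.test", setCookie: "id=9c1e; Domain=tracker.test; Max-Age=31536000" },
];

// Simplification (assumption): the site is the last two labels. A real audit
// needs the Public Suffix List so that e.g. "co.uk" is not treated as a site.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie value into its name plus lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attr[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, attr };
}

function classify(pageHost, entry) {
  const { name, attr } = parseSetCookie(entry.setCookie);
  const domain = attr.domain ? String(attr.domain).replace(/^\./, "").toLowerCase() : null;
  const party = site(entry.host) === site(pageHost) ? "first-party" : "third-party";
  // Host-only cookies return only to the exact host that set them;
  // a Domain attribute shares them with every subdomain of that domain.
  const scope = domain ? `domain-wide (${domain})` : "host-only";
  const persistent = "max-age" in attr || "expires" in attr;
  return { name, setBy: entry.host, party, scope, persistent };
}

function audit(pageHost, entries) {
  return entries.map((e) => classify(pageHost, e));
}

console.table(audit(PAGE_HOST, SAMPLE));
```

Only the last row is caught by a "block third-party cookies" setting; the second and third rows are first-party, persistent and shared across every subdomain, so the party test treats them the same as the login cookie.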

  10. Version 1.0 Silver badge

    Delete all cookies when the browser closes

    ... and run firefox with noscript.


  11. blackworx
    Paris Hilton

    Boot ==> Other foot

    If these marketing snakes' self-serving interpretation is correct and the law really does state that browser settings explicitly imply user consent, then we need further legislation to make sure all browsers default to, as an absolute minimum, no 3rd party cookies. See how much the oily little satan-fellating gobshites like it then.

    Bottom line: who in their right mind, if ever explicitly asked: "Do you want to allow to track your online movements? Yes/No" is ever going to hit Yes?

    Christ, even those of us who know how to control cookies can't be arsed to do it right most of the time. How much chance does Granny Miggins have of knowing she's supposedly consented to these scum-sucking bottom feeders tracking her online movements?

    Paris because fellatio.

  12. BTUser

    Conveniently Ignored!

    Look at the provisions outlined here, which were conveniently ignored!



    Spam and cookies law in force today in UK

    OUT-LAW News, 11/12/2003


    Require businesses to gain prior consent before sending unsolicited advertising e-mail to individuals, except where there is an existing customer relationship;

    Require that the use of cookies or other tracking devices are clearly indicated and that people are given the opportunity to reject them. (Cookies are small text files used by most commercial web sites. The files are sent from a web server to a web site visitor's computer and are stored on the hard drive, so that when the user visits the web site again or visits another page of the site, the site will remember him);

  13. Anonymous Coward
    Thumb Down

    Proof by contradiction?

    1) Suppose that the correct interpretation is that browser settings imply consent.

    2) Now suppose I set my browser to reject the cookies I don't want to give consent to.

    3) The web site cannot now set those cookies. Therefore the law says, in effect:

    "It is illegal for you to set cookies if, and only if, it is impossible for you to set them"

    4) Therefore the law is completely unnecessary if interpretation (1) is correct.

    5) Therefore interpretation (1) was not the interpretation intended by the law makers.

  14. Anonymous Coward

    Bush Monkey Spanner

    This SetTopBox's browser software is fixed in ROM & allows cookies, but no cookie settings.

    At what point did I permanently agree to surveillance cookies on this machine? Retrospectively - when purchased?

  15. mike2R

    Stupid law

    "It would be better for everyone if the IAB Europe's view is right," said Robertson. "It is a pragmatic way to interpret a very bad law that otherwise damages the user experience on websites."

    Couldn't have put it better myself. If the EU really, really, really want to 'solve' this non-problem then they should mandate that browsers refuse cookies by default. Completely pointless of course, but at least it will cause less problems than the current idiocy.

  16. Richard 12 Silver badge

    Dear IAB

    “Is she talking about cookies that track users across websites to deliver better advertising..."

    Yes, she is. Tracking users is ipso facto spying on them, and advertising is never technically necessary.

    (Although it might be *commercially* required.)

  17. Elmer Phud
    IT Angle

    Wassa cookie then?

    "They argue that browser settings will imply consent"

    Which assumes that people know what cookies are, that they exist and that folks are aware they can play with browser settings other than changing appearance and adding bookmarks.

    Advertisers rely on people not knowing what's going on with their browser.

    And rely on people happy to use browsers without AdBlock.

    They need their target market as dumb as possible.

  18. Anonymous Coward

    A Cookie is...

    "Cookies are small text files which websites place on a visitor's computer. Sites can use cookies to identify users and publishers, advertisers and advertising intermediaries rely on them to select adverts for websites."

    No Shit Sherlock! This is an IT site you know!

    Now everyone, vote this comment down so that everyone will read it! HAHAHA

  19. John70


    And what about non-EU advertising companies. Will this ruling affect them?

    The advertisers should be forced to use .ads domain so we can block them out in one go.

  20. sotar

    It is quite clear!

    Unlike the IAB the wording seems quite clear to me.

    The change from


    is only allowed on condition that the subscriber or user concerned has given his/her prior consent, which may be given by way of using the appropriate settings of a browser or another application, after having been provided with clear and comprehensive information




    ... is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ...


    The replacement of 'prior' and 'after' with 'having' doesn't change the meaning. My Oxford English Dictionary gives a definition of 'having' as 1. A possession 2. The action or condition of having possession.

    It's clear that a user must be in possession of 'clear and comprehensive information' before their consent can be given.

    The relegation of using browser settings for giving consent also makes clear that the consent must come first and changing the browser settings is simply one method by which you give that consent.

    Lastly it is clear that implied consent for storage/access of information on a user's PC is only allowed if it is strictly necessary to carry out an explicit request by the user. So unless I go to a website and explicitly request to be tracked or advertised at, I can't see any reason why there should be tracking/advertising cookies on my PC.

  21. David Webb


    It'll just be added to the ToS that you agree to have 3rd party cookies set up when you register for the website (though what to do with sites where you don't register?).

    What about sites outside the EU but use location based adverts so show adverts from inside the EU? Tricky that.

  22. Field Marshal Von Krakenfart


    So no longer will we have to listen to bullshit from advertisers about people who use adblock are stealing.

    A quick reminder, PeerGuardian, modified HOSTS file; adblock, noscript and Betterprivacy for Firefox; SuperAntiSpyware etc. etc.

    It's my computer, the battlefield belongs to me....

  23. Evil_Trev

    Did I read that right ?

    You know this bit...

    ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses)

    So someone thinks that malware authors are going to tell me about a cookie because the law says they must? Ehh?

  24. Graham Marsden

    How can you consent...

    ... when you don't even know a cookie is being stored?

    I have Firefox's cookie settings to "ask me every time" and I've found that even if I'm only looking something up on google, often I get a message that the top site on the search is asking to store a cookie on my computer!

    Why, for gods' sake? I haven't even *visited* the damn site and already it's trying to shove its cookie down my metaphorical throat.

    I only ever give most cookies "Allow for Session" permissions apart from the ones from obvious tracking/ advertising servers which I deny, I also use the Better Privacy add-on to get rid of Flash based cookies, yet still when I run Spybot or AdAware I get warnings of tracking cookies that have slipped through the net.

    Of course Advertisers are going to try to interpret these regulations in the way that's most favourable to them, what we need is TPTB telling them to stop playing silly buggers...

  25. Quirkafleeg


    It seems to me that the only sensible way to do this is for the browser to default to asking about each cookie. This, however, leads to a problem: there would need to be a way of getting cookie descriptions, either via HTTP headers (which is how cookies are sent – they are NOT files, even though a certain monopolist's browser might store them as such) or via an extra HTTP request.

    Otherwise, the only way that I can see (at the time of writing) that this would work is to just set the cookie(s) (subject to browser settings) and to provide a page which describes them and link to that page from any pages the accessing of which would cause the cookie(s) to be set.
