back to article Privacy watchdogs: Silence isn't cookie consent

Advertisers are wrong to say that websites can comply with a new law governing internet cookies by relying on a user's cookie settings, Europe's privacy watchdogs have said. The Article 29 Working Party has published its interpretation of the new law. Prior consent is required, according to the privacy watchdogs. However, …


This topic is closed for new posts.
  1. Trevor_Pott Gold badge


    For you I play this; the world's smallest violin.

    1. Anonymous Coward

      Huh ?

      May I request an anti-violin and unrealistic tune ?

  2. jake Silver badge


    Who allows cookies from J. Random Stranger?

  3. Paul 4

    What they realy don't like

    Is that most people will say no.

  4. Mike Cardwell

    HTML5 - Local Storage

    Is this really just for cookies? If so, it's a little short sited. Local storage in HTML5 anybody? Most adverts require JavaScript in order to work anyway, so there's nothing stopping the advertisers JavaScript from storing data locally in the web browser, and then fetching it later when another advert is loaded from JavaScript on the advertisers domain. All without using cookies.

  5. Anonymous Coward
    Anonymous Coward

    Advertisers have been getting away

    with this for YEARS. I never asked for cookies and never wanted cookies. I do not want to give advertisers ANY information and I certainly do not want them serving me ads.

    If I want something, I'll look for it.

    This just redresses the imbalance. After all, if these people were playing fair to start with, there would be no need for this action to be taken.

    I agree with Paul4, the advertisers are sh*tting themselves because the majority will say NO.

    They can say bye bye to their new cars.

  6. Anonymous Coward

    Briliant if its upheld and enforced

    If this is upheld and actually policed, then it's fantastic news. Just think - all those zillions of ccokies that are of no practical value to you at all will be gone. Poof!! Google will love this - NOT!

    Af for...

    "The Directive currently does not require an opt-in for cookies. In practice such a requirement would mean that users would have to confirm every single cookie placed on their PCs, leading to a permanent disruption of their Internet experience," said [...] the Internet Advertising Bureau Europe.

    So ...errr ....stop asking for permission and stop setting the cookies? Sounds like a very simple solution to me. In fact, it's less work for all concerned :-)

    Of course, they won't want to do this resulting in loads of web sites dropping their ads because they are distrupting the user experience and turning customers away. Hey! We have a result :-)

    I'm sure I'm not alone in the view that while I realise that advertising exists, it really rattles me that the advertisers try and kid us that they are doing us a favour, and that we really want this stuff. Even though they know they are not kidding anyone, they still persist with this line. Now if only we had an opt-in law for junk snail mail. I'd vote for that.

  7. Anonymous Coward


    "leading to a permanent disruption of their Internet experience"

    This is coming from an ADVERTISER.

  8. Anonymous Coward

    Waste of time

    It won't do them much good with me, either way; as far as I can, I try to boycott things I've seen aggressively advertised.

  9. Woodgar

    Do Not Want

    "Advertisers and publishers would rather not ask that question if they can avoid it because the answers could damage their businesses."

    I think that says it all.

  10. Harry

    "The Directive currently does not require an opt-in for cookies"

    That sounds like a very good reason for *changing* the directive, rather than arguing about whether it does or doesn't imply something that may or may not be interpreted by courts in the same way that the originator intended.

    I'd go strongly for the concept that a first party site (ie, the site you're actually visiting) can save a cookie unless you've expressly told it not to -- but that a *third* party site (eg a spyware site, or any content accessed through the URL of a different subdomain) cannot, unless it has your explicit, annually renewed and not subsequently revoked, consent

    Furthermore, I'd suggest it is high time that information about users (whether stored in a cookie or otherwise) be confidential (being prohibited from being sold or used by any other party) and communicated only within the single subdomain.

    Similarly, third party sites which obtain any information about the user on the first party site must separately sandbox the information for each of the sites to ensure that such information is only used in relation to the transactions with the same first party site, and again being prohibited from being sold or used by another party.

    1. CD001



      Furthermore, I'd suggest it is high time that information about users (whether stored in a cookie or otherwise) be confidential (being prohibited from being sold or used by any other party) and communicated only within the single subdomain.


      Ordinarily about all you'd actually store on the cookie is a hash value or similar - what goes into the cookie isn't _really_ that important - the issue is what the site does with any user information or profile it has associated with that cookie.

      You simply store all the tracking data you like in the session - you don't have to get consent from the user because the session is essential to run the site (unless you're just a search engine maybe) and you've still got all your lovely profiled data. Of course, this doesn't hold true for third party adverts.

      Having your browser delete cookies on exit pretty much avoids this whether it's data in a cookie or otherwise. However, it was recently shown that it's possible to get an almost unique system fingerprint based on the data send by the browser over HTTP though, so this isn't entirely safe.

  11. shawnfromnh

    false beliefs

    First off this is only going to cut into ad agency profits as in Google and the likes. Second I rarely will even consider buying anything and never online. Third if an ad is irritating I make a point NEVER to buy that product and even telling my friends not to buy from them.

    Hell they want to sell to internet users then do static ads with a logo and a saying like Do the Dew or Got the munching then have some Cheetos. Heavy ads are a deterrent to sales and if I had a business I'd create obnoxious irritating ads for my competitors and put them on the internet and drive their sales down.

  12. Anonymous Coward


    Does this law extend to 'Flash cookies' too? 'Cos it should.

  13. phen

    Easily achievable, most unwelcome

    Imagine a world where your browser was set to "Ask me about every cookie", but you couldn't change it. That's basically what this proposal boils down to.

    The real answer is to redesign how cookies are handled at the browser level. A default policy of "No to all cookies" coupled with a NoScript style button that allowed you to grant specific sites the ability to read and/or write specific cookies from a selectable list of user inspectable cookies, is a step in the right direction. Of course, it's still difficult to say what a cookie is for just by reading it, so this is only part of the answer (although sorting them by domain helps if the domain is named something like, say double-click ;).

    The obvious benefit is that cookie makers (ad bakers?) don't have to be trusted to obey such policies. They can't abuse them because the local browser is in charge. It is opt in by design, rather than social contract.

  14. Tom 35

    Do you want us to track you?

    99.9% will say no.

    You can block cookies, but most people will just keep the default (I expect most people don't even know what they are) and allow cookies. This is what they count on. If it becomes opt-in their whole business model is shot.

    And don't forget that they use things other then normal cookies, like flash. Flash LSOs can act just like a cookie and there is no built in access to settings, you have to go to a website,

    or download 3rd party software like the firefox Better Privacy addon.

  15. RW

    @ Phen

    "Imagine a world where your browser was set to "Ask me about every cookie", but you couldn't change it. That's basically what this proposal boils down to."

    No, it doesn't boil down to that at all. It boils down to "Advertisers! Stop tracking online browsing with cookies!"

    Advertising, like politics, spin doctoring, counterfeiting, and the forging of art and antiquities, is just another form of professional lying. We all know that advertisements and their claims (both implicit and explicit) are complete nonsense, and no right-thinking individual pays the slightest attention to most adverts. Except, perhaps, to see what specials the grocery stores have this week.

    The real suckers in all this are the businesses that pay for advertising. I doubt it does them any good whatsoever. After all, historically the Hershey chocolate company never advertised their signature "Hershey Bar", and sales were good. And condoms, which all adults outside convents know about, weren't advertised until 1970 (in the US). Yet sales were good and brand awareness, while not exactly widespread, certainly existed.

    What all this leaves is a black hole regarding financing. I'd really prefer a micropayment system, myself, and be done with cookies, ads, and all the rest of the advertising companies' infrastructure.

    1. phen

      A difference of policy and implementation

      The fact that this policy requires your explicit opt in, will in practice mean that either:

      A) The ad companies will have to track your unwillingness to be tracked.

      B) They'll have to ask you every time.

      Choosing B will allow them to pester you into eventually giving in just to shut them up. Option A will allow them to track you while claiming they're only doing it to ensure your wishes are met.

      The internet isn't a country of its own with a police force that will stop you doing things some body somewhere says you shouldn't. The only laws that are followed are those that are technically imposed.

      The best a policy can hope for is to push the offenders into a different legal jurisdiction where the laws are more lax. Unfortunately, the laws there will often be more lax in other areas too.

  16. Anonymous Coward


    "Advertisers had argued that because browser software can block cookies, any user who does not block cookies is effectively giving consent."

    This is the sort of reason I don't let advertising anywhere near my computer. A hosts file, 64-bit IE8 and adblock+ block list seem to do the trick. And if I ever ACTUALLY want to see something that I've blocked, I can just disable the one that caught it.

    --Now I just need to find a decent way to get rid of those new fangled inlined ads...

  17. Steve Roper

    No problem

    Just a little bit of extra HTML in 8 pt Arial in the footer just below the copyright and ToS links:

    "This website uses cookies to enhance user experience. Use of this website constitutes consent to store one or more cookies in your browser. If you do not agree please <a href="about:blank">click here</a>."

This topic is closed for new posts.

Other stories you might like