I'm probably mistaken
But don't most modern browsers allow you to block cookies by default, requiring user confirmation to allow them? If so, what is Vaizey asking for?
The deadline for the implementation of a European privacy law on cookies passed with a whimper at midnight last night, after just two Member States issued a full notification to Brussels. Meanwhile, 19 of the 27-bloc countries that make up the European Union ignored the 25 May deadline on implementing the full, or indeed …
but this directive assumes (unfortunately correctly) that Average Joe Internet User wouldn't know what a cookie was if it jumped out of his screen and bit him on the face. It also assumes (obviously incorrectly) that cookies are, by default, the evil wrongdoings of the dark side. It's most likely all kicked off due to some politician having to explain an embarrassing cookie to his wife or something.
This is yet another law that is there to pamper and pander to the stupidity of the end user. "I can't work out how to change cookie settings so that means you should write a law to protect me". Utter bullshit. Yet more support for the notion that there needs to be a driving test for the internet.
Location of the hosting is what defines the law the site should operate under in my opinion. There are other factors such as who owns the site and where they reside i.e. your site hosted in Hong Kong or US with .co.uk domain may not break local law which should render it ok but it doesn't mean it pans out that way.
However the TLD for the country can pull your name resolution as they control that and their Government can control them. You can host your site wherever but Nominet can still pull your .co.uk registration if told to.
The law covers other things like the right of customers to change telephone companies in under 24 hours. As important as the data protection and privacy issues are is there any chance of more coverage of these pro-competition aspects of the law?
The main reason for the Commission wanting to see rapid adoption of the law is that, because the internet famously knows no borders, as soon as one country implements it the gate is opened for litigation. Oh, and the Commission has a pretty large remit when it comes to enforcing competition law.
This law is half baked and pointless. The people you want to block cookies from are the very people who won't pay attention to the law then you have the whole issue of sites outside Europe carrying on doing what they want.
The official guidance from uk.gov is laughable. It's clear that even they don't understand it and are almost certainly violating it.
The underwhelming response from the rest of the EU suggests that the member countries aren't too keen on this law either. Not surprising really, when it seems to have been written by some unnamed bureaucrat who lives in a hole and has never really used the internet.
Anyway, it seems to have passed into our law but:
* Is it the location of the person/company who owns the web site, or the location of the web server that determines if this law has to be followed?
* Given that there are millions of sites in the UK and Europe, how is it going to be enforced? The cost of litigating against every site who refuses to obey will make Greece's debt look like petty cash.
* As this is a European law, that I can't see being replicated across the world, has anyone considered the costs to EU business from lost customers, or the loss to the EU of businesses who just move abroad?
Yet another example of ridiculous bureaucracy from Europe, that it seems, yet again, we are forced to follow while most EU countries ignore.
You would have expected government sites to have followed these rules, even if the rest of us are not interested.
http://www.number10.gov.uk/ however has clearly not followed the rules - Google tracking cookies and - shock horror - third-party cookies from YouTube & Facebook, abound.
As they haven't asked permission to set these cookies, it must mean they are 'spying' on us and abusing our privacy, like some Orwellian Big Brother!
So, what happens if you already have a cookie from a site, that say expires 10 years from now?
Do sites have to delete the cookie if I visit again, then re-issue me one if I agree?
Just seems like another pointless law so someone somewhere can say that they understand this interweb thing.
It says: "You may delete and block all cookies from this site, but parts of the site will not work." Block cookies from the site in the browser and you'll find out that the part of the site that doesn't work is the box to say you've accepted cookies... it's always there.
That could have been done better.
In a recent interview, one victim cried out "In the physical world, I'm Bob, but online, I'm the globally unique identification... it's 32bits, so I won't give you my full ID, but friends call me EA34. It's not fair that my online self is tracked. Somewhere, somebody out there knows that I, EA34, like Delia Smith books, and dog porn"
Looks like the ICO has already worked out the loophole and I expect most websites will do something similar if they are actually forced to comply (which seems doubtful).
Just say "we need your permission to use cookies X, Y and Z on this site but if you don't give it the site won't work".
I wouldn't call that a loophole, I would call that reasonable notification.
"If you don't let us put cookies, our page will not work." This is a function of how many sites work. Your browser can also just reject the cookies, but the sites will not work properly. You can just clear out the cookies when you are done, many browsers can do this as well.
The reality is, for an interactive site as we have come to expect, some tracking is required, this is because the protocols we are using are stateless. Cookies are a work-around, which make the interactive web possible. That is why comments like this and, to a lesser degree, this directive are silly.
The UK response is actually much better than the EU one. This is a browser problem, not a site problem.
Make all browsers default to (with the option of changing) clearing cookies every hour (even if they are not set to expire). This would limit the costs to site operators, limit inconvenience to end users, and put it squarely back in the hands of the end users (who should not have to trust a third party to ensure their privacy).
If I have Google Analytics on my site it is my responsibility to ask user’s permission. A lot of website owners with analytics installed may not know it's installed (the website designer did it as contingency for when the client asks for stats). Even if they know they have GA will they know it uses cookies? I assumed it would but only confirmed that just now.
The ICO have implemented this requirement on their own site. It’s intrusive and basically says accept or the site won’t work. If every site were to do what the ICO have it would make a laughing stock of the web – and the moron legislators who thought up this crackpot scheme.
I just checked the EC website, they do drop cookies (ec_exit_survey, EuropaSearchSessionID) but don't ask permission.
This is a case of the blind not even able to lead themselves.
The legislation just needs to say - at installation or first use (or even start of session) browser software must explicitly ask the user whether cookies should be allowed, if the user says no then switch on the cookie blocker.
Unfortunately, by implementing a law to prevent tracking visitors' behaviour on a website using cookies (the only legitimate method) the EU are forcing website owners down the unethical route.
Those of us who operate in the EU are now at a commercial disadvantage with our US or other competitors and we will look for ways of redressing the balance.
Browser footprints are eminently trackable and unique and this is a stealthy, backdoor, and probably controversial means of tracking your visitors. It's already used by certain web analytics organisations and is more of a concern than cookies because it is not easily within your control as a visitor to stop. See (https://panopticlick.eff.org/).
In other words, introducing this law could in fact erode privacy it was intended to protect.
Stated in yesterday's Reg article;
In the case of data <embiggened><superbold>not</superbold> related to the service currently accessed by the user</embiggened>, the new rules require Member States to ensure users have given their consent before such data is stored or accessed
Today's Reg statement;
The European privacy law came into force this morning requiring websites within the EU to obtain a visitor's consent to install a cookie in their browser.
Which is correct? If the website being accessed by the user drops cookies solely to do with the service the website is providing then (reading the first statement) no consent is needed!?
However, today, it seems that all cookies require consent.