back to article Almost entire EU now violating Brussels cookie privacy law

The deadline for the implementation of a European privacy law on cookies passed with a whimper at midnight last night, after just two Member States issued a full notification to Brussels. Meanwhile, 19 of the 27-bloc countries that make up the European Union ignored the 25 May deadline on implementing the full, or indeed …


This topic is closed for new posts.
  1. Simon Lacey

    I'm probably mistaken

    But don't most modern browsers allow you to block cookies by default, requiring user confirmation to allow them? If so, what is Vaizey asking for?

    1. Andy Fletcher

      Of course they do

      but this directive assumes (unfortunately correctly) that Average Joe Internet User wouldn't know what a cookie was if it jumped out of his screen and bit him on the face. It also assumes (obviously incorrectly) that cookies are, by default, the evil wrong doings of the dark side. It's most likely all kicked off due to some politician having to explain an embarrasing cookie to his wife or something.

      1. Mark 65


        This is yet another law that is there to pamper and pander to the stupidity of the end user. "I can't work out how to change cookie settings so that means you should write a law to protect me". Utter bullshit. Yet more support for the notion that there needs to be a driving test for the internet.

  2. Anonymous Coward

    Denmark failed miserably, som uch for it being law.

    However, if is hosted outside the EU does the site still have to comply?

    In other words what counts, the domain or the location of the hosting site?

    1. Mark 65


      Location of the hosting is what defines the law the site should operate under in my opinion. There are other factors such as who owns the site and where they reside i.e. your site hosted in Hong Kong or US with domain may not break local law which should render it ok but it doesn't mean it pans out that way.

      However the TLD for the country can pull your name resolution as they control that and their Government can control them. You can host your site wherever but Nominet can still pull your registration if told to.

  3. Charlie Clark Silver badge

    Not just cookies

    The law covers other things like the right of customers to change telephone companies in under 24 hours. As important as the data protection and privacy issues are is there any chance of more coverage of these pro-competition aspects of the law?

    The main reason for the Commission wanting to see rapid adoption of the law is that, because the internet famously knows no borders, as soon as one country implements it the gate is opened for litigation. Oh, and the Commission has a pretty large remit when it comes to enforcing competition law.

  4. Just a geek

    Oh goody. Another law that will only affect those who obey the law

    This law is half baked and pointless. The people you want to block cookies from are the very people who won't pay attention to the law then you have the whole issue of sites outside europe carrying on doing what they want.

    The official guidance from is laughable. It's clear that even they don't understand it and are almost cerainly violating it.

  5. Cyberspy

    Are EU countries embarrassed by this?

    The underwhelming response from the rest of the EU suggests that the member countries aren't to keen on this law either. Not surprising really, when it seems to have been written by some unnamed bureaucrat who lives in a hole and has never really used the internet.

    Anyway, it seems to have passed into our law but:

    * Is it the location of the person/company who owns the web site, or the location of the web server that determines if this law has to be followed.

    * Given that there are millions of sites in the UK and europe, how is it going to be enforced? The cost of litigating against every site who refuses to obey will make Greece's debt look like petty cash.

    * As this is a european law, that I can't see being replicated across the world, has anyone considered the costs to EU business from lost customers, or the loss to the EU of businesses who just move abroad.

    Yet another example of ridiculous bureaucracy from europe, that it seems, yet again, we are forced to follow while most EU countries ignore.

  6. Anonymous Coward


    ... who exactly is going to do anything about it?

  7. Cyberspy
    Big Brother

    Number 10 is Big Brother

    You would have expected government sites to have followed these rules, even if the rest of us are not interested. however as clearly not followed the rules - Google tracking cookies and - shock horror - third-party cookies from YouTube & Facebook, abound.

    As they haven't asked permission to set these cookies, it must mean they are 'spying' on us and abusing our privacy, like some Orwellian Big Brother!

  8. Benny
    Thumb Down

    cookie lifetime

    So, what happens if you already have a cookie from a site, that say expires 10 years from now?

    Do sites have to delete the cookie if I visit again, then re-issue me one if I agree?

    Just seems like another pointless law so someone somewhere can say that they understand this interweb thing.

    1. Anonymous Coward
      Anonymous Coward


      It's a well made law, it will allow the bureaucracy to increase in size to make sure it's followed, like all good self perpetuating bureaucracies it's just giving itself more wasteful work to get fatter with.

  9. MH Media


    Maybe we should report Number 10 to the ICO or whatever numpty Eurocommittee is handling this farce.

  10. Anonymous Coward

    ICO leads the way

    For a nice example of how we can all comply with the spirit of the EU directive simply visit the Information Comissioners website

    Come on people, it's not a waste of pixels it's essential to allow us to protect our privacy. Get re-writing your websites.

    1. Hackzilla


      It's a great example of how everyone ignoring this.

      Or do you think the ASP.NET_SessionId doesn't count?

      Personally I think the browsers should deal with this, and not create more red tape.

      1. Anonymous Coward

        ASP.NET_SessionId probably does not count

        or does it...

        There is an exclusion for those cookies 'strictly necessary for the service requested'. Does microsofts tag count?

        BTW, change their cookie contents ICOCookiesAccepted value from "true" to "false" and it doesn't re-request permission.

    2. Dan 55 Silver badge

      Leading the way... sort of.

      It says: "You may delete and block all cookies from this site, but parts of the site will not work." Block cookies from the site in the browser and you'll find out that the part of the site that doesn't work is the box to say you've accepted cookies... it's always there.

      That could have been done better.

  11. NathanDubya

    The humanity.

    In a recent interview, one victim cried out "In the physical world, I'm Bob, but online, I'm the gloabally unique identification... it's 32bits, so I won't give you my full ID, but friends call me EA34. It's not fair that my online self is tracked. Somewhere, somebody out there knows that I, EA34, like Delia Smith books, and dog porn"

  12. Anonymous Coward
    Thumb Down

    Handy loophole

    Looks like the ICO has already worked out the loophole and I expect most websites will do something similar if they are actually forced to comply (which seems doubtful).

    Just say "we need your permission to use cookies X, Y and Z on this site but if you don't give it the site won't work".

    1. Oninoshiko

      Welcome to the Internet.

      I wouldn't call that a loophole, I would call that reasonable notification.

      "If you don't let us put cookies, our page will not work." This is a function of how many sites work. Your browser can also just reject the cookies, but the sites will not work properly. You can just clear out the cookies when you are done, many browsers can do this as well.

      The reality is, for an interactive site as we have come to expect, some tracking is required, this is because the protocols we are using are stateless. Cookies are a work-around, which make the interactive web possible. That is why comments like this and, to a lesser degree, this directive silly.

      The UK response is actually much better then the EU one. This is a browser problem, not a site problem.

      Make all browsers default to (with the option of changing) clearing cookies every hour (even if they are not set to expire). This would limit the costs to site operators, limit inconvenience to end users, and put it squarely back in the hands of the end users (who should not have to trust a third party to ensure their privacy).

  13. Anonymous Coward

    Bring it on

    In the staggeringly unlikely event of someone coming after one of the European sites I run, I'll simply move the hosting to Switzerland.

  14. XMAN

    Waste of time

    It's a waste of time because the biggest offenders (like Google) will just continue doing what they do and then just blame it on a 'technical error of a single employee' when they get caught. And of course they'll get let off like they always do.

  15. Anonymous Coward

    Private cookies

    "Almost entire EU now violating Brussels cookie privacy law"

    Who told you you can eat my cookie?

    Put that cookie down, NOAW!

  16. rob hindle

    The blind leading - who?

    If I have Google Analytics on my site it is my responsibility to ask user’s permission. A lot of website owners with analytics installed may not know it's installed (the website designer did it as contingency for when the client asks for stats). Even if they know they have GA will they know it uses cookies? I assumed it would but only confirmed that just now.

    The ICO have implemented this requirement on their own site. It’s intrusive and basically says accept or the site won’t work. If every site were to do what the ICO have it would make a laughing stock of the web – and the moron legislators who thought up this crackpot scheme.

    I just checked the EC website, they do drop cookies (ec_exit_survey, EuropaSearchSessionID) but don't ask permission.

    This is a case of the blind not even able to lead themselves.

    The legislation just needs to say - at installation or first use (or even start of session) browser software must explicitly ask the user whether cookies should be allowed, if the user says no then switch on the cookie blocker.

  17. marketingops

    Force unethical means of tracking

    Unfortunately, by implemening a law to prevent tracking visitors behaviour on a website using cookies (the only legitimate method) the EU are forcing website owners down the unethical route.

    Those of us who operate in the EU are now at a commercial disadvantage with our US or other competitors and we will look for ways of redressing the balance.

    Browser footprints are eminently trackable and unique and this is a steathy, backdoor, and probably controvertial means of tracking your visitors. It's already used by certain web analytics organisations and is more of a concern than cookies because it is not easily within your control as a visitor to stop. see (

    In otherwords, introducing this law could in fact erode privacy it was intended to protect.

  18. Simon.W

    correct interpretation?

    Stated in yesterday's Reg article;

    In the case of data <embiggened><superbold>not</superbold> related to the service currently accessed by the user</embiggened>, the new rules require Member States to ensure users have given their consent before such data is stored or accessed

    Today's Reg statement;

    The European privacy law came into force this morning requiring websites within the EU to obtain a visitor's consent to install a cookie in their browser.

    Which is corrrect? If the website being accessed by the user drops cookies solely to do with the service the website is providing then (reading the first statement) no consent is needed!?

    However, today, it seems that all cookies require consent.

  19. Anonymous Coward
    Anonymous Coward

    EC website still not compliant

    A day after the deadline, and the EC's own website ( is still non-compliant. This law needs a high profile example - the EC should waste no time in prosecuting themselves.

This topic is closed for new posts.

Other stories you might like