
Ye gods, they've managed to make it worse
The web's going to turn into a mass of Yes/No alert boxes for everything from like buttons, to submitting forms, to mouseover events.
Website operators can only take advantage of an exemption from new cookie laws if site users specifically request a service or function and that service would not work without the serving of the cookie, EU data protection regulators have warned. After changes to the EU Privacy and Electronic Communications (e-Privacy) …
They certainly have!
It's not going to stop tracking because those that knew little about cookies just auto click the accept buttons when they appear. What's changed is that those of us who clear our cookies get hassled every day.
Laws should be made by people that have a clue
"What's changed is that those of us who clear our cookies get hassled every day."
worse than that ... there are some people offering "cookie compliance" services ... problem is that they set a cookie to say you've opted out but that is from a "third party" site so those of us who by default refuse to accept third-party cookies get hassled on *every* page
"Our site doesn't allow you to opt out of cookies because the only way to do this would be to set a cookie on your machine to say you have opted out of cookies. Thus as our 'compliance to cookies directive' would not work without cookies we therefore claim an exemption from the requirement to allow users to opt out of cookies"
There you are .... job done!
You can make your site in such a way that it only sets cookies when it needs to, and asks if there isn't one present.
There's no real need for the front page of most sites to set a cookie at all. They can remember user prefs if there's already a cookie, they set one without asking if a cookie-reliant feature is used.
The only class you can't set without permission are cookies that track behaviour either within or without the site. Your page can operate perfectly fine without these. It may make your life harder in terms of analytics etc, but that's exactly the point of the legislation - you shouldn't just go opting everyone's behaviour into your analytics engine without permission.
"Seeing as I've been building them for 15 years I have a pretty good idea, and know that most users do not want a barrage of messages asking them to accept a cookie which is simply trying to store something like a shopping basket ID."
And since a shopping site breaks without that cookie you don't need to present that barrage of messages.
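The approach described in the comment above (no cookie on a plain page view, a functional cookie set without asking when a cookie-reliant feature is used, tracking only with permission), as an added example that is not part of the original thread. The cookie names (`basket_id`, `consent`, `analytics_id`) and the request shape are hypothetical.

```javascript
// Added example. Cookie names and request fields are hypothetical.
const { randomBytes } = require('crypto');

const ATTRS = '; Path=/; Secure; HttpOnly; SameSite=Lax';
const newId = () => randomBytes(16).toString('hex');

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// req: { cookieHeader, action, consentAnswer } (constructed request shape).
// Returns the Set-Cookie values to send and whether to show a consent prompt.
function cookiesFor(req) {
  const jar = parseCookies(req.cookieHeader);
  const set = [];

  // Necessary: only when the user invokes a feature that breaks without it.
  if (req.action === 'add-to-basket' && !jar.basket_id) {
    set.push('basket_id=' + newId() + ATTRS);
  }

  // Remember the user's answer, but only once they have actually given one.
  const answered = req.consentAnswer === 'yes' || req.consentAnswer === 'no';
  if (answered) {
    set.push('consent=' + req.consentAnswer + '; Max-Age=15552000' + ATTRS);
  }

  // Tracking: never without an explicit "yes", now or on an earlier visit.
  const consent = answered ? req.consentAnswer : jar.consent;
  if (consent === 'yes' && !jar.analytics_id) {
    set.push('analytics_id=' + newId() + ATTRS);
  }

  // Prompt only while no valid answer is on record.
  return { set, askConsent: consent !== 'yes' && consent !== 'no' };
}
```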
Really? Whenever I see one, I use AdBlocker's element selector to add it to the filter rules. Bam, gone.
Now if only I could do something about sodding El Reg's banner pop-up on my phone. Didn't anybody think to try the main site on Android's browser? It works well, except for that persistent cookie popup...
Can someone explain the quote "just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."?
Too many "not"s in there for me :(
Unravelling the double-negatives, I think I get:
"just because you consent to a website remembering your details once it does not mean that in the future you may wish to visit that site again and be remembered." - which is patently nonsense!
No, it means "just because you consent to a website remembering your details once, it does not mean that in the future you may not wish to visit that site again anonymously"
Or... Even though on one visit you consent to a website remembering your details, at a later date you may want to visit the site anonymously.
e.g. Maybe I'm happy for a retailer to recognise who I am when I visit their site. But maybe one time I go there for a peek at dildos, or iProducts - on this occasion I might want to be anonymous for that visit.
Exactly, if that is what this is all about it is fundamentally ridiculous as you can use your private browsing to anonymise that visit, cookies may still be stored for that browser session only and will not be connected to your non-anonymous visit.
I understood this legislation as being useful to prevent inter-website tracking of users without consent, namely with third party cookies: social linking services and advertisers can aggregate information about users across websites, where they've been, what they've been doing, and use that information to target advertising. And the legislation covers any client-side storage method that can be utilised to do so; if this is not the case it is flawed, by which I mean other methods can be used.
Session tracking can be done through the URL but is much much less secure, and user preferences can be stored server side. If you don't want your current usage to be linked to an account you have, like Danny says, just use private browsing; you will have a new identity for the website until you go back to your normal settings.
Even with this legislation in place, the technology itself is not the problem, the problem is aggregating data, even if anonymised, the trail itself leaves clues as to someone's true identity and this tracking can be done at protocol level at various places throughout the internet stack.
Adding a few popup windows to confirm acceptance of a cookie is a nice little placebo and really the legislation is too roundabout to be effective in solving anything.
"I understood this legislation as being useful to prevent inter-website tracking of users without consent namely with third party cookies,"
Not really. Read El Reg's cookies doc [ http://www.theregister.co.uk/Profile/cookies/ ]. Now these popups on El Reg are El Reg asking for permission to set cookies, yes? It seems to be assumed that if you give theregister permission to store cookies, you're also happy to give permission to other sites and advertisement servers (doubleclick.net for example).
What is happening now is just the icing on a wonderfully bodged cake. And is it any wonder big sites didn't implement any sort of cookie policy until the last moment? I bet the geeks at El Reg, BBC, et al looked at the directive and thought, collectively, "you're shitting me, right?".
Years ago I had a website ordering form that tracked the order process using a rather hideous method. A hash key that was transmitted from one page to the next through a series of CGI forms in a hidden field, that connected to a temporary file on the server containing the information the server needed to know. Every request was a PUT request to the next CGI in the chain. A cron job deleted those temporary files that had not been touched after a certain period of time.
But yes, that was horrible.
In a related note, where does this latest bit of Eurocrap leave users of Google Analytics?
Paying for something that they're not allowed to use, that's how it leaves them.
Although, I guess all they'd have to do is use the google cookies in a load-balancing regime, at which point they'd be 'necessary' for the operation of the site.
What happens when Google converts their cookies from 3rd party to 1st party? They have the DNS infrastructure to do it, but I'd certainly hate to manage that system.
I've only seen one that has so far offered me a choice of which cookies to accept - all the others have said 'we need them, so you're going to get them' or words to that effect.
The one that behaved was BT - which offered a popup with a slider offering either 'necessary', 'nice to have' or 'tracking' options.
"Website operators can only take advantage of an exemption from new cookie laws if site users specifically request a service or function and that service would not work without the serving of the cookie, EU data protection regulators have warned."
So the whole process was a waste of taxpayers' money!
Site owners just now claim that they must serve the cookie, and done.
... because this EU update contradicts the most recent ICO advice.
A plea to the legislators - please focus this law on the things that actually cause real concern to a significant number of users, and then give clear advice on what to do.
At the moment, it looks very much as though you could not facilitate festivities in a facility for fermenting foaming beverages.
The government needs to stop legislating technology and instead focus on behavior.
The whole idea of laws around use of cookies is asinine. You have to get very specific in order to target the groups you are trying to stop instead of harming regular people.
A better law would have simply stated:
"No one may track people without their explicit consent unless you are a government entity"
Add in a fine schedule and call it a day. As it stands, browser manufacturers simply need to come up with a new name for local data storage and access in a browser and poof, all those police laws go out the window and it will take 10 years for the legislators to fix it.
They already exist, they're called DOM Storage, Indexed DB, and Web SQL Database.
Flash cookies only got dragged into the debate because they're commonly called Flash cookies, but the proper name is Local Storage Object. If people didn't commonly call them Flash cookies then the EU wouldn't have even been aware that they existed.