Stupid EU cookie law will hand the advantage to the US (techcrunch.com)
107 points by emmanuelory on March 9, 2011 | hide | past | favorite | 99 comments



As numerous commenters have noted, this article twists/omits facts, blows things out of proportion, and doesn't talk about the benefit to consumers.

Tracking is currently a hot topic in the US as well, where a different approach, labeled Do Not Track is being pursued. I happen to be at the thick of it, so I thought I'd add that to the discussion.

Do Not Track (http://donottrack.us/) is fundamentally an opt-out from tracking rather than an opt-in, which makes it much harder to claim that it will threaten the ad industry, startups, puppies, or anything else [1]. It is an HTTP header which, if enabled, signals to advertisers and other trackers to stop tracking you across multiple third-party websites. First-party tracking is OK.

The Do Not Track option has already been implemented in Firefox 4. As of yesterday it is an Internet-Draft[2], and on the legislation side, Congresswoman Speier recently introduced a bill to give the Federal Trade Commission powers to enforce Do Not Track.[3]

I'm a computer scientist and this is my first major foray into the policy arena, and having worked with most of the people/entities involved in this effort, I have to say I've been pleasantly surprised how the disparate parts of the technology/policy/regulatory machinery started to work together.

I don't want to get into which approach is better, but just wanted to describe how we're doing it in the US. Feedback welcome.

[1] http://cyberlaw.stanford.edu/node/6592

[2] http://cyberlaw.stanford.edu/node/6633

[3] https://speier.house.gov/index.cfm?sectionid=48&itemid=6...
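
The header handling described in the comment above, as an added example that is not part of the original post or of any Do Not Track implementation: a sketch of how a tracking endpoint could honour `DNT: 1` in a third-party context while leaving first-party use alone. The cookie name `uid`, the function names, the use of `Referer` to detect third-party context, and the plain hostname comparison (a real deployment would compare registrable domains) are assumptions made for the illustration.

```javascript
// Added example. Headers are a Node-style object with lower-cased names.
// All hosts and cookie values below are constructed sample data.

// True only when the browser sent the opt-out signal "DNT: 1".
function dntEnabled(headers) {
  const raw = headers['dnt'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Decide whether this request arrives in a third-party context, i.e. the
// page embedding us is on a different host than the one we serve from.
// Assumption: with no usable Referer we cannot prove first-party context,
// so we take the conservative branch and treat it as third-party.
function isThirdPartyContext(headers, ownHost) {
  const ref = headers['referer'];
  if (!ref) return true;
  let refHost;
  try {
    refHost = new URL(ref).hostname.toLowerCase();
  } catch {
    return true; // malformed Referer: conservative branch again
  }
  return refHost !== ownHost.toLowerCase();
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns what the endpoint should do for one request:
//   track     - whether the hit may be tied to a persistent identifier
//   userId    - the identifier to log, or null
//   setCookie - Set-Cookie header values to send back
function handleTrackerRequest(headers, ownHost, newId) {
  const cookies = parseCookies(headers['cookie']);

  if (dntEnabled(headers) && isThirdPartyContext(headers, ownHost)) {
    // Opted out of cross-site tracking: do not read or log the identifier,
    // issue no new one, and expire any identifier set before the opt-out.
    const setCookie = 'uid' in cookies ? ['uid=; Max-Age=0; Path=/'] : [];
    return { track: false, userId: null, setCookie };
  }

  // First-party context, or no opt-out signal: reuse or issue an identifier.
  const userId = cookies.uid || newId;
  const setCookie = cookies.uid
    ? []
    : [`uid=${userId}; Max-Age=31536000; Path=/; Secure; HttpOnly`];
  return { track: true, userId, setCookie };
}
```
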


I'm always skeptical of a legal solution to a technical problem, but I wonder how this is to keep me safe from trackers on foreign soil? Wouldn't these companies just move their server a country over? What if our ISP allowed us to block traffic from those who don't comply with the don't track header, would that solve our problem?


Excellent question. One solution for this would be to prohibit US-based first-parties from doing business with noncompliant third-parties (similar to what you propose, but doesn't cut across different layers, so less messy, less potential for abuse). It is similar to how some other laws work, and it would be up to the FTC to make this rule.


This could be a good complementary way to tell the i.e. content provider you don't want to be tracked so it'd be no need to issue warnings.

Otherwise this measure is bland as it'd totally rely on the way the legislation is implemented or in the trackers' good faith.

Liability should be owned by the one providing the service you're consuming. The same way as they'd if I were paying them with my credit card in their commerce, I'm giving them my personal information as a retribution but instead of my credit card number.


Yes, this is a far better solution.

It also gives flexibility back to site owners. If your business model depends on tracking (so much that a visitor who opts out of tracking costs you money) they are free to redirect the user away or throw up a paywall.


This is being blown out of all proportions.

http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/...

Read point 50.

The general gist seems to be that if you use a cookie to track the communications between you and the user (à la sessions), no problem. But if you are using cookies to track where and/or what the user has been doing across sites then you need to make said user aware.

Please correct me if I am wrong.


Thanks for posting the link - upvoted. However, I'm interpreting it a little differently. Consent is not just required for tracking across sites according to point 50 of that document. Their example of something that would require consent is storage of language preferences. That has nothing to do with cross site tracking.


The bit in question: "For example, pursuant to the last sentence of this Article a data subject may not benefit from information and the right to oppose the processing of his/her data if a cookie collects his language preferences or his location (e.g. Belgium, China) as this kind of cookies could be presented as having as objective the facilitation of the transmission of a communication"

I think this regards storing the user's locale information in a cookie... you wouldn't need to store this in a cookie if you can store it on your server which links the locale information via a session cookie.


I don't think that kind of difference matters in the eyes of those who created the directive. I believe if you store a cookie that is later used to recover locale information stored on your server, that would not exempt you from the consent and refusal provisions. But I could be wrong.

[Edit] In any event, I agree with you that the article blows this issue completely out of proportion.


> I don't think that kind of difference matters in the eyes of those who created the directive.

Note: what matters is the difference in the eyes of those who interpret the directive. In this sense, the actual verbiage (and not authorial intent) is paramount.


The linked document looks to me like a recommendation to alter the tabled amendment - and as things currently stand then language preferences and the like will not be exempt. Hence clause 51 stating "to prevent this we propose the following amendment to the article ..."

But I've only skimmed through it and it's making my head hurt.


You are not wrong. Some examples: A login for your site needs no consent. A session to store some status-message to a user ("comment posted!") is allowed just fine. But Google (analytics) must provide a warning before it is allowed to track people, because it tracks people across domains and sites.

edit: I wrote opt-in but meant to say "provide a warning"


Google Analytics does not track user behaviour across domains and sites, unless those domains and sites are specifically linked.

Google Analytics uses a 1st-party cookie set by the website that runs it.

http://code.google.com/apis/analytics/docs/concepts/gaConcep...


Google Analytics is a third party service that is tracking users' behaviour around the Internet, quite possibly without their knowledge or consent. It doesn't matter what the original site operator can see. Google can see everything. This is exactly the kind of shady behaviour that this law is supposed to prohibit, and Google getting screwed on this point appears to be in keeping with both the letter and the spirit of the law.


So how does the police distinguish between a harmless session cookie and an evil tracking cookie?


So we'll be able to use a cookie to store the user's preference once they've selected to allow or disallow tracking via Google Analytics?

EDIT: This [1] seems quite useful.

[1] http://www.google.com/support/forum/p/Google+Analytics/threa...


And stupid environmental laws don't allow excessive mining and require costly procedures when handling waste. It hands the advantage to China, and other less restrictive countries.

'This is how it's always been done' is not reason enough. Many sites require you to accept terms & conditions. Another checkbox really won't matter.


While this is true, a lot of cookies are used without any login/signup process, so you need to provide these pop-ups a lot more often.


Usability 101: every other checkbox matters and lowers conversions


yes, we should all be lean-and-mean like China!


I can't figure out how this will hit EU startups. Actually, this is promoting transparency and I really like it. I won't be suspicious if the site is gathering some data from me or not; if it is, it'll just display a friendly warning.

This is actually beneficial for users; and the ones who refuse are probably not the users you are looking for.


You're right. The comments are a lot more intelligent than the posturing article they are appended to.


Isn't it clear from the article?

"It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings – and our competitors will not. It is a well known fact that at each stage of a signup process you lose customers – if you have to have a big warning sign just for a cookie that will remember you for purely convenience so that it keeps you logged in. The user wont read that detail – they will just think your a privacy nightmare and wont sign up."


If I read it correctly, the law addresses the cross-site cookies particularly, which I have been keeping disabled in all my browsers ever since the option was introduced (Accept cookies ... Only from sites I visit). And honestly, I don't care about "startups" that are trying to take advantage of ad cookies (edit: and Facebook tracking me via its ubiquitous thumb, and so on). Let alone that I use an ad blocker, too. Fuck that, you know.


>It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings – and our competitors will not.

An American startup doing business globally and with citizens of the UK would have to abide by this law too, though, right?


In theory yes, but in practice not really. Consumer doesn't care, doesn't know.

On a side note, in theory if you are an EU company you cannot use a CRM which hosts your data outside of the EU. For a USA CRM company the only way to get around this is the "Safe Harbor Policy". Do you know how many SaaS CRMs apply Safe Harbor Policy? AFAIK only 1, SalesForce.

But obviously there are thousands of European users of these CRM companies which violate this EU law.


I'm not sure about CRM specifically, but certainly various serious companies are aware of the EU data protection rules and take specific steps to comply. For example, I've been looking at off-site back-up for one of my companies recently, and while talking to Mozy they confirmed unambiguously and with specific details that any data from my company (in the UK) that was backed up using their service would be held in various protected ways in specific data centres within the protected area.

If you're in a business like that, where people are trusting you with that kind of sensitive information, I think you expect that serious customers are going to ask and they're going to need straight answers. I would agree that this is a barrier to entry for start-ups, but I think if you're trying to enter that kind of market but you aren't in a position to provide that level of service, you're already dead anyway.


Many would probably just not care, but the global players (Amazon, eBay..) would have to comply. Potentially it can affect everyone, just like introduction of EU RoHS directive phased out much of lead-containing products worldwide.


Both the EU and US regulations will backfire badly. They both interfere with site optimization and advertising targeting, and both site optimization and advertising targeting impact profits.

Rather than taking the hit to their bottom line, publishers will adjust by making explicit user opt-in mandatory. Since explicit opt-in is nice and unambiguous, the targeting itself can then be a lot more invasive.

I really don't understand the desire to mess with the current system we have today, which works well enough. The small percentage of users who truly care about tracking have simple and effective technical solutions available to them. Publishers turn a blind eye to these unprofitable users, since their numbers are small. Finally, since most ad targeting currently falls in a policy 'grey area', the ad industry self-polices reasonably well.

At least there's going to be some interesting startup opportunities in detecting tracking circumvention and forcing compliance.


I couldn't disagree with you more.

The current system does not work. Tracking people around the Internet is shady behaviour any way you cut it, and a lot of people don't like it.

A lot more people don't even know about it, which is why the effect on sites today is still relatively small. Try sampling a population who have been fully informed about what is going on and see the reaction you get.

Ultimately, businesses do not have carte blanche to engage in whatever shady practices they like in the interests of increasing profits. This is why we have laws and why we punish businesses that break those laws.

If publishers who want to spy on everyone make opt-in mandatory in response to measures like this, they will just create a market for publishers who are willing to share their content with ads based on that content alone rather than on tracking individual visitors' personal details. This worked well enough to establish things like Google ads in the first place, after all.

I have about as much sympathy for any company hit by these measures as I have for cigarette companies who are forced to display a warning about the proven health implications of their product in big letters on the packet.


> Try sampling a population who have been fully informed about what is going on and see the reaction you get.

I've yet to see a 'fully informed' sample from anyone. While people don't like getting tracked, they don't like getting tracked in contrast to an imaginary situation where they can access all the same content with no tracking whatsoever, which simply isn't possible.

Whenever people complain about ad targeting, you should think of the guy who spends all his time grousing about taxes while still wanting the government to pay for his roads and his Medicare and his Social Security. Same thing.

> Ultimately, businesses do not have carte blanche to engage in whatever shady practices they like in the interests of increasing profits.

Of course. This is why online businesses will end up doing what, for example, a credit card provider or a magazine publisher does - they'll tell you that they're going to sell your information six ways as a condition of receiving the service, and the public will say 'well, I want the service, so what choice do I have?' Unless, of course, the government makes the very practice of ad targeting illegal, in which case the content goes behind a paywall where the poor don't get to read it.

> If publishers who want to spy on everyone make opt-in mandatory in response to measures like this, they will just create a market for publishers who are willing to share their content with ads based on that content alone...

Now this argument is like the guy who thinks the government can balance its budget and lower taxes just by getting rid of some sort of vague unspecified 'waste'.

You are more than welcome to try to make real money through contextual advertising alone. Unless you own a search engine or are churning out made-for-AdSense content tailored specifically to search queries, you will fail. Brand advertisers don't do much contextual, so say goodbye to agency CPMs. The contextual stuff itself performs horribly when users aren't explicitly in 'search' mode. Why do you think those 'three weird tips to losing belly fat' ads are everywhere instead of Google AdSense? Yes, even that spray-and-pray CPA stuff outperforms contextual. Now picture all your brand advertising going away and trying to subsist solely on the pittance you get from education loan and car insurance ads. Now picture doing this while trying to produce quality content. Good luck.

I get that people don't like advertising, and I get that they don't like analytics. People expect the web to be like a backlit newspaper, and when they find out that their reading material is reading them back, they're disconcerted. However, they're just going to have to get over it, because that's the real price of 'free'. The alternative is paying for it, which helps turn the internet into a place for the privileged.

I've yet to see a scenario that's going to end up better than the muddling-through we're doing now. You can effectively opt-out just by installing an extension, as can anyone else who really, truly cares about a website knowing they're a college-educated male between the ages of 25 and 34. Stop trying to fix the world, you're simply going to make it worse.


Your entire post seems to imply that there is no way for ad networks to target advertisements without tracking users from site to site.

However, if someone is visiting a site about, say, cats, it is still possible to show them ads for pet-care with no tracking required. If they then visit a site about data structure, then you show them ads about, say, data structure text-books, but the advertiser can't reliably detect that they are the same person who just visited the site about cats, so can't show them another pet care ad.

Tracking users might slightly improve the targeting of ads, but not by much - saying it will make companies in the EU unprofitable is extreme hyperbole.

Of course, the draft directive may not actually be effective, especially as IPv6 rolls out and NAT becomes progressively less necessary and common. IPv6 address + browser header fingerprinting could easily be almost as accurate as cookies to track users, and it doesn't require storing any information.


I guess my problem with this whole debate is that I'm struggling to think of a single site I visit at all regularly that offers this hypothetical content I wouldn't want to lose, yet which couldn't/doesn't have alternatives available other than pseudo-spyware advertising.

Most of the good small-scale sites I visit are related to some particular topic, perhaps a hobby or a particular technical subject. That means they already have a ready-targeted audience without any tracking whatsoever, so if there are any related products to advertise at all, they are pretty much a marketer's ideal channel. I don't know the operators of most of the sites I use personally, of course, but a few of those I do know get guaranteed rates from specialist advertisers based on real contracts that would make the average CPM-based ad-networked blogger cry.

Larger-scale sites tend to have more options open to them anyway once their user base has reached critical mass. You get to the scale of corporate sponsorship, serious donation volumes, and eventually the kind of mainstream advertising campaigns you see with mass media, major sports events, etc.

Obviously there are lots of other kinds of sites, but mostly run by people or organisations for their own reasons that don't necessarily involve profit.

What's left? Small-scale sites that need to make a significant amount of money yet have no particular speciality nor offer any particularly original and valuable content that others aren't contributing for free?

By the way, I don't accept your analogy between this situation and taxes at all, but I have no interest in getting into a superficial political debate that I don't think is particularly relevant.

Also by the way, I don't have much problem with prohibiting this kind of tracking outright either. Privacy laws are, IMNSHO, not nearly strong enough in most jurisdictions today. Far too many people wind up suffering significant harm in one form or another as a result, and if the trend for tracking everyone all the time continues along its current path, things will surely become much worse. If a few minor web sites have to be lost for preventing massive, organised surveillance of everyone's private lives, then I'm sorry but I consider that a small price to pay.


I would genuinely be interested in seeing examples of significant harm from web analytics or behaviorally-targeted advertising. Right now the most common (and frequently made) argument against FTC regulation of these fields is that no one has been able to bring forward an individual that's actually suffered harm, so your comment about "far too many people wind up suffering significant harm in one form or another" makes me cock an eyebrow.

'Mainstream advertising campaigns' for larger publishers are absolutely and completely reliant on third-party tracking and targeting - for frequency capping, serving verification, and demographic targeting. If these tools go away, the branded ad spend stays on television.

The New York Times is the most obvious example of a publisher (and journalism the most obvious sector) that'd be negatively impacted by Do Not Track. They're making significant revenue from their online business right now, but they also have very significant expenses. It costs money to run a news organization capable of international reporting and investigative journalism. 'Minor websites' are not the issue here - it's the major websites that are concerned.

I'm calling it a night, but I'll wrap up with a couple of quotes from the Online Publishers Association (which includes the NYT and every other major American news organizations) comment on the FTC's "Protecting Consumer Privacy in an Era of Rapid Change" preliminary report:

> Online publishers should have the right to offer their content and services on any lawful terms that are explicitly communicated to consumers and withhold access from those who do not agree to such terms. To require otherwise would burden publishers’ First Amendment speech with free riders who enjoy the benefits of access to valuable content without providing fair value in exchange.

> [D]efault rules that prevent fair value exchanges of digital content for user data could harm consumer welfare by reducing incentives for some publishers to invest in the production of content and/or creating incentives for publishers to charge or charge more for content that they would otherwise make available for free or at a lower cost.


> I would genuinely be interested in seeing examples of significant harm from web analytics or behaviorally-targeted advertising.

I think advertising itself is more of an annoyance than a serious harm in most cases, though I would certainly regard targeting certain profiles with advertising for certain products as abuse. That is mainly where the target is unlikely or unable to make sound judgements, for example where children, adults with learning difficulties, those suffering from a recent emotional trauma, or those who are recognisably not well-informed about things like legal, medical or financial matters are involved.

However, what really worries me is that it's not only advertising that can be driven by this kind of personal profiling, and the effects in other cases can be far greater than the irritation of seeing yet another toy advert because you just uploaded some baby photos.

For example, here in the UK, there was a lot of media attention a couple of days ago, because it looks like car insurers are going to be forced to stop offering different prices to male and female customers just because of their gender. The insurers, of course, have been profiling, and argue that on average young male drivers are more expensive in terms of the accidents they have and the resulting cost. However, while there may be some correlation there, that doesn't imply a causative effect in any individual case, and it doesn't change the fact that there are many safe male drivers who are paying more and many dangerous female drivers who are paying less. Since all drivers are required by law to have insurance in my country, this sort of profiling has effectively meant that many good male drivers have been charged thousands of pounds of basically unescapable tax, just for fitting a naively constructed risk profile.

Is it such a leap to wonder what would happen if health insurance companies were able to start profiling on grounds that were not directly clinically relevant, particularly in countries where private health insurance is the norm?

What about profiling and employer blacklists: sorry, we can't give you the job, because even though you appear on the surface to be an excellent and highly qualified candidate, we've analysed your friendship network and several of your regular contacts have photos up on Facebook that our automated analysis software thinks show them being excessively drunk, which means that statistically there is a relatively high chance of you also having your work performance impaired for alcohol-related reasons. Oh, and just to save you some time, don't bother applying for any other jobs where your hard-earned specialist skills and useful experience would be relevant, because we know that the other four big name employers all check the same databases we do.

> I'm calling it a night, but I'll wrap up with a couple of quotes from the Online Publishers Association

As far as I'm aware, no-one is saying that publishers can't offer content on their own terms. The publishers will simply have to be transparent and up-front about what those terms really are now, and compete accordingly. Moreover, where there are monopolies or essential services involved, consumer protection regulation may be warranted in the same way that state-sanctioned monopolies, such as our railway and postal networks, are sometimes subject to pricing constraints dictated to them other than by market forces.


The article does NOT describe the situation. The situation is different and is explained by this part of the Directive: "This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service" And by the further comments to the text, clearly reducing the so claimed 'stupidity'.

Pascal Van Hecke wrote a useful comment explaining the situation and clearing the misunderstandings. The comment can be read here: http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-wil...

The real problem about this Directive (it's not a law, European Union does not make laws!), is how it will be converted in law by the single Countries; this could be the real source of confusion.

The real purpose of this directive is forcing to ask explicit consent for behavioral targeting purposes, not for simple analytics' cookies. We can't create buzz based on a misunderstanding!


As a web-publisher, I find the general distaste of (advertising) tracking cookies a little hard to swallow. At the end of the day, tracking cookies exist because they allow the sites you visit (and probably don't pay for directly) to earn more money (on average) across all their visitors.

Advertising is the life-blood of publishers on the Internet. Without advertising (and by extension, tracking) many of the sites you enjoy every day would cease to exist.

At least using cookies you CAN opt out (via browsing settings and plugins). All that will happen is that the tracking networks will switch to browser fingerprinting making tracking harder to control and more opaque.


> At least using cookies you CAN opt out (via browsing settings and plugins). All that will happen is that the tracking networks will switch to browser fingerprinting making tracking harder to control and more opaque.

It's been a little while since I talked to a specialized lawyer about this, but if I remember correctly, the same regulations would apply to this tracking strategy.


Your post is one unsubstantiated claim after another.

Just because you fund your content through ads, that doesn't mean someone else can't use a different model. Sorry to be brutal, but if you can't find a viable alternative model when ads aren't cutting it any longer, maybe your content simply isn't worth that much and losing your site isn't a great loss to anyone else.

Moreover, just because you associate ads with tracking, that doesn't mean everyone else does. The most lucrative advertising deals I know about are between sites catering to particular interest groups and advertisers who also cater to those groups and make a direct agreement with the site. It takes actual work to set this up, but can be very lucrative for all concerned, particularly without any middleman ad network taking a big cut of any money changing hands. Many models from classic sponsorship deals to modern product placement approaches are based on this idea.

> All that will happen is that the tracking networks will switch to browser fingerprinting making tracking harder to control and more opaque.

That's probably going to be illegal, too.

In any case, browser fingerprinting is becoming a hot topic for all the wrong reasons. I expect near-future browsers will basically kill it as a technique anyway.


> Just because you fund your content through ads

Me and 99% of the sites I have read today...

> The most lucrative advertising deals I know about are between sites catering to particular interest groups and advertisers

In my experience, the most lucrative advertising campaigns are based on audience tracking and retargeting.


> Me and 99% of the sites I have read today...

99%? Really?

I'm just looking through my browser history, and I can't see any site I've visited today that appears to be funded only by the kind of targeted ads we're discussing.

> In my experience, the most lucrative advertising campaigns are based on audience tracking and retargeting.

Perhaps you are fixating on certain types of campaign, then? Either that or you have very limited experience of different possibilities, but from your other comments, I doubt that is the case.


> and I can't see any site I've visited today that appears to be funded only by the kind of targeted ads we're discussing.

I think that's a key point. ALL banner advertising would be affected by this change. All ad servers use cross domain cookie tracking of some kind. If not to track user behaviour, it's (for example) to track impressions to make sure that you don't show the same ad to the same user more than a set number of times. That is also a 3rd party cookie.

Without that ability it will be hard (impossible?) to rate limit campaigns to users, thus increasing the cost effectiveness to the advertiser and eventually hurting publishers as advertising money is diverted elsewhere.

In short, this rule would affect ALL banner adverts on all sites. So 99%, yes (at least the content sites I have read today).


> ALL banner advertising would be affected by this change.

No, it wouldn't. That's what several people in this discussion have been trying to explain.

Banners hosted locally and not by a third party service probably won't be affected at all.

Even banners hosted by a third party service won't be affected if they chose their content based only on the nature of the site where the banner would appear.

The only people who will lose out are the ad networks that track users as they move around different sites, and their business model and working practices are incompatible with my ethics (and, apparently, those of many other people, including those governing at EU level).

We should lose the conditionals, by the way. This has already been approved at EU level, and it will therefore become law throughout the EU in due course unless something dramatic happens. Given that the only people I've seen objecting even slightly seem to be those who are currently doing exactly the dubious things that these measures are intended to prohibit, "something dramatic" seems unlikely.

> Without that ability it will be hard (impossible?) to rate limit campaigns to users, thus increasing the cost effectiveness to the advertiser and eventually hurting publishers as advertising money is diverted elsewhere.

Why can't the advertisers simply re-evaluate the rates they pay per impression based on the expected cost/benefit under the new model?

Or just adopt one of the many pricing models that is based on actual results like CPC, instead of assuming that CPM is always going to be the right answer?


>Banners hosted locally and not by a third party service probably won't be affected at all.

So you have to install and manage your own local ad server to earn ad revenue from your site? Many publishers large and small use ad servers e.g. doubleclick, adtech to avoid this overhead.

>Why can't the advertisers simply re-evaluate the rates they pay per impression based on the expected cost/benefit under the new model?

Yes, publishers lose out once again.


> So you have to install and manage your own local ad server to earn ad revenue from your site?

No, you just have to use a system that doesn't try to track users everywhere they go.

> Many publishers large and small use ad servers e.g. doubleclick, adtech to avoid this overhead.

That's fine. Those ad servers are free to continue offering their facilities to webmasters who would like to use them rather than setting things up themselves. The only difference is that now the centralised services won't be allowed to track everyone everywhere.

> Yes, publishers lose out once again.

You keep saying things like that, but I don't think you've ever explained why you think this is inevitable. I and several other posters in this discussion have now presented you with numerous alternative ideas that still allow sites to carry advertising that is fairly well-targeted without violating the new rules that are going to apply after May. Those methods funded numerous sites for several years before the current generation of spyware-based ad networks took off, and given that hosting is far more competitively priced now, I don't see why today's enthusiast sites shouldn't be able to cover their costs if yesterday's could.


Ok, I think we will have to agree to disagree!

All nice in theory... the real world is very different.


Well, I'm against internet regulation in general, but I don't agree this is 'stupid' or a big disadvantage.

Sites could simply stop tracking users with long-term cookies. In this case, no warnings and popups need to be added. And everyone is happy...


If you don't want to be tracked with a long-term cookie just configure your browser to not accept long-term cookies or to delete all cookies on shutdown. Problem solved.


I think it's the responsibility of the website to do the best that it can to protect the user's privacy, especially for those that don't know what a cookie is or does. On the contrary, most websites do the minimum they can get away with and try to squeeze every bit of data for profit.

Those companies can cry all they want but they get ZERO sympathy from me. I'm sick of having to install three extensions to counter their hostile behaviour towards my privacy.


What responsibility? Man up and be responsible for yourself. If you don't trust companies with your data just don't deal with them. Or use your anti-cookie extensions! You get ZERO sympathy from me.

I understand you feel companies have a hostile behavior towards your privacy. But you're part of a minority. If people really cared that much about cookies, the market would have responded accordingly and there wouldn't be any need for this kind of regulation at all. Why impose your obsession with privacy on the rest of us?


> If people really cared that much about cookies, the market would have responded accordingly and there wouldn't be any need for this kind of regulation at all.

That's naive.

For one thing, most people are not technically knowledgeable and don't understand the extent to which they are being tracked.

For another, even those who would care about such issues can't spend their entire lives becoming experts in every ethical, legal, regulatory and financial field that might affect them. It simply isn't humanly possible, which is one reason we have laws crafted by specialists but applying to everyone.

Your argument only makes any sense if everyone knows about what's going on, understands the implications, and still doesn't care.


> It simply isn't humanly possible, which is one reason we have laws crafted by specialists but applying to everyone.

You apparently haven't heard of the invisible hand.[1]

The role of experts is to educate and influence, not to impose their own values. People should be allowed to choose what's best for them and put their trust where they want, not be forced into putting their trust in bureaucrats.

[1] http://en.wikipedia.org/wiki/Invisible_hand


I think you're making my point for me. Right now, a lot of people simply don't know what is going on or the implications it has for their privacy, so they can't possibly make informed judgements about whether they are willing to accept that behaviour. Any argument that some sort of market forces would drive change is completely negated as long as you keep your market in the dark about what is really going on.


You don't like websites earning money for providing you with free content?


This is a fallacy. A site's business model is its own responsibility.


Be that as it may, most of the sites I (at least) enjoy every day use the free content for advertising model. Very few of the sites would be able to make the transition to another business model that did not rely on advertising.


But that point (that sites give away free content for advertising) doesn't have much to do with blub's point (that many sites use hostile, non-privacy friendly tactics for advertising).

Basing your site revenue on advertising doesn't require tracking across sites/domains, supercookies written in Flash, circumvention of user-defined browser privacy settings, etc (which is probably what blub is talking about). Honestly it doesn't even require cookies or retaining IP logs, though I don't think anyone here is arguing that those are malicious.

That's why your comment is a fallacy. Websites providing me content for free, and websites respecting the privacy of their users are not mutually exclusive concepts.


In an ideal world, yes. However, in the real world, most high paying advertising campaigns are retargeting based, thus requiring cross domain tracking. Excluding such tracking limits you to lower paying campaigns and remnant backfill. Most publishers are simply forced to accept such policies otherwise their earnings would reduce significantly.


I don't think most people would know how to do that, or even that you could.


I think most people would perfectly be able to do this, they just don't care. So why force privacy on them if they don't care about privacy? Even with this warning message I guess that 99% of the users will just click it away without reading it.


Not having the technical expertise does not mean not caring about privacy. A lot of technical people make that mistake. The users click it away without reading it because they don't understand it.

Hence, people might feel that a level of privacy should be provided by law, not by optional technical doodads.


You think most people understand the concept of cookies in the browser and how to change the settings for them?

Maybe people don't care about privacy as an abstract concept, I think people do care about possible outcomes - say my partner borrows my machine and starts seeing ads for the surprise holiday I was planning.


Even if they didn't care, it doesn't mean that it's socially desirable to have websites track users.

It's certainly desirable for website owners though...


> Problem solved.

Not really. You can achieve similar dubious goals with various other technologies that are not so readily disabled, or that are usually implemented independent of the browser itself anyway (e.g., "Flash cookies").


In 10, 20 years people around the world may ask the Europeans how they got such a rather high privacy standard. While I don't agree with all of the regulations, the tendency here is to make everything private by default and only disclose what is needed. We should be able to decide ourselves what to disclose without having to install add-ons to block everything.

That said: I also use tracking, but anonymize as soon as possible. And: there are enough laws that contradict regulations like these (such as the governments forcing the ISPs to store the communication data from the users).


I won't be asking that until places like London get rid of all the police cams. Although, apparently they are highly effective: http://news.bbc.co.uk/2/hi/8219022.stm

While I applaud the EU's efforts on this, it seems a bit of stepping over dollars to pick up pennies. The bigger battles for privacy still need to be fought.


> The bigger battles for privacy still need to be fought.

They do, but you have to start somewhere, and at least this is a step in the right direction.

My personal view is that a privacy backlash is building. For the past decade or so, we have lived under an unwelcome combination of commercial interests who now have the technology to conduct mass surveillance and government interests whose politics is governed by fear, which in turn drives the surveillance state. I think it's becoming increasingly obvious that the cost/benefit in both cases doesn't justify the price we're paying, and it's starting to be the common guy or girl in the street who is asking questions and not just the privacy advocates and civil liberties campaigners.

As debates like this one start to hit mainstream media like the BBC, the political winds will shift, helped by the fact that many of the over-reactionary post-9/11 government administrations have now been shown the door so the political resistance is lower. As long as those of us who care can keep building the momentum, and the global picture remains more one of hope as dubious governments are falling than one of fear after a string of terrorist attacks, I think we'll start to build a more reasonable regulatory framework for protecting privacy when it's important to do so, without unduly disrupting useful innovations.


We can find numerous examples where there are things (like the cameras you mention) that contradict the privacy regulations. But I hope that we don't get into a "well, it's all hopeless" mode. Thanks for the good pointer.


I'm usually not a proponent of EU regulations, but I don't think telling customers the truth should be considered harmful by any serious entrepreneurs.

Customers will probably be scared at first, but once they understand a bit more about tracking (which are harmful, which are not), an opt-in system will definitely add to customers' confidence, and thus benefit business in the long term.


if you have to have a big warning sign just for a cookie that will remember you for purely convenience so that it keeps you logged in. The user won't read that detail – they will just think you're a privacy nightmare and won't sign up

The only times lay surfers have heard about cookies is in the news when severe privacy invasions have occurred. To those that have never heard of it, it is new, so they are cautious. Some parts of the industry have misused that technology and now the whole industry is called to gain back the users' trust.

The EU law's intention is to shift the responsibility from the companies to the user, i.e. they will be the ones to decide whether they want to use cookies or not. To make that decision they need to be informed about its positive and negative sides.

Regarding opt-out models, how many people will know about that? So if I'm not aware of opting-out, is it my fault if some company goes berserk with my privacy rights?


So don't track - and sell that to your customers and visitors as an advantage.


That's the issue - what's the definition of "track"?

I've not seen a decent discussion of this anywhere - the BBC site says "shopping baskets are exempt" but what about session cookies? What about font-size preferences or logins?

I've asked my MP (in the UK) to look into it...


I presumed tracking meant cookies which were used outside of one website. Good point.


That's how free markets work. Unfortunately, this law doesn't allow for the consumer to choose what's best for himself.


Is this about tracking via cookies only, or cookies in general? Does it mean I have to ask for consent to use ganalytics as well?


There are some lawyers in Germany that already now presume that Google Analytics is illegal: http://eu.techcrunch.com/2009/11/24/google-analytics-illegal.... And due to the German "Abmahnung" law (see http://en.wikipedia.org/wiki/Abmahnung) it's rather easy for them to "fine" you if you use it anyway: "One German lawyer that gets cited in the article says the penalties could amount up to €50,000 (about $75,000) per website that uses Google Analytics to keep track of its visitors’ usage patterns."


Good. User tracking is antisocial and Google is one of the worst offenders.


They are not suing Google. They are suing website owners using Google Analytics without consent from the users. They tried to reach an agreement with Google first.


How is Google Analytics not a form of tracking?


They will need member states to actually enforce this law. Until then it's a dead letter like so many other EU laws that get ignored.


There are already lawsuits in Germany against websites using AdSense or Google Analytics. Also the WordPress plugin Akismet (distributed spam filter) is apparently a no go in the future.

Just some examples - so yes, I think this could definitely hurt EU startups, or at least smaller projects that rely on adsense.


It is by no means against the law in Germany to use adsense or Google Analytics. You just have to get the consent of the user before you are allowed to have their personal information processed by a third party.


I'm not a lawyer. Anyway, I have yet to see a web site anywhere on the internet that asks the user for said content. So we'll just have to wait how it plays out once web sites start doing that.


It will be interesting if this actually works out worse for privacy; say the site decides instead to remember you (for ad purposes) by IP address instead of by cookie, so everyone from that IP address ends up in the same profile target.

E.g. I visit a website to buy a birthday present for my wife, but later everywhere she browses she suddenly sees adverts for the shop or product that I bought.


They will use a combination of user-agent, IP address and other browser profile information. This is surprisingly good at uniquely identifying most computers.

It only really falls down when there are a large number of totally identical machines in the same IP range, where the machines are locked down so plugins (etc..) cannot be installed. E.g. a large office or university lab.
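An added illustration of the comment above, not code posted by anyone in the thread: it measures how many visitors each combination of attributes singles out, and shows the identical-lab-machine case collapsing into one large anonymity set. The visitor records, attribute names and the `profile` strings are constructed for the example.

```python
import math
from collections import Counter

def make_visitors():
    """Constructed sample: six home machines plus a locked-down lab of 30 clones."""
    homes = [
        ("203.0.113.10", "Firefox/4.0 Win7", "flash=10.2;fonts=312"),
        ("203.0.113.10", "Chrome/10 Win7", "flash=10.2;fonts=298"),  # same household IP
        ("203.0.113.77", "Firefox/4.0 Win7", "flash=10.1;fonts=312"),
        ("198.51.100.5", "Firefox/4.0 Win7", "flash=10.2;fonts=312"),
        ("198.51.100.9", "Safari/5 OSX", "flash=10.2;fonts=205"),
        ("198.51.100.23", "IE8 WinXP", "flash=10.0;fonts=187"),
    ]
    # Lab machines: same NAT address, same image, plugins cannot be installed.
    lab = [("192.0.2.1", "IE8 WinXP", "flash=10.0;fonts=150")] * 30
    return [{"ip": i, "ua": u, "profile": p} for i, u, p in homes + lab]

def key(visitor, attrs):
    return tuple(visitor[a] for a in attrs)

def anonymity_sets(visitors, attrs):
    """Count how many visitors share each combination of the chosen attributes."""
    return Counter(key(v, attrs) for v in visitors)

def unique_fraction(visitors, attrs):
    """Fraction of visitors whose attribute combination nobody else shares."""
    sets = anonymity_sets(visitors, attrs)
    return sum(1 for v in visitors if sets[key(v, attrs)] == 1) / len(visitors)

def surprisal_bits(visitors, attrs, visitor):
    """Identifying information (in bits) revealed by this visitor's combination."""
    sets = anonymity_sets(visitors, attrs)
    return math.log2(len(visitors) / sets[key(visitor, attrs)])

if __name__ == "__main__":
    visitors = make_visitors()
    for attrs in (("ua",), ("ip",), ("ip", "ua", "profile")):
        print(attrs, f"{unique_fraction(visitors, attrs):.0%} singled out")
```

Run against a site's own request logs, the same counts show how much identifying information is being retained even when no cookie is set.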


> They will use a combination of user-agent, IP address and other browser profile information. This is surprisingly good at uniquely identifying most computers.

But useless for the case he mentions where he cleared the cookies, but it doesn't matter...


Another case of well intentioned intellectuals trying to protect the poor consumers from themselves but ending up hurting them.



A tongue in cheek example of what users might face:

http://www.davidnaylor.co.uk/eu-cookies-directive-interactiv...


Try configuring your browser to ask for your permission every time a cookie needs to be stored. Some websites have 4-5 cookies and clicking "accept" (or "deny") several times over for a site is just unusable.


I use the Cookie Monster addon for Firefox. It provides a similar interface to that provided by NoScript. It blocks cookies by default, and lets you permanently/temporarily accept full cookies/session cookies, on a per domain basis.

I can use news.ycombinator.com because the first time I came to this site after installing Cookie Monster, I set it to accept session cookies from ycombinator.com, and to permanently remember that setting. I don't need to let ycombinator set long lived cookies, and I certainly don't need to let clickpass.com set a cookie on my computer when I visit the news.ycombinator.com login page.


I don't use cookies myself for my web site, but Apache logs a good deal of data. I think this alone warrants a "privacy policy" page. I plan to set up one soon.


You may be interested in Weinberg's (founder of DuckDuckGo) blog-entry on privacy-aware logging. http://www.gabrielweinberg.com/blog/2010/11/how-to-not-log-p...
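One way to reduce what an Apache access log retains, as an added example that is not from either commenter and is not the method of the linked post: it rewrites combined-format lines with the address truncated, the authenticated user name dropped, query strings removed and the user agent reduced to a family name. The sample lines, the /24 and /48 truncation lengths and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '203.0.113.42 - alice [09/Mar/2011:10:15:32 +0000] "GET /search?q=surprise+holiday HTTP/1.1" '
    '200 5120 "http://example.org/offers?id=77" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"',
    '2001:db8:abcd:12:a1b2:c3d4:e5f6:7 - - [09/Mar/2011:10:16:01 +0000] "GET / HTTP/1.1" '
    '304 - "-" "Mozilla/5.0 (X11; Linux) AppleWebKit/534.16 Chrome/10.0.648.127 Safari/534.16"',
]

def mask_ip(host):
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (assumed lengths)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "-"  # a resolved hostname or junk: drop it rather than keep it
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def strip_query(url):
    """Remove the query string and fragment, which often carry search terms or ids."""
    return url.split("?", 1)[0].split("#", 1)[0]

def coarse_agent(agent):
    """Reduce the full user-agent string to a browser family."""
    for family in ("Firefox", "Chrome", "Safari", "MSIE", "Opera"):  # Chrome before Safari
        if family in agent:
            return family
    return "other"

def minimise(line):
    """Return a reduced log line, or None when the line cannot be parsed safely."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None  # unparseable lines are dropped, never passed through raw
    f = m.groupdict()
    parts = f["request"].split(" ")
    if len(parts) == 3:  # METHOD URL PROTOCOL
        parts[1] = strip_query(parts[1])
    request = " ".join(parts)
    return (f'{mask_ip(f["host"])} - - [{f["time"]}] "{request}" {f["status"]} '
            f'{f["size"]} "{strip_query(f["referer"])}" "{coarse_agent(f["agent"])}"')

if __name__ == "__main__":
    for raw in SAMPLE:
        print(minimise(raw))
```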


The point is not to prevent this law in EU but promote it in the US as well, we have to level the fields but at the same time move towards better privacy.


EU to the internet: You shall store no state!


This is not about storing state, but using cookies to track users across domains in order to build up a profile about the user. It is only the latter that needs explicit permission under the new law.


Of course, phrasing new regulations to cover only that specific application of cookies while allowing any other legitimate or future uses is going to be interesting. And by interesting I mean pretty much impossible.


What if I write my app in such a way that makes it critical to use google analytics cookie, otherwise it won't work?

What defines critical?


This is another stupid face of Europe's health and safety madness. No wonder the growth rate is going down day by day in EU. Due to all these unreasonable regulations a lot of young start-ups have already moved to the US.



