Hacker News
Cookie law makes most UK websites illegal: what you need to know (silktide.com)
75 points by Garbage on May 26, 2011 | 74 comments



I hope UK websites don't start working like this: http://www.davidnaylor.co.uk/eu-cookies-directive-interactiv... (Don't click the checkbox, read the texts and keep clicking OK)


What am I missing?

Example 1: Amazon uses a cookie to keep track of login and a shopping cart. -> No popup since they are essential.

Example 2: foobar.blog.com uses cookies to track me (ad-banners and analytics). -> Popup to ask for my consent for those "useless" cookies.

Now I understand that the "useless" is somewhat debatable, but I very much welcome the discussion. This is not about breaking the web, and postponing this law is a good idea, but I look forward to starting to clean up the cookie mess. "Do not track" and "don't accept third-party cookies" get us half the way, but since the web industry does not react to the European pursuit of high privacy standards, it might be a good time to suggest some laws to create pressure.

What law would I suggest? Primary cookies (example 1) are okay without a popup, secondary cookies (example 2) either expire on the same day, or need a popup to ask for permission to stay on my computer for longer than a day.


How many sites have Google Analytics or something similar? I would argue that analytics are as essential to the operation of an online business as shopping carts. Allowing a large portion of your website users to opt out of analytics effectively cripples you compared to competitors based out of countries without these restrictions.


Fair enough! But let's separate between session-specific analytics, and lifetime analytics. As a person concerned about privacy, I don't care much about "your" analytics about click-through and how long I stay on your site and what I click and what not, this is session specific, and helps you with your business. However, this should be possible with "one-day" cookies. You don't need to know that I was on your site a week ago, and that I happen to leave your site with a full cart for some reason, or that the last banner with food did not work on me, so this time you'll try the car-banners.


So you think that MixPanel, KissMetrics, Google Analytics and all the other advanced analytic services provide no essential value to both the site owner and the public?

A/B tests last more than a session (if you return to the site 30 minutes later after doing some research, you want to see the same site, right?). Cohort analysis requires tracking how people use your website for months or years to see the effect of changes on long-term activity and customer retention. Simply tracking the effectiveness of your own advertising efforts (how many and which campaigns contributed to this sale? what's the lifetime value of a customer from this source?) requires multi-session tracking. Many purchases happen days or weeks after someone initially clicked an ad leading to your site.

Now it's possible to do some of that kind of analysis without cookies, but it requires you building and running all the tracking and reporting on your own server. To expect even a tiny fraction of the site owners that can currently plug into KissMetrics/MixPanel/Google Analytics/Optimizely/etc. to build out the same capabilities in house is absurd.

None of this has to do with serving customized ads to you, yet you are arguing that companies in the UK should not be able to do any of that, and they won't be at a disadvantage compared to the rest of the world?


Sure, this would be a huge disadvantage. But that is no reason not to have a discussion about it. The HN community relies heavily on analytical services, and there is a bias against privacy advocates or anything that would bring change to how the web functions right now. The www does evolve, and some decisions from the past may have to be reverted.

Would such a change be difficult? Would it shift the burden of analytics? Sure!

But be open minded: The real world is full of analytics, but for most of them you have to opt in. When I go into a bank, I don't want the bank to know that I was rejected 10 times that same day somewhere else. I want a fair chance on my loan. I don't want my girlfriend to know that I browsed a webstore for some medication a week ago. Analytics providers could know all that. And they can reassure that they will not use that information, but the point here is to prevent the accumulation of it in the first place.

What would happen if someone hacked an analytics provider, and put all this stuff online? Type in an IP address, and I give you all I know about that IP address. Nobody is doing it, because the data is anonymous, so it's hard to cash it in. But it certainly would destroy some lives or marriages.

I believe the problem the legislator is trying to solve here is to prevent the cross-referencing that analytics and ad providers facilitate across different web pages. And I believe this is an honorable goal.


> When I go into a bank, I don't want the bank to know that I was rejected 10 times that same day somewhere else.

The bank does know this, it'd be in your credit report.

Also, ad networks are worse than the analytics companies.


Off topic: It used to be that your credit report was only updated every 24 hours so if you were denied credit at a bank your best bet would be to go to other banks that same day. I guess it's faster now though.


> How many sites have Google Analytics or something similar? I would argue that analytics are as essential to the operation of an online business as shopping carts.

I think you are overstating the case for Google Analytics in particular, as well as blurring the value of other non-intrusive methods.

Remember, this only affects UK companies dealing with UK visitors (or perhaps EU companies dealing with EU visitors). You still have complete control to stomp over all privacy concerns of US and other non UK (or non-EU) visitors. So you are not completely losing the value of Google Analytics, you just need an informed consent of a subset of your audience.


There is no completely accurate way to identify that subset other than asking every visitor for what country they reside in. To avoid ever violating this law, you would have to implement the changes for all visitors.


Perfect is the enemy of the good.


FTA: "a cookie which was set to welcome a user back to a website, or to record what pages they view would not be strictly necessary"

I can imagine a good case for saying this kind of thing is essential from a usability perspective. Who's to say if it is "strictly necessary" or not?


The spirit of the law is protecting the privacy of site visitors from being leaked to third parties, intentionally or otherwise, and gaining their informed consent before doing things with cookies that violate that privacy.

So the particular focus on third party cookies (be it 3rd party analytics tools and/or third party advert networks and/or 3rd party AB testing frameworks). These 3rd parties amass browsing habits and habits of visitors across multiple sites and topics. They use that information to build personalised profiles of an individual. This is done without the individual's consent. So the individual believes they've visited a set of independent websites, and they don't realise that some third party is watching over their shoulder. If they realise that is happening, and the implications of that, they would probably decline to participate, if they knew how.

So consider the use of cookies with that as a guide (but I am not a lawyer, if you are not absolutely certain, consult a lawyer).

I, for one, would be very surprised if a business got successfully sued for having a first-party cookie that clearly wasn't shared with any other site that was used to present a "Welcome back" message. Unless there was a third party script on the page watching for the appearance or non-appearance of that message.


I don't get what's so hard about the concept of "strictly necessary". If you take the cookie away and the site ceases to function such that the user cannot complete tasks they are there to do, then the cookie is strictly necessary. If the site continues to function, even if your business analytics are somewhat impaired, it's not strictly necessary and you need to gain the user's consent to set it.


Because the site may continue to function, but with reduced usability. I don't believe the new law says anything about analytics, just cookies which are not (waves hands) "strictly necessary". Just how much of a degradation in usability is acceptable is presumably a question for the lawyers.


There's a disconnect here. How does the absence of analytics mean the site continues to function with reduced usability? You could argue that over time the site's usability would not increase as much as it might be due to missing analytics data, but it won't be reduced just because the Google Analytics beacon isn't present on the page.

If you think that having analytics data is such a benefit to the user, explain to them why you want to track how they use your site and let them decide whether they're happy with that. That's all this law requires.


Again, the new law does not specifically mention "analytics" - the analytics issue is something that you yourself have come up with. If you read the guidelines, you'll notice that it states that consent does not need to be sought "where such storage or access is strictly necessary for the provision of [a service]". As I mentioned above, the provision of a service may have a usability component, for which cookies are necessary; however the service may work with degraded usability without such cookies. Would a degradation in usability make the cookies "strictly necessary", and if so, to what extent? This is something the new law does not address, and causes worry for web developers like me.


Enforcement has been delayed by a year. See, e.g., http://media.cbronline.com/news/ico-tins-cookie-law-till-nex...

Previously on HN:

1. Stupid EU cookie law will hand the advantage to the US - http://news.ycombinator.com/item?id=2304341
2. Europe's war on cookies - http://news.ycombinator.com/item?id=2535837

The discussions here on HN were more useful, I think, than the linked stories.


ICO is literally a mile from my house. Might pop round with some cookies.... a present for crippling UK industry.

It's not like we're running behind already. Let's just nail that coffin fully shut.


Be sure that they're made aware of what's in your cookies, and have given full consent to receiving them.


Yeah, they might arrest you for 90 days and figure out if they are spiked with poison or something. I'd suggest not doing it ;p


Be friendly when you deliver the cookies: the ICO is trying to do its best with vague legislation - they don't get to decide how the courts will interpret the legislation.


In response to step 3, "decide what solution to obtain consent will be best in your circumstances", there's a discussion on ux.stackexchange related to potential methods for obtaining consent: http://ux.stackexchange.com/questions/7318/what-ux-solutions...


Oh, good link.

I've been toying with not explicitly asking for consent, but prominently displaying the fact that data gathering is taking place with an icon, along the lines of the cookie monster eating tracking data. Clicking on the icon pops up a control that explains what tracking I'm doing, the usability consequences of switching off tracking, and gives an off switch for tracking. The off switch is implemented by another cookie, but since this cookie isn't tracked (i.e., I don't store any data about the cookie on my machine), it isn't covered by the privacy law.

This seems in keeping with the spirit of the guidance on p8 of the FCO report: http://www.ico.gov.uk/for_organisations/privacy_and_electron...
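The gating logic behind an off-switch design like the one described in the comment above, written out as an added example (this is not the commenter's code). It works over the raw Cookie header string so it runs in Node as well as in a browser; the cookie name `tracking_consent` and the script URL in `ANALYTICS_SRC` are assumptions for illustration, and the `policy` parameter shows the difference between the opt-out design the comment proposes and the opt-in the ICO guidance asks for:

```javascript
// Added example, not the commenter's code. A consent gate for non-essential
// cookies: pure functions over the Cookie header string, so it runs in Node
// as well as in a browser. The cookie name and script URL are assumptions.

const CONSENT_COOKIE = 'tracking_consent';                    // assumed name; values 'yes' | 'no'
const ANALYTICS_SRC = 'https://analytics.example/tracker.js'; // placeholder, not a real endpoint

// Parse a "Cookie:" header (or document.cookie) into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// May analytics/ad scripts be loaded for this visitor?
//   'opt-in':  only after an explicit 'yes' (what the ICO guidance asks for).
//   'opt-out': unless the visitor has flipped the off switch (the icon-and-switch
//              design described in the comment above).
// A recorded 'no' wins under either policy.
function mayLoadTracking(cookieString, policy) {
  const consent = parseCookies(cookieString)[CONSENT_COOKIE];
  if (consent === 'no') return false;
  if (consent === 'yes') return true;
  return policy === 'opt-out';   // no preference recorded yet
}

// Set-Cookie value recording the visitor's choice. The cookie holds nothing but
// the preference itself, so it is not a tracking cookie.
function consentCookieHeader(choice, { secure = true, maxAgeDays = 365 } = {}) {
  if (choice !== 'yes' && choice !== 'no') throw new Error('choice must be "yes" or "no"');
  const attrs = [`${CONSENT_COOKIE}=${choice}`, 'Path=/', `Max-Age=${maxAgeDays * 86400}`, 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Browser-side loader: injects the analytics <script> only when allowed.
// `doc` may be passed explicitly (e.g. a stub) when there is no real document.
function loadTrackingIfAllowed(policy, doc) {
  doc = doc || (typeof document !== 'undefined' ? document : null);
  if (!doc || !mayLoadTracking(doc.cookie, policy)) return false;
  const s = doc.createElement('script');
  s.src = ANALYTICS_SRC;
  s.async = true;
  doc.head.appendChild(s);
  return true;
}
```

The important property is that the off switch is honoured before any third-party script is injected: once the tracker script is on the page it can set its own cookies, so the decision has to be made by first-party code that runs first.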


Currently I have the freedom as a user to opt out of all cookies. But when & if this law even comes into play I won't be able to opt out of the endless pop-ups asking me to enable cookies.

I'm all for protecting user privacy, yet it's not a problem. Most users understand how to use 'private browsing'. Yet a lot will be puzzled why a website wants cookies?

This will massively cripple the EU online industries. I'm shocked at the lackluster response from the industry itself.

Additionally the law is both overly specific and vague. It seems to pick out certain technical functions yet state a vague and broad solution.

Plus the law fails to stop any really bad forms of tracking.


You certainly have the freedom as a user. However, imo, what's been missing since day 1 is any sort of moderately understandable UI for controlling this. Most people understand the basics of bookmarking. If we had some browser UI with 3 or 4 lights (red/green/yellow, etc) that we could click to allow some or all cookies on a per site basis, people would have a sense of control over all this stuff (just like they do bookmarking).

The problem comes in when 'cookies' are intermingled with the word 'privacy', and control over that is typically buried multiple levels away in swathes of technomumbo.

http://gyazo.com/77a1c905b6477b10f6ee71e760075db3.png

^^^^

That's listed in 'under the hood', which non techies would probably shy away from. Even if I go there, I have to 'manage exceptions' and decide whether to 'block third party cookies from being set' (while at the same time having to ignore exceptions if I want to block third party cookies).

I know this stuff inside and out and it's confusing to me. I understand the geek need for 'low-level controls to tweak everything how I want it!' but for goodness' sake - if we have a few up-front always visible controls in a user-friendly manner, the EU ministers could block cookies all day long, understand how to do it, and understand anyone else could do it too. It would not have the appearance of the black magic it does now.


Well, your example's from Chrome which has the worst options management ever. Quick, is cookie management part of "Basics", "Personal Stuff" or "Under the Hood"? Or maybe it's not in any of those at all, but in the spanner [wrench] icon dropdown? Is there any setting you might want to change for which it's clear which of those categories is most appropriate?


I don't think FF is much better.

IIRC every new point version I'd get seemed to have moved things like cache info and cookie settings to different tabs, and renamed how things were labelled.

In FF5, "tell sites I don't want to be tracked" is a single checkbox under "privacy", but "advanced->network" has "tell me when a site wants to store offline data". Huh? I understand the tech differences, but it's just confusing, and again, hidden. Two or three minor additions to the nav bar allowing you to block or allow cookies would go a long way towards making users feel in control of this type of data.


Your choice to opt-out of cookies has the side-effect of sites breaking because they assume cookies are accepted. So you're pretty used to broken / non-working sites.

In that case, I don't see why having a constant pop-up message on every page of a working site is worse than a mostly broken website.

Do broken websites still work well enough for you?

This won't massively cripple EU online industries. Cookies used by the core service are unaffected, so EU companies can offer the same service as normal.

The restrictions really affect cookie based traffic reports (so use weblogs or image beacons instead), A/B testing preferences, accepting money from advertisers to track visitors through your site.

This hardly cripples EU online industries, it might have a positive side-effect of site visitors being more amenable to paying for online services which are currently ad-supported, so as to opt-out of cross-site analytics and advertiser profiling cookies.

The consumer having the choice about their privacy is an issue that's only going to get more important over the next couple of years. If your business depends on building profiles of users without their consent, yes, those businesses need to adopt non-cookie methods of doing this, and/or consider being more upfront to the visitors, and explain clearly why these features are of benefit to the visitor.


> The restrictions really affect cookie based traffic reports (so use weblogs or image beacons instead), A/B testing preferences, accepting money from advertisers to track visitors through your site.

The article says that anything which you could use instead to get basically the same end result as a cookie, but which technically isn't one, is still covered by this legislation. If so, you would need to get consent for non-essential image beacons as well, or weblogs(?) or whatever else you chose.


The definition of "cookies used by the core service" here is so far off it's insane. Analytics packages like Google Analytics are not part of my "core service"?

It increases the burden on site owners collecting data about things that are happening on their own site. Less data leads to less ability to make optimization decisions leads to a worse online experience for everyone who uses that site. If I can't A/B test my site how the hell am I supposed to improve it?

Additionally, for ad supported sites, don't be shocked to see revenue drop like a rock when sites can't fill any inventory with retargeted ads or other forms of more targeted advertising that pay a higher CPM. Less money = less resources = worse experiences.


> The definition of "cookies used by the core service" here is so far off its insane. Analytics packages like Google Analytics are not part of my "core service"?

If Google Analytics is a core service your site offers to visitors, then I suggest you have bigger problems than just this tiny change to UK Law.

On the other hand, if what you say is indeed true, surely you can come up with a compelling explanation to your visitors over why it is in the visitor's best interests to opt in to having a Google Analytics cookie added.

> It increases the burden on site owners collecting data about things that are happening on their own site

That's only if you decide not to give the user a choice of whether to opt in to tracking or profile-building cookies. I don't think you should write that option off so quickly.

Sites should always take the privacy issues of their visitors seriously. Now is a good time to sit down and consider it. No longer can you turn a blind eye and let third parties use your site to build profiles about visitors. Now you have to get their informed consent first.

> If I can't A/B test my site how the hell am I supposed to improve it?

You can A/B test your site. If you want to use a method that requires cookies, then get the visitor's consent first.

> Additionally, for ad supported sites, don't be shocked to see revenue drop like a rock when sites can't fill any inventory with retargeted ads or other forms of more targeted advertising that pay a higher CPM. Less money = less resources = worse experiences.

This is not surprising. The value of ads is based on the profiles they build up about each visitor to your site. You've been making money by quietly leaking their browsing history to these third party ad-networks. Now you are being asked to be more responsible.


> If Google Analytics is a core service your site offers to visitors, then I suggest you have bigger problems that just this tiny change to UK Law.

Why does caring about storing accurate data about what users are doing on my site so I can improve it mean I have "bigger problems"?

> You can A/B test your site. If you want to use a method that requires cookies, then get the visitor's consent first.

I could also ride a horse instead of driving a car...


You do have quite a unique definition of "the core service of the site".

All I can suggest at this point is that you need legal counsel to confirm your definition is compatible with the definition within this particular legislation. If that is indeed compatible, then I guess you probably have a good argument indeed for the need of the Google Analytic cookie, and that it is required for the service you offer visitors.

> I could also ride a horse instead of driving a car...

I'm sorry you feel this way about the right of your site visitors' privacy. It's a great shame you don't seem willing to respect that.


> you need legal counsel to confirm your definition is compatible with the definition within this particular legislation

Why bother, I would rather sacrifice operating in the entire UK than degrade the experience across the entire userbase. I would not be surprised if many other people made the same decision.

> I'm sorry you feel this way about the right of your site visitors' privacy. It's a great shame you don't seem willing to respect that.

Your condescending tone is noted and unappreciated. I would like to clarify that I am specifically speaking about tracking usage of the site for purposes of conversion optimization and usability improvements. I strongly disagree with your assumption of a reasonable right to privacy when you are using my website. If you choose to use my site, what gives you the right to preclude me from tracking what you are doing on my website?


> I strongly disagree with your assumption of a reasonable right to privacy when you are using my website.

You're pretty much at an irreconcilable position with UK/EU legislation with this firm stance. Based on that, your preferred approach of sacrificing operations in the entire UK is a logical avenue for you.

Keep in mind the longer-term implications of that if other countries decide to adopt a visitor privacy-centric approach. The growing concerns about online privacy aren't showing much sign of dampening, so it's a risk you need to evaluate appropriately, and take the path that's best for your operation.


In other articles I have read mention of allowing the user to opt in via the browser:

For example the directive suggests users can express consent through the use of browser settings, whereas the ICO guidance states, "At present, most browser settings are not sophisticated enough to allow you to assume that the user has given their consent to allow your website to set a cookie… We are advising organizations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way."

http://www.clickz.com/clickz/news/2073597/cookie-law-creates...

This would be pretty easy to do with an extension and something like OnePass or OpenAuth. My issue with that solution is the centralization. I like having multiple passwords, however, I also like having everything blacklisted and making the user whitelist websites.

We are still waiting on over half the EU to say that they will implement this. Can't wait to see what interesting ideas spring up.


At iubenda we are working to solve this problem once and for all, by embedding a simple widget which provides a small popup for allowing the unnecessary cookies. We are working with our lawyers for designing an opt-in which is service-based, so that you need to "allow" Google Analytics just once for any website.

Stay tuned, we are working hard for fixing this issue.


Slightly over-egging the pudding with the headline, I think. The government has stated that they won't be enforcing this law until they've figured it out themselves.


Peter Thiel was on to something....

"We need to figure out a way to escape from it (politics)".

Shit like this is a reminder that we don't have much time.


Question, does this affect websites hosted in america (the continents) who might have UK based visitors?


also, does this law just affects sites hosted physically in the uk? if a site is on a server in the us, does that avoid it?


This hasn't been clarified yet. Some people think it may affect all EU traffic.

Seems like we might be having a tracking paradox.


Right? Especially where you can no longer really trust IP-based geolocation now that we've run out of IPv4 addresses, and they're allowing single address trading. What you could once reasonably guess was a US address based on the IP block may now actually be owned by a UK organization.


As far as I understand, from an off-hand chat with a lawyer last year, UK law applies to businesses that have a record or filing in Companies House. http://www.companieshouse.gov.uk/


Can't we all just ignore it? What are they going to do? Send us all to prison?!

The law is based on consent. Social Contract. All of that...


Ignoring this law means ignoring the privacy concerns of your users. If you're happy with that, you're part of the reason this law was introduced in the first place.


What privacy concerns? That they came to a site and stood around for 4 minutes and read some article?

Are my users concerned to go out too, and of their dress, and is that privacy also?

How would they like it if the first greeting in a shop was, Hello, we are watching you, we are here to serve you, and take as much money as we can from you.

Why do they not go after the people who actually do the tracking? Why do they not impose a legal obligation on google and ad agencies to not track, or on facebook or whatever. Why go after thousands of people. Not everyone is a programmer. Many website owners have no clue what a cookie is, which one is essential or otherwise, how to not store cookies, or delete them, etc.

The end effect is then that the web stops being free for all. The corporations, with the resources to abide by such laws, once again take control. The man on the street can no longer simply get a template from some website and put some ads on it. He needs to pay some programmer, which he probably cannot afford.

What user has been hurt? What privacy has been infringed? What have we found out about anyone which was previously secret?

This is about control. Nothing else. As such, the people will do what they do best when met with ridiculous and far reaching laws, ignore them. Let them arrest us all!


> Why do they not impose a legal obligation on google and ad agencies to not track, or on facebook or whatever.

They do. As I understand it, this law applies just as well to the likes of Google, Yahoo and Facebook as it does to the sites that host their ads. There is some ambiguity over exactly who is responsible for gaining consent for 3rd party cookies — ICO have stated that this is a complicated area and more guidance may be forthcoming — but my approach is that I can't trust these third parties to cover my arse so I'll do it myself.


So this law was passed without any technical solutions in place whatsoever? It seems they completely ignored the tech community on this.

http://www.bbc.co.uk/news/technology-13541250


I think it was not so much that the community was ignored, but that the law was passed under unusual circumstances: usually the lobbyists inform the legislators, who defer to industry on the specifics. Here the lobbyists mostly hated the legislation, but legislators were more responsive to privacy activists because of widespread public concern. So the law is a triumph of democracy over technocracy.

And I think that's reflected in the legislation. The principles are OK, but the detail does not match up with practice. Hence the law is some way from being something workable.

It is well worth reading the ICO report: http://www.ico.gov.uk/for_organisations/privacy_and_electron...


Ah, judging by that report, the law really seems quite reasonable.

Basically, if the user explicitly requests some functionality, like creating an account or saving a preference, and you need a cookie to do that, you don't have to ask permission to set it.

If you want to do anything else with the cookie, you have to get informed consent and the practical way to do that is by making it part of the request e.g. adding an explanation and checkbox to the signup or preferences page. Naturally, the more you want to do with the cookie, the more you have to explain to the user.

So effectively, you get to track users in exchange for their engagement with your site, and you have to (gasp) tell them exactly how you are tracking them.


Yea, I think the problem here is lack of technical competence of legislators.


The solution is: a) stop using analytics and ads that set cookies or b) put an annoying dialog on your site.

I have to do some more research before I decide for sure where I stand on this issue, but I strongly suspect that the tech community is indulging in a little entitlement here.

As important as cookie tracking is to web developers, the vast majority of voting citizens do not believe they are deriving any value from it and do believe that it is a potential threat to their privacy. These beliefs seem reasonable to me.

It may be a financial blow to web businesses but I don't think it hurts any of the things that make the web valuable to people at large.

This is the kind of democracy that people scream for here: listening to citizens and citizens only. It kind of sucks when you are the corporate special interest being trampled on.


Actually, it hurts consumers, a lot. Without cookies, we won't have Google Analytics, or any of the major analytics packages. We therefore wouldn't know about things like screen resolutions, etc., so we'd have to design to the lowest common denominator possible, because we wouldn't know that only 1% of visitors have 800x600 screens now.

We also wouldn't be able to track conversion goals, which you seem to think is some kind of profiteering, but it's not just for ecommerce checkouts used in tutorials. For example I can use it to find out where people are hitting snags adding events to a community events calendar, which I wouldn't consider a corporate special interest at all.

And what do we do about frameworks that automatically set a session cookie? They aren't just used on corporate websites.

Also, I think you'll find that most corporate special interests try to minimize the number of cookies set anyway, because when you compound a few bytes of cookies saved over a million visits, it's a large saving on bandwidth bills. Not so much for cheaply developed local sites for non-profits and community groups.


> we won't have google analytics, or any of the major analytics packages.

Weblog analytics packages have been around since the beginning of the Web.

> we therefore wouldn't know about things like screen resolutions, etc.

You don't need cookies to record browser capabilities. A smidgen of JavaScript and an endpoint of some sort, and you are there.

> so we'd have to design to the lowest common denominator possible, because we wouldnt know that only 1% of visitors have 800x600 screens now.

This is a hysterical overreaction. Or think about concepts like Media Queries, and Responsive Design. (You can haterz the name, but the principle is useful and appropriate).

> we also wouldnt be able to track conversion goals,

Don't your conversion goals have completion pages? Are you not able to add meta information to your links that record this information? Third party tools mostly require JavaScript anyway, so there's nothing impossible there.

> and what do we do about frameworks that automatically set a session cookie?

Don't store information in the corresponding server-side session that isn't essential to providing a service.

> think you'll find that most corporate special interests try to minimize the number of cookies set anyway

My anecdotal evidence differs from yours. I find the use of random third party analytics and ad tracking tools, plus on page cookies mean they set loads of cookies. Winnowing that down to a small number, like one per type/duration would help. Corporate interests in the UK don't care about saving bytes.


Check out this, from the EFF:

http://www.eff.org/deeplinks/2010/01/help-eff-research-web-b...

It's possible to identify a user based on only browser characteristics with a pretty high success rate. While in the white paper they mainly talk about using it to re-set cookies, there's no reason a site couldn't collect all of this information and sell it to 3rd-party advertisers. At that point they've gotten mostly the same results, and completely circumvented the law.

Writing laws that regulate the internet is extremely difficult.


log-based analytics packages are inaccurate. A single IP could represent 1 person, or 10, or an entire nation behind a proxy or NAT.

feature detection is done in JavaScript, but sent only once, as long as you set... a cookie. I don't want to run and execute any more than I need to. Sure, it's not a big deal, but it's an example of how this affects things that benefit consumers, and not a 'corporate interest'.

Responsive design and media queries have gotten a lot of 'ink' lately, but I think they're overestimated. There's a sweet spot for text length, and other elements in design. Knowing whether or not you can hit them for the particular users of your site is important. (There are other issues, but they're outside the scope of this argument.)

I'm unaware of any quality packages that would let you do things like tracking conversion goals without cookies, session or otherwise.

and on session cookies: how do we decide what's essential? Is a CSRF token essential? Does this allow me to set the session cookie on first visit? Do I need to dump my CSRF protection for non-logged-in visitors?

Honestly, I fight tooth and nail to keep designers from specifying third-party packages that require cookies at all. Right now, my employer's website sets 4 total: 3 for Google Analytics (used to be Urchin) and 1 for Vary-on headers for caching. Would the cookie we use for caching be illegal? It's not essential to the visitor, but with all the bots hitting our page that would never respond to prompts, we'd have to dynamically serve pages with each load. (Yes, we do need a better caching plugin for WordPress...)

That all said, my previous post was a response to how this only hurts corporate interests, and that in reality it does affect society at large negatively.


> log-based analytics packages are inaccurate. A single IP could represent 1 person, or 10, or an entire nation behind a proxy or NAT.

Cookie-based, javascript-based and/or image-based tracking mechanisms are also inaccurate, in different ways. You just pick the inaccuracy you're prepared to live with.

> feature detection is done in JavaScript, but sent only once, as long as you set... a cookie. I don't want to run and execute any more than I need to.

So you agree it's a valid alternative. Your preference that it only execute once doesn't absolve your responsibility for the privacy of your visitors to your website.

If indeed you believe it's in the best interests of the visitor to use a Google Analytics cookie, explain it to them and gain their informed consent.

> I'm unaware of any quality packages that would let you do things like tracking conversion goals without cookies, session or otherwise.

Well, you have time to research it. Perhaps there's a nice opportunity there for it. Some of it will be about brushing off and updating techniques in use before cookies became widespread and reliable.

> and on session cookies: how do we decide what's essential? Is a CSRF token essential? Does this allow me to set the session cookie on first visit?

I am not a lawyer, you need to consult one if the answer to this isn't clear to you.

Ask yourself what the purpose of a CSRF token is. Ask yourself whether it is in the visitor's interests to have this present. If you explained its purpose to the visitor, and the potential side-effects of both having and not having this cookie set, would you feel like you needed a shower immediately after?

My opinion is that a CSRF token is fine when it's only used for the purpose it is intended. If you are unsure, you should consult a lawyer.

> would the cookie we use for caching be illegal?

Is caching a core part of the purpose/service/offering that you offer to customers? If not, but you feel it is necessary for a better quality of service from you, then figure out a way to explain it to your site visitors, and let them make a decision on whether they want to benefit from its advantage. If they don't want it, then fine, they get a slightly slower experience.

> that all said. my previous post was a response to how this only hurts corporate interests,

Human beings and their privacy should come before artificial entities and their balance sheet.

> and that in reality it does affect society at large negatively.

I disagree. I think protecting the privacy of individuals is a positive thing. I like the idea of informed consent, particularly for things that breach my privacy without my knowledge. All you are being asked is to be upfront and seek the consent of your site visitors before sharing their information with a third party.

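The essential/non-essential split argued over above (the CSRF and session cookies in the question, and the opt-in the reply asks for) can be put into code as a consent gate on outgoing Set-Cookie headers. The snippet below is an added illustration, not code from the thread or from the ICO; the essential-name prefixes, the consent-cookie name and the sample Set-Cookie values are assumptions.

```python
from http.cookies import SimpleCookie

# Assumed policy: cookie-name prefixes this site classifies as essential to the
# service it provides (session and CSRF protection). Everything else is treated
# as non-essential and needs opt-in. The names are constructed examples.
ESSENTIAL_PREFIXES = ("sessionid", "csrftoken")
CONSENT_COOKIE = "cookie_consent"   # assumed name; value "analytics" = opted in


def parse_cookie_header(header):
    """Turn a request 'Cookie:' header value into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def classify(cookie_name):
    """Essential cookies are set unconditionally; the rest only with consent."""
    return "essential" if cookie_name.startswith(ESSENTIAL_PREFIXES) else "non-essential"


def has_analytics_consent(request_cookies):
    return request_cookies.get(CONSENT_COOKIE) == "analytics"


def filter_set_cookies(request_cookie_header, outgoing):
    """Split the Set-Cookie values an app wants to emit into (allowed, dropped).

    Non-essential cookies are dropped until the visitor has opted in, so a
    first-time visitor (and every bot) only ever receives the essential ones.
    """
    consent = has_analytics_consent(parse_cookie_header(request_cookie_header))
    allowed, dropped = [], []
    for header in outgoing:
        name = header.split("=", 1)[0].strip()
        if classify(name) == "essential" or consent:
            allowed.append(header)
        else:
            dropped.append(header)
    return allowed, dropped


# Constructed sample: a site with a session, a CSRF token and the old
# Urchin-era Google Analytics cookies, all of which it would set on a first visit.
SAMPLE_OUTGOING = [
    "sessionid=s3ss10n; Path=/; HttpOnly",
    "csrftoken=t0k3n; Path=/",
    "__utma=1.2.3; Max-Age=63072000",
    "__utmz=4.5.6; Max-Age=15552000",
]

if __name__ == "__main__":
    print(filter_set_cookies("", SAMPLE_OUTGOING))                        # analytics dropped
    print(filter_set_cookies("cookie_consent=analytics", SAMPLE_OUTGOING))  # all allowed
```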

> Human beings and their privacy should come before artificial entities and their balance sheet

But we're not talking about things that violate privacy. We're talking about things like preventing cross-site request forgeries, and having to ask permission to do it; we're talking about things like providing a faster experience, taking up less computing power, and possibly making the world a little greener, and having to ask permission of each visitor to do it.

> All you are being asked is to be upfront and seek the consent of your site visitors before sharing their information with a third party.

That's certainly not what the PDF on the ICO site says. (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...)

It doesn't talk about third parties at all. This discussion isn't even about how it affects ad networks.

> Well, you have time to research it. Perhaps there's a nice opportunity there for it. Some of it will be about brushing off and updating techniques in use before cookies became widespread reliable.

There is no opportunity; the same information just simply is NOT there. You get an IP, standard headers, and the request made. That's it. You can't query things like screen resolution, browser capabilities, or what version of Flash you need to target at minimum. You also lose flexibility: you need to be forwarding logs on to a central processor, or even have access to your logs in the first place, which many people do not.

Imagine some schmuck who adds a plugin to WordPress and gets fined, even though he doesn't know what a cookie is, because the plugin stores its state in a cookie (think tabs and whatnot). These aren't strictly necessary to the operation of the site, so it's a fine for him.

Which brings me to another question: how the hell can they even enforce this? You can't really automate it. There will be too much variation in consent popups and in-page elements, and who even knows what solutions. Someone would have to go site by site in the UK and check. And then, how would you know what sites ARE subject to this? UK sites aren't just limited to .co.uk. The company I work for has .com as their TLD. Does every UK admin need to register the sites they run?

This all seems a lot to ask just to block people from running Google Analytics. After all, do you think any ad networks that actually set cookies and track people are going to be in the EU at all? They're not really subject to these laws.


> That's certainly not what the PDF on the ICO site says. (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...)

That document has this:

"The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it."

> It doesn't talk about third parties at all. This discussion isn't even about how it affects ad networks.

The document you reference also contains this:

"However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent."

it even goes on to offer:

"It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale."


If it's really essential to the primary functionality of the site, then code it as part of the primary functionality of the site and you will be following the law.

If you need to run usability experiments, you will need explicitly consenting participants.

Things will be harder to do. You will probably have to invent some clever new ways to do things that used to be trivial. And yes, users may lose out on some stuff, but they are probably willing to make the sacrifice.

As usual, it's the consumer's job to tell you what they want and it's the business's job to figure out how to give it to them. But instead of voting with their dollar, they are voting with their vote.


The google/doubleclick faction is being demonized somewhat by this. This will affect pretty much every company that has any sort of web presence beyond a static 'hello world' page.

Perhaps this will be a short term boon for freelancers to get to revisit existing sites and make them 'compliant' (a mini y2k all over again) but almost any interesting feature or functionality someone would produce is going to use tracking/cookies of some sort, both to provide value to the company and to the end user (collectively, "the public").

And yeah, I guess many of us feel 'entitled' to keep using something which we've been using as a global standard for the past 15+ years.


It may very well affect every web company and it may deprive them of something they've taken for granted for a long time. Asserting that you should continue to have something simply because you have had it for a long time is precisely what I mean by entitlement.

No "standard" was ever agreed to by the overwhelming majority of the web population who don't understand the web on a technical level.

The tech industry used to be pretty good at self-regulating user privacy, but over the last decade that has gone out the window. No serious effort has been made to bring the lay person in on the debate over their privacy rights. The industry has taken advantage of public ignorance to continually change the rules in whatever way was needed to exploit the latest opportunity.

And now we are starting to see the fallout from that. The public is willing to slow innovation to ensure that it does not happen at the expense of privacy. Sometimes they may be more strict than necessary, but they will be erring on the right side.


And I agreed I feel a sense of entitlement about it.

"The public is willing to slow innovation"

I really don't think 'the public' has any more say in this than they did about how cookies work. They're as clueless about how politics and laws work as they are about technical matters.


> I really don't think 'the public' has any more say in this than they did about how cookies work. They're as clueless about how politics and laws work as they are about technical matters.

And web developers have every incentive to keep it that way.


See my other comment about how browser UI is bad and hides this stuff. Making more user-friendly UIs would keep this in the realm of the technical and the free market, and out of the hands of lawmakers, and I'd be fine with that.


As idiotic and frustrating as this is, I find it amusing to note this includes direct.gov.uk.

edit: the ICO's website now has a horrific warning at the top of it, which it didn't yesterday.

edit2: the ICO's website has Google Analytics and an ASP.NET session ID, yet their warning states "One of the cookies we use is essential for parts of the site to operate and has already been set." This would lead me to think that a cookie for a session key is "essential" and therefore admissible? ...


Need troops, people. Anyone against this new cookie law, please join this page. Need to spread the word.

http://www.facebook.com/pages/This-EU-cookie-takes-the-biscu...


Have you set up a petition? - http://petitions.number10.gov.uk/


This should be an entrepreneurial opportunity for someone.


This has got me a bit confused, and the absurdity of trying to put a blanket policy on something as global as the net, and on something as not-geo-specific as domains and sites, confounds me.

they should start by banning foreign hosting of uk ccTLDs...


Rejoice while you still have time, people, 'cause the internet as we know it today will be no more. With so many attempts to alter the internet's status quo, it's hard to believe none of them will go through. I don't want to sound pessimistic, but I believe it is the truth whether we like it or not. Things are about to change, for the worse imo, and most people are quite indifferent.


Indeed, it is time to write off the Web. I didn't like the Web anyway; I was happy back in 1991, with email, usenet, FTP, Archie, Gopher and Veronica. That was all we needed. The early Web looked interesting at first, but after a few years it became quickly overwhelmed by commercialism. The past years have even been worse, with the big-brotheresque webtracking of individuals and the erosion of online privacy. I wonder what will appear when the Web finally has become unusable.

