
The solution is: a) stop using analytics and ads that set cookies or b) put an annoying dialog on your site.

I have to do some more research before I decide for sure where I stand on this issue, but I strongly suspect that the tech community is indulging in a little entitlement here.

As important as cookie tracking is to web developers, the vast majority of voting citizens do not believe they are deriving any value from it and do believe that it is a potential threat to their privacy. These beliefs seem reasonable to me.

It may be a financial blow to web businesses but I don't think it hurts any of the things that make the web valuable to people at large.

This is the kind of democracy that people scream for here: listening to citizens and citizens only. It kind of sucks when you are the corporate special interest being trampled on.




actually, it hurts consumers, a lot. without cookies, we won't have google analytics, or any of the major analytics packages. we therefore wouldn't know about things like screen resolutions, etc. so we'd have to design to the lowest common denominator possible, because we wouldn't know that only 1% of visitors have 800x600 screens now.

we also wouldn't be able to track conversion goals, which you seem to think is some kind of profiteering, but it's not just for ecommerce checkouts used in tutorials. for example i can use it to find out where people are hitting snags adding events to a community events calendar which i wouldn't consider a corporate special interest at all.

and what do we do about frameworks that automatically set a session cookie? they aren't just used on corporate websites.

also, i think you'll find that most corporate special interests try to minimize the number of cookies set anyway, because when you compound a few bytes of cookies saved over a million visits, it's a large savings on bandwidth bills. not so much for cheaply developed local sites for non-profits and community groups.


> we won't have google analytics, or any of the major analytics packages.

weblogs analytics packages have been around since the beginning of the Web.

> we therefore wouldn't know about things like screen resolutions, etc.

You don't need cookies to record browser capabilities. A smidgen of JavaScript and an endpoint of some sort, and you are there.

> so we'd have to design to the lowest common denominator possible, because we wouldn't know that only 1% of visitors have 800x600 screens now.

This is a hysterical overreaction. Or think about concepts like Media Queries, and Responsive Design. (You can haterz the name, but the principle is useful and appropriate).

> we also wouldn't be able to track conversion goals,

Don't your conversion goals have completion pages? Are you not able to add meta information to your links that record this information? Third party tools mostly require JavaScript anyway, so there's nothing impossible there.

> and what do we do about frameworks that automatically set a session cookie?

Don't store information in the corresponding server-side session that isn't essential to providing a service.

> think you'll find that most corporate special interests try to minimize the number of cookies set anyway

My anecdotal evidence differs from yours. I find the use of random third party analytics and ad tracking tools, plus on page cookies mean they set loads of cookies. Winnowing that down to a small number, like one per type/duration would help. Corporate interests in the UK don't care about saving bytes.


Check out this, from the EFF:

http://www.eff.org/deeplinks/2010/01/help-eff-research-web-b...

It's possible to identify a user based on only browser characteristics with a pretty high success rate. While in the white paper they mainly talk about using it to re-set cookies, there's no reason a site couldn't collect all of this information and sell it to 3rd-party advertisers. At that point they've gotten mostly the same results, and completely circumvented the law.

Writing laws that regulate the internet is extremely difficult.


logs based analytics packages are inaccurate. a single ip could represent 1 person, or 10, or an entire nation behind a proxy or nat.

feature detection is done in javascript, but sent only once, as long as you set... a cookie. i don't want to run and execute any more than i need to. sure it's not a big deal, but it's an example about how this affects things that benefit consumers, and no 'corporate interest'

Responsive design and media queries have gotten a lot of 'ink' lately, but I think they're overestimated. There's a sweet spot for text length, and other elements in design. Knowing whether or not you can hit them for the particular users of your site is important. (There are other issues, but they're outside the scope of this argument)

I'm unaware of any quality packages that would let you do things like tracking conversion goals without cookies, session or otherwise.

and on sessions cookies. how do we decide what's essential? is a csrf token essential? does this allow me to set the session cookie on first visit? do i need to dump my csrf protection for no logged in visitors?

Honestly, I fight tooth and nail to keep designers from specifying 3rd party packages that require cookies at all. right now, my employer's website sets 4 total, 3 for google analytics (used to be urchin) and 1 for vary-on headers for caching. would the cookie we use for caching be illegal? it's not essential to the visitor, but with all the bots hitting our page that would never respond to prompts, we'd have to dynamically serve pages with each load. (yes we do need a better caching plugin for wordpress...)

that all said. my previous post was a response to how this only hurts corporate interests, and that in reality it does affect society at large negatively.


> logs based analytics packages are inaccurate. a single ip could represent 1 person, or 10, or an entire nation behind a proxy or nat.

Cookie-based, javascript-based and/or image-based tracking mechanisms are also inaccurate, in different ways. You just pick the inaccuracy you're prepared to live with.

> feature detection is done in javascript, but sent only once, as long as you set... a cookie. i don't want to run and execute any more than i need to.

So you agree it's a valid alternative. Your preference that it only execute once doesn't absolve your responsibility for the privacy of your visitors to your website.

If indeed you believe it's in the best interests of the visitor to use a Google Analytics cookie, explain it to them and gain their informed consent.

> I'm unaware of any quality packages that would let you do things like tracking conversion goals without cookies, session or otherwise.

Well, you have time to research it. Perhaps there's a nice opportunity there for it. Some of it will be about brushing off and updating techniques in use before cookies became widespread reliable.

> and on sessions cookies. how do we decide what's essential? is a csrf token essential? does this allow me to set the session cookie on first visit?

I am not a lawyer, you need to consult one if the answer to this isn't clear to you.

Ask yourself what is the purpose of a CSRF token. Ask yourself is this in the visitor's interests to have this present. If you explained its purpose to the visitor, and the potential side-effects of both having and not-having this cookie set, would you feel like you needed a shower immediately after?

My opinion is that a CSRF token is fine when it's only used for the purpose it is intended. If you are unsure, you should consult a lawyer.

> would the cookie we use for caching be illegal?

Is caching a core part of the purpose/service/offering that you offer to customers? If not, but you feel it is necessary for a better quality of service from you, then figure out a way to explain it to your site visitors, and let them make a decision on whether they want to benefit from its advantage. If they don't want it, then fine, they get a slightly slower experience.

> that all said. my previous post was a response to how this only hurts corporate interests,

Human beings and their privacy should come before artificial entities and their balance sheet.

> and that in reality it does affect society at large negatively.

I disagree. I think protecting the privacy of individuals is a positive thing. I like the idea of informed consent, particularly for things that breach my privacy without my knowledge. All you are being asked is to be upfront and seek the consent of your site visitors before sharing their information with a third party.


> Human beings and their privacy should come before artificial entities and their balance sheet

but we're not talking about things that violate privacy. We're talking about things like preventing cross site request forgeries, and having to ask permission to do it, we're talking about things like providing a faster experience, taking up less computing power, and possibly making the world a little greener, and having to ask permission of each visitor to do it.

> All you are being asked is to be upfront and seek the consent of your site visitors before sharing their information with a third party.

that's certainly not how the pdf on the ico site says. (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...)

It doesn't talk about third parties at all. This discussion isn't even about how it affects ad networks.

> Well, you have time to research it. Perhaps there's a nice opportunity there for it. Some of it will be about brushing off and updating techniques in use before cookies became widespread reliable.

there is no opportunity, the same information just simply is NOT there. You get an ip, and standard headers, and the request made. that's it. you can't query things like screen resolution, browser capabilities, what version of flash you need to target at minimum. you also lose flexibility. you need to be forwarding logs on to a central processor, or even have access to your logs in the first place, which many people do not.

Imagine some schmuck who adds a plugin to wordpress who gets fined, even though he doesn't know what a cookie is, because the plugin stores its state in a cookie (think tabs and what not). these aren't strictly necessary to the operation of the site, so it's a fine for him.

Which brings me to another question, how the hell can they even enforce this? you can't really automate it. there will be too much variation in consent popups and in page elements, and who even knows what solutions. Someone would have to go site by site in the uk and check. and then, how would you know what sites ARE subject to this? UK sites aren't just limited to .co.uk. the company i work for has .com as their tld. Does every uk admin need to register the sites they run?

This all seems a lot to ask just to block people from running google analytics. After all, do you think any ad networks that actually set cookies and track people are going to be in the EU at all? they're not really subject to these laws.


> that's certainly not how the pdf on the ico site says. (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...)

That document has this:

"The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it."

> It doesn't talk about third parties at all. This discussion isn't even about how it affects ad networks.

The document you reference also contains this:

"However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent."

it even goes on to offer:

"It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale."


If it's really essential to the primary functionality of the site, then code it as part of the primary functionality of the site and you will be following the law.

If you need to run usability experiments, you will need explicitly consenting participants.

Things will be harder to do. You will probably have to invent some clever new ways to do things that used to be trivial. And yes, users may lose out on some stuff, but they are probably willing to make the sacrifice.

As usual, it's the consumer's job to tell you what they want and it's the business's job to figure out how to give it to them. But instead of voting with their dollar, they are voting with their vote.


The google/doubleclick faction is being demonized somewhat by this. This will affect pretty much every company that has any sort of web presence beyond a static 'hello world' page.

Perhaps this will be a short term boon for freelancers to get to revisit existing sites and make them 'compliant' (a mini y2k all over again) but almost any interesting feature or functionality someone would produce is going to use tracking/cookies of some sort, both to provide value to the company and to the end user (collectively, "the public").

And yeah, I guess many of us feel 'entitled' to keep using something which we've been using as a global standard for the past 15+ years.


It may very well affect every web company and it may deprive them of something they've taken for granted for a long time. Asserting that you should continue to have something simply because you have had it for a long time is precisely what I mean by entitlement.

No "standard" was ever agreed to by the overwhelming majority of the web population who don't understand the web on a technical level.

The tech industry used to be pretty good at self-regulating user privacy, but over the last decade that has gone out the window. No serious effort has been made to bring the lay person in on the debate over their privacy rights. The industry has taken advantage of public ignorance to continually change the rules in whatever way was needed to exploit the latest opportunity.

And now we are starting to see the fallout from that. The public is willing to slow innovation to ensure that it does not happen at the expense of privacy. Sometimes they may be more strict than necessary, but they will be erring on the right side.


And I agreed I feel a sense of entitlement about it.

"The public is willing to slow innovation"

I really don't think 'the public' has any more say in this than they did about how cookies work. They're as clueless about how politics and laws work as they are about technical matters.


> I really don't think 'the public' has any more say in this than they did about how cookies work. They're as clueless about how politics and laws work as they are about technical matters.

And web developers have every incentive to keep it that way.


See my other comment about how browser UI is bad and hides this stuff. making more user friendly UIs would keep this in the realm of the technical and free market, and out of the hands of lawmakers, and I'd be fine with that.



