
> we won't have google analytics, or any of the major analytics packages.

Web-log analytics packages have been around since the beginning of the Web.

> we therefore wouldn't know about things like screen resolutions, etc.

You don't need cookies to record browser capabilities. A smidgen of JavaScript and an endpoint of some sort, and you are there.

> so we'd have to design to the lowest common denominator possible, because we wouldn't know that only 1% of visitors have 800x600 screens now.

This is a hysterical overreaction. Or think about concepts like Media Queries and Responsive Design. (You can haterz the name, but the principle is useful and appropriate).

> we also wouldnt be able to track conversion goals,

Don't your conversion goals have completion pages? Are you not able to add meta information to your links that record this information? Third party tools mostly require JavaScript anyway, so there's nothing impossible there.

> and what do we do about frameworks that automatically set a session cookie?

Don't store information in the corresponding server-side session that isn't essential to providing a service.

> think you'll find that most corporate special interests try to minimize the number of cookies set anyway

My anecdotal evidence differs from yours. I find the use of random third party analytics and ad tracking tools, plus on-page cookies, means they set loads of cookies. Winnowing that down to a small number, like one per type/duration, would help. Corporate interests in the UK don't care about saving bytes.
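The cookieless capability reporting this post describes ("a smidgen of JavaScript and an endpoint"), as an added example that is not part of the thread. The `/capabilities` endpoint and the width buckets are assumptions; widths are bucketed so the report answers the design question (the 800x600 share) without becoming a per-visitor fingerprint, and nothing is stored on the client.

```javascript
// Added example: report coarse browser capabilities to a first-party
// endpoint without setting a cookie or touching any client storage.
// `win` is a window-like object so the logic also runs outside a browser.

// Bucket a pixel width so the report carries a layout decision
// ("does the design fit?") rather than an identifying exact value.
function bucketWidth(px) {
  const edges = [480, 800, 1024, 1280, 1600, 1920]; // assumed breakpoints
  for (const e of edges) if (px <= e) return `<=${e}`;
  return '>1920';
}

// Only the handful of facts a designer needs; no plugin lists, no fonts,
// none of the high-entropy fields that make a browser uniquely identifiable.
function buildCapabilityReport(win) {
  return {
    screen: bucketWidth(win.screen.width),
    viewport: bucketWidth(win.innerWidth),
    touch: 'ontouchstart' in win ? 1 : 0,
    js: 1, // the report only arrives from JS-enabled visitors by construction
  };
}

function encodeReport(report) {
  return Object.entries(report)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Sent once per page load. The receiving endpoint (assumed: /capabilities)
// must answer without Set-Cookie and aggregate counts rather than rows per
// visitor, otherwise the cookie is gone but the tracking is not.
function sendReport(win, endpoint) {
  const body = encodeReport(buildCapabilityReport(win));
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    return win.navigator.sendBeacon(endpoint, body);
  }
  // Fallback for old browsers: a 1x1 image request; the server logs the query.
  const img = new win.Image();
  img.src = `${endpoint}?${body}`;
  return true;
}

if (typeof window !== 'undefined') sendReport(window, '/capabilities');
```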




Check out this, from the EFF:

http://www.eff.org/deeplinks/2010/01/help-eff-research-web-b...

It's possible to identify a user based on only browser characteristics with a pretty high success rate. While in the white paper they mainly talk about using it to re-set cookies, there's no reason a site couldn't collect all of this information and sell it to 3rd-party advertisers. At that point they've gotten mostly the same results, and completely circumvented the law.

Writing laws that regulate the internet is extremely difficult.


log-based analytics packages are inaccurate. a single ip could represent 1 person, or 10, or an entire nation behind a proxy or nat.

feature detection is done in javascript, but sent only once, as long as you set... a cookie. i don't want to run and execute any more than i need to. sure it's not a big deal, but it's an example of how this affects things that benefit consumers, and not 'corporate interests'

Responsive design and media queries have gotten a lot of 'ink' lately, but I think they're overestimated. There's a sweet spot for text length, and other elements in design. Knowing whether or not you can hit them for the particular users of your site is important. (There are other issues, but they're outside the scope of this argument)

I'm unaware of any quality packages that would let you do things like tracking conversion goals without cookies, session or otherwise.

and on session cookies. how do we decide what's essential? is a csrf token essential? does this allow me to set the session cookie on first visit? do i need to dump my csrf protection for non-logged-in visitors?

Honestly, I fight tooth and nail to keep designers from specifying 3rd party packages that require cookies at all. right now, my employer's website sets 4 total, 3 for google analytics (used to be urchin) and 1 for vary-on headers for caching. would the cookie we use for caching be illegal? it's not essential to the visitor, but with all the bots hitting our page that would never respond to prompts, we'd have to dynamically serve pages with each load. (yes we do need a better caching plugin for wordpress...)

that all said. my previous post was a response to how this only hurts corporate interests, and that in reality it does affect society at large negatively.


> log-based analytics packages are inaccurate. a single ip could represent 1 person, or 10, or an entire nation behind a proxy or nat.

Cookie-based, javascript-based and/or image-based tracking mechanisms are also inaccurate, in different ways. You just pick the inaccuracy you're prepared to live with.

> feature detection is done in javascript, but sent only once, as long as you set... a cookie. i don't want to run and execute any more than i need to.

So you agree it's a valid alternative. Your preference that it only execute once doesn't absolve you of your responsibility for the privacy of the visitors to your website.

If indeed you believe it's in the best interests of the visitor to use a Google Analytics cookie, explain it to them and gain their informed consent.

> I'm unaware of any quality packages that would let you do things like tracking conversion goals without cookies, session or otherwise.

Well, you have time to research it. Perhaps there's a nice opportunity there for it. Some of it will be about brushing off and updating techniques in use before cookies became widespread and reliable.

> and on session cookies. how do we decide what's essential? is a csrf token essential? does this allow me to set the session cookie on first visit?

I am not a lawyer, you need to consult one if the answer to this isn't clear to you.

Ask yourself what the purpose of a CSRF token is. Ask yourself whether it is in the visitor's interests to have this present. If you explained its purpose to the visitor, and the potential side-effects of both having and not having this cookie set, would you feel like you needed a shower immediately after?

My opinion is that a CSRF token is fine when it's only used for the purpose it is intended. If you are unsure, you should consult a lawyer.

> would the cookie we use for caching be illegal?

Is caching a core part of the purpose/service/offering that you offer to customers? If not, but you feel it is necessary for a better quality of service from you, then figure out a way to explain it to your site visitors, and let them make a decision on whether they want to benefit from its advantage. If they don't want it, then fine, they get a slightly slower experience.

> that all said. my previous post was a response to how this only hurts corporate interests,

Human beings and their privacy should come before artificial entities and their balance sheet.

> and that in reality it does affect society at large negatively.

I disagree. I think protecting the privacy of individuals is a positive thing. I like the idea of informed consent, particularly for things that breach my privacy without my knowledge. All you are being asked is to be upfront and seek the consent of your site visitors before sharing their information with a third party.


> Human beings and their privacy should come before artificial entities and their balance sheet

but we're not talking about things that violate privacy. We're talking about things like preventing cross site request forgeries, and having to ask permission to do it, we're talking about things like providing a faster experience, taking up less computing power, and possibly making the world a little greener, and having to ask permission of each visitor to do it.

> All you are being asked is to be upfront and seek the consent of your site visitors before sharing their information with a third party.

that's certainly not what the pdf on the ico site says. (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...)

It doesn't talk about third parties at all. This discussion isn't even about how it affects ad networks.

> Well, you have time to research it. Perhaps there's a nice opportunity there for it. Some of it will be about brushing off and updating techniques in use before cookies became widespread reliable.

there is no opportunity, the same information just simply is NOT there. You get an ip, and standard headers, and the request made. that's it. you can't query things like screen resolution, browser capabilities, what version of flash you need to target at minimum. you also lose flexibility. you need to be forwarding logs on to a central processor, or even have access to your logs in the first place, which many people do not.

Imagine some schmuck who adds a plugin to wordpress who gets fined, even though he doesn't know what a cookie is, because the plugin stores its state in a cookie (think tabs and what not). these aren't strictly necessary to the operation of the site, so it's a fine for him.

Which brings me to another question: how the hell can they even enforce this? you can't really automate it. there will be too much variation in consent popups and in page elements, and who even knows what solutions. Someone would have to go site by site in the uk and check. and then, how would you know what sites ARE subject to this? UK sites aren't just limited to .co.uk. the company i work for has .com as their tld. Does every uk admin need to register the sites they run?

This all seems a lot to ask just to block people from running google analytics. After all, do you think any ad networks that actually set cookies and track people are going to be in the EU at all? they're not really subject to these laws.


> that's certainly not what the pdf on the ico site says. (http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...)

That document has this:

"The new rule is intended to add to the level of protection afforded to the privacy of internet users. It follows therefore that the more intrusive your use of cookies is, the more priority you will need to give to considering changing how you use it."

> It doesn't talk about third parties at all. This discussion isn't even about how it affects ad networks.

The document you reference also contains this:

"However, some uses of cookies can involve creating detailed profiles of an individual’s browsing activity. If you are doing this, or allowing it to happen, on your website or across a range of sites, it is clear that you are doing something that could be quite intrusive – the more privacy intrusive your activity, the more priority you will need to give to getting meaningful consent."

it even goes on to offer:

"It might be useful to think of this in terms of a sliding scale, with privacy neutral cookies at one end of the scale and more intrusive uses of the technology at the other. You can then focus your efforts on achieving compliance appropriately providing more information and offering more detailed choices at the intrusive end of the scale."



