Visit any website and there's a good chance that it will send a cookie to your computer. But unless that cookie is essential, its delivery could become illegal under a strange new plan that has, very quietly, won EU support. Cookies are small text files that websites send to visitors' computers. Websites struggle to recognise …
Instead of whining
Mind you I don't know why you are concerned, given the level of regulatory capture which currently exists in the UK and the historical evidence illustrating a complete lack of enforcement by the relevant bodies; it is highly unlikely any such changes or interpretations of EU Directives will impact the technology industry in the UK, which is rapidly becoming a safe haven for unethical business practices. And let's face it, many of the organisations responsible for such disgusting behaviour probably have Pinsent Masons (yes Out-Law.com) on retainer.
Anyone who can't see an obvious conflict of interests with this article would have to be incredibly short sighted.
You dont need cookies to track usage
google analytics might - but thats barred from most of our sites anyway so wont do you any good anyway.
Sounds Fine to Me
The Law isn't there to provide business opportunities; as a user I'd be very happy if this was introduced and enforced and it's tough titty on you if your website is designed around slapping loads of tracking information onto my computer.
So that is what the ....
... google-analytics item is that always appears on my NoScript list (and which I never permit) !!
Now I know they are not something that I want!
Great what you pick up from the Register!
It's your computer. If you don't want cookies turn the bloody things off in preferences!
How would this apply to Phorm ? This directive mentions websites, and having to get consent from the user to drop cookies in their browser. With Phorm being a grubby quasi-legal man in the middle attack monitoring automaton and not a web site, would this apply ?
WTF is an an "essencial" cookie? One that gives off a faint aroma when lightly toasted? "Mmm... the great smell of cached data!".
Mine's the one with the dictionary in the pocket.
Conflict of interests or not, the article raises an important point which your ad hominem ignores - we need to know what the law *means* so we can comply with it, whether we're predatory ad trackers or nice family-run toy businesses. Having a vague probable ban on all cookies isn't really going to help anyone. Let's have explicit laws against ad trackers, if that's the intent.
This reminds me a bit of IR35, where a major stated problem is that it's impossible to tell in advance whether or not you're in compliance.
Cookies not required...
The vast majority of cookies are not required, especially those that come from Google Analytics and similar services. My default cookie permissions are set to refuse all except for sites I specifically allow. The vast majority of sites work perfectly like this and the only time I have problems is with sites that I need to login to and haven't visited before, enabling cookies for those sites is easy.
My usage information is private and I don't want you to spoon feed it to Google. If that causes you some inconvenience in collecting statistics for your own use tough.
So what do the Germans say?
Do they have anything similar? They often act as nice canaries because once such dubious laws are enacted, busybody lawyers set up non-profit organizations and send off letters to providers warning them that they are breaking the law and demand 5'000 EUR for the act of letter-writing.
Anyway, cookie panic is as 90's as John Travolta.
Yes this is awful, non-enforceable etc... However this is academic. We can now with a large number of modern browsers, FF, Safari, IE8 circumvent cookies anyway.
Cookies make you fat and lazy
... the solution is for browser suppliers to change the default setting for cookie handling to "ask" rather than "accept". This way the great unwashed who think their monitor is their computer will be "protected" from those nasty cookies and will be asked their permission before a cookie is set.
Meets the law, regardless of how daft, protects site owners and gives even the least technically gifted the choice of whether they allow a site to set a cookie.
Or is that too simplistic?
"google-analytics item is that always appears on my NoScript list"
Mark google-analytics as untrusted, then it won't show up in the list.
Aside from google analytics, the google tracking cookie that you get for using their search matches you to a number in the big google machine. This is recorded against any searches and potentially (we don't know cos google wont day) any sites you visit that use google analytics.
If you don't kill all your cookies after each session then google gets to know just about everything about you, bar your name.
Not a bad law, per se. Cookies had a small purpose which has been expanded by migrating cookies from domain to domain. Sorry el Reg, but it is not defacto that cookies are good.
@ Eddie Edwards
There is no proposal to have a ban on cookies, maybe you should re-read the article?
@ Eddie Edwards
Furthermore, when was the last time a large company wanted to know what a law means so they could comply with it? In the real world, companies only want to know what the laws mean so they can find loopholes which allow them to circumvent compliance.
In principle the arguments regarding cookies in the Directive are very good, they give weight to consumer choice over commercial interests, that is a very positive step. Defining what is essential and what is not would be useful but it certainly doesn't warrant a knee jerk reaction against the spirit of the directive.
I should have typed all these in 1 comment but never mind.
Your reference to IR35 in the last part of your comment is incoherent. Quite obviously it is very easy to determine whether or not you are compliant on the cookie issue, simply don't set any cookies until the user indicates consent, problem solved.
I suspect that definitions of essential cookies will be either included in notes for the directive or will be left to member states to define within their own legislation.
The answer from my side of the fence (pro privacy) is that essential cookies might include login and site preference cookies (including compliance with the Disability Discrimination Act). Whereas advertising/marketing, 3rd party and tracking cookies are not essential.
Do I think people should be asked permission before Google Analytics, Audience Science, Shopping Cart deletion (as per examples in the article) are permitted? Yes of course I do.
@AC: Phorm aphected unphavourably
As anonymous coward (18 May, 10:50) implied, this will almost certainly affect Phorm. Phorm's webwise system does an elaborate redirection dance which ends up with a webwise cookie being placed on your system, but looking as if it has come from the site you actually wanted to visit. This is already of questionable morality, if not legality, as Reg readers will probably already know. If this is classed as a non-essential cookie, it certainly has the opportunity to cause a lot of confusion as to who the cookie "really" belongs to. The target site? Phorm? The ISP? The user? Whatever the outcome, it's likely to be another ball-bearing rolling around under the feet of the Phorm legal dept.
It would be good if firefox implemented 'chuck all cookies' at the end of session as the default setting, and possibly allowed us to keep a few select ones as 'permenant'.
This is one of the first things I do when setting up a new ff installation, along with adblock and orbit classic, the theme of those with taste.
I'm perfectly happy with some cookie stuff - it can be of use to me too you know.
But like I say - its my computer - ask me first!
This could get interesting, with some of the Phorm statements that to avoid them logging all your stuff you'd need one of their cookies. Hopefully they'll have to find a more sensible way to control their opt-in, given that I don't give them permission to modify my computer (storing a cookie is a modification).
@ Alexander Hanff
Why on Earth would you want to implement this legislation when every browser already has the functionality to implement this client-side?
Set cookies to "Ask" - even force browser companies to make this the default if you really really really want to annoy people - job done, without every website operator in Europe having to spend time on this ridiculous task.
However, a reasonable exception ought to be made for those cookies which do not threaten privacy, for example, because they only persist during a single session at a web site.
Because browsers are not limited to an EU market, in fact most of them are developed outside of the EU. A browser company is unlikely to want to be forced into something by foreign laws.
Plus it leaves a lot of holes in the net for rogue companies to manipulate. If people get annoyed with clicking an option in their browser to allow cookies by default, it will apply for -all- cookies even though it is unlikely that people will be happy to have all cookies allowed. The legislation needs to impact the source of the problem, which is the web sites themselves instead of passing responsibilities off to 3rd parties which are certainly not the responsible parties.
Privacy is a right not a convenience (or inconvenience depending on your view) so if companies have to throw a couple of hours work at becoming privacy compliant that is their problem to resolve not the browsers.
Oh, wake up people. Phorm's cookie would most assuredly be classified as "essential".
Re: Alexander Hanff
But websites are as global as browsers - either the browser makers would need to geolocate and sens people different versions, or every website on the planet will have to do that with every hit they get...
If people get annoyed by the allow-cookies option (and they would), they'd get equally annoyed by the requests popping up from websites. With the crucial difference they wouldn't be able to turn these off by saying they want to accept them all...
As I see it this scheme is basically trying to force website operators to create an inferior duplicate of functionality that is already available client side, and which could be forced as a default option if it is really considered important (which IMO it isn't).
A cookie is needed to track "shopping cart abandonment"?
Wouldn't that data be available in the server-side copy of the shopping cart that never gets completed?
Surely, no-one in their right mind would design an essential metrics collection based on the exsistence of a cookie? The user can flush these things on a whim. How then is such data useful?
Sorry, you had me right up until you started whining about not being able to farm your cookies out to a third party, at which point the ol' sympathy bladder drained abruptly.
No it isn't, it is trying to force companies to behave ethically and respect the rights of individuals. Another reason why this is not suitable to try and enforce on browsers is because a browser cannot possibly tell people what the cookies for each site are for so how is a customer supposed to give or deny informed consent on a per site basis?
It makes far more sense for web sites to filter based on geofilters (given they are making money out of the data) than it does to try and force browsers to do it (which make no direct revenue out of the data, they merely give people the means to access web sites).
This is -not- a browser issue, it is a commercial behaviour issue which needs to be addressed at the core level as I stated before. And what about LSO's (flash cookies) are they supposed to be controlled by the browser too?
The Google Analytics example wasn't that good.
Your server logs have all the information that Google Analytics provides you, and are available without resorting to third-party websites setting cookies.
Actually, the cookie policies in most browsers are extremely deficient. I rely on 3rd party plugins to manage cookies in Firefox, and built-in cookie management in Firefox, Safari, Opera, IEx and others is extraordinarily basic and limited.
That said, this law looks like it was written by someone who overheard someone explain a cookie to someone else, but missed half the conversation.
@OUT-LAW.COM - why do you think Google lets you use the service for free?
Answer: because they hope to monetise the personal data they collect by offering the service.
The consensus is Europe that an IP address is personal data because it can be used to identify an individual person. As such an individual's express consent is required before it is passed to a third party.
You can get great stats from log files but no market research should depend upon visitor tracking entirely.
Users can stop cookies
It is their browsers that send them.
And most browsers have the ability to stop that.
What is going on, do we have just dunces trying to make law that pertains IT.
So many villages, so many missing.
HTTP is stateless, you cannot maintain state without sending a token of some sort, the cookie is the best form to send that token in. Other ways have far more security implications.
Not just cookies
I don't like being tracked without permission. Sadly, the trackers seem to feel thay have a right to track me and have moved on from relying on normal (or 3rd party) cookies.
Have you checked your Flash cookies lately? Do YOU know what your browser's showing the world via GlobalStotage()?
It's turing into a bit of an arms race. Firefox users can regain some control with a combination of the NoScript, RequestPolicy and BetterPrivacy add-ons. But what about IE, Chrome and other browsers? There's no easy way to defend against this cr@p. Publishers certainly aren't interested in asking permission.
I'm no fan of legislation, but has anyone got a better idea?
If this does become law..
If this does become law, and I'm not saying it's a good idea, then wouldn't it be possible to sign up for cookies once and allow all non-invasive cookies to download every time you visit the site.
This would mean that when a user clears his cookie stash he'd have to re-agree, but that is usually a weekly or monthly affair for most people that even know they can delete cookies.
It's the same deal as the cookies themselves. Each time I visit a site I either have to enter my username and password or I "agree" to be cookie-er-ised and get an auto logon. That happens right now with sites like The Register.
What seems to be the issue here is lack of education rather than cookies are evil.
Some are, some aren't. It's sort of like saying all software is evil because some is spyware. But we don't need ridiculous laws banning sites from offering software downloads.
So if it must become law, aside from the huge irritation it's going to cause 99% of internet users, there has to be a way of accommodating it without having to agree to every single cookie, every single time you try to fill out a comment (like this one) or go to a forum.
And yes, certain cookies should be banned, but the vast majority are harmless. Just ask your anti-spyware application, no not the crap ones that think they're being clever by clearing out your cookie trash and claiming to have rid your computer of 10422 pieces of malware, the real anti-spyware apps that say cookies are a very low priority, but they can clean them out if you really want.
"When someone visits OUT-LAW.COM for the first time, our site endeavours to send that visitor's computer a cookie. We do this with some help from Google, which offers a free service called Google Analytics."
Get a grip. Collect your own data and do your own analyses, it's not that hard.
Also, I wonder whether it's possible to link Google analytics cookies to the different sites that produce them. Or if Google can do it - a quick skim suggests they can - and you can't be sure what they are actually doing with the data.
The proposed law doesn't go far enough, but well done EU so far!
Why are people so paranoid about large companies knowing what they like? Google, etc, aren't sitting there judging you... They aren't even sitting there judging the anonymous ID they've assigned you. They've got millions of people doing the same thing, so why would they care?
There was a big scramble in the last few months of this package. Pro-phorm UK policy makers were weakening the 'choose to refuse'. There was also a page and half from Ofcom suggesting Internet could be treated like a Cable TV network leading to net discrimination clauses - the wiki amendments and AT&T amendments. There was also the 'three strikes' clauses being pushed by UK and French civil servants.
Parliament did catch the three strikes and pushed the package to conciliation. In the UK the Lib Dems Sara Ludford and Caroline Lucas of the Greens were active, as were UKIP and the Scottish Nationalists. As late as last week iptegrity.com was reporting on meetings to squeeze the legislation through. Tory MEP Malcom Harbour (the rapporteur - the proposer) keeps re-assuring fellow MEPs he is acting in the customer interest, but putting a Tory on a Customer Protection committee is a bit like Alastair Campbell being in charge of a Truth commission, it's just not in their genes, they do not get it. Mr Harbour is Mr Cameron top internet expert, be worried!
Amidst the arguing, Internet access was declared a right and thus much of the net discrimination clauses were weakened, but they were adopted. It remains to be seen whether the conciliation process opens up the nasties in the adopted clauses or whether they remain. The lack of scrutiny and accountability is awful as the conciliation process happens behind closed doors.
What is clear is that tens of thousands made their voice heard and those in the smaller parties listened, so I will voting for them on June 4th.
A lot of us just don't want some marketing company tracking of movements and trying to sell us crap.
What you say is all well and good now, but there is a large potential for abuse, and that is what most people would be concerned with. Last night I clicked a link on a blog and ended up reading some other blog that was very right-wing and kind of scary. I do not like the idea that such information is recorded, and might be able to be used against me. What if I'm accused of a crime and the police demand my records from google? they might put up a fight NOW, but you only have to look at how things were 10 years ago to see how quickly things change. Such a thing could become common procedure.
But really, the bottom line is people enjoy their privacy, and this is a matter of privacy.