Advertising trade bodies have claimed that a new law passed this week by the European Parliament will not require website publishers to ask permission to put cookies on a user's computer. They argue that browser settings will imply consent. The European Parliament today voted to approve the European Commission's Telecoms Package …
IAB, who want to push advertising, interpret the new law meaning that nothing needs to change.
Well here's another interpretation. I think that, by visiting the Register, a cookie tracking my login details and, say, new preferences is essential the service being offered.
I do not feel that a third party tracking cookie is essential.
So, nothing needs to change in the provision between the 1st and 2nd party, but bolt ons that are not obvious or explicitly associated with the site I'm visiting (advertising and tracking cookies, for example) need my permission.
What's more, I'm pretty sure that my interpretation is closer to that intended than the IAB's.
That said, the problem these days..
..isn't normal browser cookies. Those can be managed quite effectively by letting your browser delete private data on exit- which is less of an inconvenience than you'd imagine.
The problem has now moved- people use flash cookies to track you, in some cases. A lot of people don't realise that flash allows a small amount of persistent local storage by default in many cases. The interface is relatively obscure, closed and crummy, and many folks don't realise that it even exists.
Thus, any sort of fuss about browser cookies is actually useful to the sneaky malfeasants. As long as people don't get cross about the actual tracking mechanisms, the likelihood of decent management tools emerging is somewhat reduced.
Aluminium hats on, everyone!
They are wrong.
"has given his or her consent, having been provided with clear and comprehensive information"
A login cookie is a prime example of a requested service, though a brief text when the box is ticked to "remember login" isn't going to hurt anyone and be simple to do.
I have no idea what information literally any cookie on my computer holds though or what and who it tracks or relates too, so there sure as hell is not "clear and comprehensive information" available already, so they better had pull their socks up.
Hear Ye!, Hear Ye!
Buy this post I announce to the world that killing me is forbidden, Likewise, you shall commit no other crime of any kind against me, my family and to all those I choose to offer such protection.
There, that's covered and I may now live in total harmony with all creatures and suffer no harm, or attempted harm, from any person or corporate entity ever again.
Too bad not harming people isn't simply some sort of moral "law". Or given the context here, why isn't not harming the default position. Hmmmm ... I sort of always thought it was. Oh well, I guess I was wrong but no matter, I'm protected now.
Really I am, I mean y'all going to do as I say right? Good, I thought so.
You want me to host your crud on my PC?
Then you ASK.
Your site may change. If you don't ask each time I won't know.
How many times does it need saying?
I have to say although I am not surprised the IAB are trying to spin these ammendments to 5(3) into something they are not; I am surprised that they have to be told by the Commission so many times that they are wrong.
I have heard Commissioner Reding state explicitly over and over again for the past month that these new rules require "prior informed consent". The Commission is quite clear on this and we have a guarantee from the Commission (via multiple public speeches made by Commissioner Reding) that they will not shy away from taking infringement action against Member States who fail to enforce EU Law (such as the current action against the UK for allowing BT and Phorm to intercept consumer's Internet communications).
Of course the advertising industry has been impotent for decades which is why they rely so heavily on Opt-Out models; so it is understandable that they might be a bit worried since they don't even have any confidence in their own business models to attract people to Opt-In.
What else is there to say other than don't trust the industry or the media to give unbiased coverage on this issue as they all share the same bed. The new rules are a victory for consumer privacy and this scares a lot of people with vast bank balances built from the collection and selling of our personal data.
And don't worry IAB, I am not going anywhere - see you in the ring.
I have devised a solution for the IAB's Cookie Woes free of charge - http://tinyurl.com/ygoactw
Cookies blocked by default
That would make it opt-in. Advertisers HATE opt-in. Who is going to say "yes, more ads please".
They want it to be opt-out, and they want to hide the opt-out option.
... they just don't work. When a site needs a cookie for log in reasons, no browser can differentiate between that cookie and the first party cookies set by Google-analytics or any other tracking or advertising provider. So much tracking is now done through subdomains, using domain cookies that asking for permission before setting such cookies can be the only way to interpret the new requirements.
I can see a few people being happy with the first kind of cookie. The second kind is what saw the birth of a whole industry to keep our computer systems free from adware tracking cookies and I will be most upset once this legislation is in place if some tracker tries to get around me by having permission for one type of cookie and then stealing onto my computer with another kind.
I do hope the UK regulators are aware of sneak-ware, including all the non-cookie tracking methods over which no browser has any control.
Delete all cookies when the browser closes
... and run firefox with noscript.
Boot ==> Other foot
If these marketing snakes' self-serving interpretation is correct and the law really does state that browser settings explicity imply user consent, then we need further legislation to make sure all browsers default to, as an absolute minimum, no 3rd party cookies. See how much the oily little satan-fellating gobshites like it then.
Bottom line: who in their right mind, if ever explicitly asked: "Do you want to allow ad.mc-adserve.marketing.com to track your online movements? Yes/No" is ever going to hit Yes?
Christ, even those of us who know how to control cookies can't be arsed to do it right most of the time. How much chance does Granny Miggins have of knowing she's supposedly consented to these scum-sucking bottom feeders tracking her online movements?
Paris because fellatio.
Look at the provisions outlined here, which were conveniently ignored!
Spam and cookies law in force today in UK
OUT-LAW News, 11/12/2003
Require businesses to gain prior consent before sending unsolicited advertising e-mail to individuals, except where there is an existing customer relationship;
Proof by contradiction?
1) Suppose that the correct interpretation is that browser settings imply consent.
2) Now suppose I set my browser to reject the cookies I don't want to give consent to.
3) The web site cannot now set those cookies. Therefore the law says, in effect:
"It is illegal for you to set cookies if, and only if, it is impossible for you to set them"
4) Therefore the law is completely unnecessary if interpretation (1) is correct.
5) Therefore interpretation (1) was not the interpretation intended by the law makers.
Bush Monkey Spanner
This SetTopBox's browser software is fixed in ROM & allows cookies, but no cookie settings.
At what point did I permanently agree to surveillance cookies on this machine? Retrospectively - when purchased?
"It would be better for everyone if the IAB Europe's view is right," said Robertson. "It is a pragmatic way to interpret a very bad law that otherwise damages the user experience on websites."
“Is she talking about cookies that track users across websites to deliver better advertising..."
Yes, she is. Tracking users is ipso facto spying on them, and advertising is never technically necessary.
(Although it might be *commercially* required.)
Wassa cookie then?
"They argue that browser settings will imply consent"
Which assumes that peope know what cookies are, that they exist and that folks are aware they can play with browser settings other than changing appearance and adding bookmarks.
Advertisers rely on people not knowing what's going on with thier browser.
And rely on people happy to use browsers without AdBlock.
They need thier taget market as dumb as possible.
A Cookie is...
No Shit Sherlock! This is an IT site you know!
Now everyone, vote this comment down so that everyone will read it! HAHAHA
And what about non-EU advertising companies. Will this ruling affect them?
The advertisers should be forced to use .ads domain so we can block them out in one go.
It is quite clear!
Unlike the IAB the wording seems quite clear to me.
The change from
is only allowed on condition that the subscriber or user concerned has given his/her prior consent, which may be given by way of using the appropriate settings of a browser or another application, after having been provided with clear and comprehensive information
... is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ...
The replacement of 'prior' and 'after' with 'having' doesn't change the meaning. My Oxford English Dictionary gives a definition of 'having' as 1. A possession 2. The action or condition of having possession.
It's clear that a user must be in possession of 'clear and comprehensive information' before their consent can be given.
The relegation of using browser settings for giving consent also makes clear that the consent must come first and changing the browser settings is simply one method by which you give that consent.
Lastly it is clear that implied consent for storage/access of information on a user's PC is only allowed if it is strictly necessary to carry out an explicit request by the user. So unless I go to a website and explicitly request to be tracked or advertised at, I can't see any reason why there should be tracking/advertising cookies on my PC.
It'll just be added to the ToS that you agree to have 3rd party cookies set up when you register for the website (though what to do with sites where you don't register?).
What about sites outside the EU but use location based adverts so show adverts from inside the EU? Tricky that.
So no longer will we have to listen to bullshit from advertiser about people who use adblock are stealing.
A quick reminder, PeerGardian, modified HOSTS file; adblock, noscript and Betterprivacy for Firefox; SuperAntiSpyware etc. etc.
It's my computer, the battlefield belongs to me....
Did I read that right ?
You know this bit...
ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses)
So someone thinks that malware authors are going to tell me about a cookie because the law says the must ? ehh?
How can you consent...
... when you don't even know a cookie is being stored?
I have Firefox's cookie settings to "ask me every time" and I've found that even if I'm only looking something up on google, often I get a message that the top site on the search is asking to store a cookie on my computer!
Why, for gods' sake? I haven't even *visited* the damn site and already it's trying to shove its cookie down my metaphorical throat.
I only ever give most cookies "Allow for Session" permissions apart from the ones from obvious tracking/ advertising servers which I deny, I also use the Better Privacy add-on to get rid of Flash based cookies, yet still when I run Spybot or AdAware I get warnings of tracking cookies that have slipped through the net.
Of course Advertisers are going to try to interpret these regulations in the way that's most favourable to them, what we need is TPTB telling them to stop playing silly buggers...
It seems to me that the only sensible way to do this is for the browser to default to asking about each cookie. This, however, leads to a problem: there would need to be a way of getting cookie descriptions, either via HTTP headers (which is how cookies are sent – they are NOT files, even though a certain monopolist's browser might store them as such) or via an extra HTTP request.
Otherwise, the only way that I can see (at the time of writing) that this would work is to just set the cookie(s) (subject to browser settings) and to provide a page which describes them and link to that page from any pages the accessing of which would cause the cookie(s) to be set.