... with the fact that a government agency has actually attempted to compile a proper PDF, it has bookmarks and imbedded bookmark links.
That was the only thing that has impressed me about this so far though.
The government has let businesses down by refusing to clarify a law on cookies that has privacy regulators and advertisers at loggerheads, leaving publishers languishing in the middle, unsure whether their advertising is lawful or not. This week the government had the chance, when transposing EU law into UK law, to find a way …
... with the fact that a government agency has actually attempted to compile a proper PDF, it has bookmarks and imbedded bookmark links.
That was the only thing that has impressed me about this so far though.
"most browsers accept cookies by default. "
I'm pretty sure the default on any recent browser has been to accept only FIRST party cookies by default. Third party cookies can and SHOULD be blocked by default and if that's not the current default for a browser then why not change the law to *make* it the default.
If that in turn breaks many sites, then that's probably a good thing. With a few possible exceptions, any site which "requires" a third party cookie is doing so mainly with the specific intent of invading the person's privacy. First party cookies, however, usually act for the benefit of the user -- remembering things that would otherwise have to be repeatedly rekeyed. Or they let the webmaster get some idea of how many users are returning regulars. If kept within the confines of a single site, it is no worse than the public library staff knowing who comes in frequently.
The law should understand the difference and distinguish sensibly between them, presuming consent to first party cookies if the browser has been set to accept them but requiring third party acceptance to be off by default.
But to work, the law needs to go further and insist that except in a few very rigidly defined cases a user must be *able* to use every site with third party cookies and scripts disabled. "This site requires it" is an *excuse*, not a reason.
right up to your last paragraph, where you advocate forcing webmasters to allow access to every site without third-party cookies. This statement is why I downvoted your post.
Sorry, but - my website, my rules. I PAY for the bandwidth so people like you can read my websites. If my business model (even just the plain fucking ability to pay my bandwidth costs) relies on revenue from third-party advertising, then tough shit. If you don't like it, don't use my site. Nobody's holding a gun to your head forcing you to visit my site, so I'm perfectly within my rights to block access to content if a visitor refuses to allow third-party cookies. It IS a REASON, not an excuse, when it's the only way the website can continue to exist.
You make a brilliant point Steve
As you rightly point out, the owner of the site is paying for it and should be able to include what they want to pay the bills.
If you don't like cookies then change your browser settings to refuse them, why a law had to be made is unbelievable over-beurocracy from the EU again.
This is where your hard earned cookie ad revenue gets wasted
A fine illustration of Struan's loyalties this piece - I have never read such utter rubbish in my life.
What Struan meant to say is:
Industry don't want these changes because it obligates them to behave ethically and seek consent to track and profile.
Industry don't give a shit about how this impacts users, they only care about how it impacts their ability to cast a wide net for profiling - which is what opt out has allowed them to do for far too long.
Industry have no interest in finding a solution to the Opt In problem - they have had years to find that solution, I have even offered them the solution and they refused to engage. Rather they have concentrated on aggressive lobbying to try and devolve privacy regulation to allow them to do whatever they want without restriction. They have failed to do that and I warned them publicly almost two years ago and on multiple occassions since, that if they continued that line they would fail and be faced with a situation they are unprepared for - Opt In.
All this rubbish about browser control and the nonsense in recital 66 (which was written by industry sympathists) - browsers are NOT suitable for determining consent. Browser have zero control over flash cookies, they have very poor control over 3rd party cookies and with the news that HTML5 browser databases are now also being abused by advertisers they have zero control over those too. Furthermore, -everyone- knows (especially industry) that people rarely change default settings which is exactly why they have been fighting for Opt Out - the same is true with regards to browsers default settings.
Industry want to prey on the fact that as a general rule users are naiive and passive when it comes to online activities - they rarely take active control over how their browsing is managed and as such those browser controls are completely ineffective in managing user privacy.
Now my predictions have come true and they are in mad panic mode, lashing out with scare tactics.
Well I have one thing to say to you all - tough shit, you made your bed have the bollox to lay in it.
All your life, Alex? What a sheltered one you must have led. But you do PI a disservice by persisting in viewing this issue as black v white. It's not just about big faceless industry v the people - it's also about how small publishers (inc the Reg and Struan) can continue to provide information to the likes of you for free. If you don't start thinking about solutions that will work, you're going to lose. Inevitably.
I am not posting on here as PI, if I was I would make that clear. I am posting on here as me and I have as much right to my own opinion on these issues as everyone else.
However, I am sure if you want to ask PI for an official statement on the matter - whereas it may be a little more elegant in its wording, I am pretty sure the context will be the same which is why they took me on board in the first place.
In fact let me just quote an official PI statement on this matter to clarify:
"Privacy International believes that online behavioural targeting for online commercial advertising using the technology of Deep Packet Inspection (DPI) is a dangerous and potentially unlawful technique that is fraught with unethical practice. This industry extends across multiple models and strategies including the use of Deep Packet Inspection, Flash Cookies, Tracking Cookies and other emerging technologies.
We believe that, particularly in the long term, the threat arising from these technologies is of such gravity that commercial organisations must not be permitted to adopt Opt-Out solutions. Without care, industry will within three years adopt a default opt-out platform upon which can be built a limitless spectrum of intrusive technologies. Governments need to legislate in a way that protects the rights of the general public. From any ethical standpoint such interception of web traffic must be conditional on the basis of explicit and informed consent. "
You can read the entire press release here:
John, were industry's intent to help the little guys then I might be a little more interested in listening to them but you and I both know that is not the case - they have their own agenda and that agenda is focused on behavioural profiling and the ability to do it without oversight on as many people as they can - opt-in means that this utterly reprehensible practise is less likely to be given consent and as such is going to impact their bottom lines. The "little guys" are not the ones paying lobbyists to push for looser regulations - so I find it particularly insulting to my intelligence when all of a sudden big business doesn't get its own way that suddenly it is about the "little guys".
You know as well as I that industry have been given free reign to self regulate on these issues for decades and have completely failed to do so. Companies were making money on the web a long time before behavioural profiling or even 3rd party cookies existed and they did just fine - The Register included.
I hear this free content argument all the time and it simply doesn't wash - if you can't run a business ethically and legally irrespective of what perceived value you may think there is in your offerings, then you shouldn't be in business period - don't blame fundamental rights for a failed business model.
However much of a long term reader I am of The Register, it doesn't mean I am about to forget my work and my principles because industry are crying that they won't be able to operate unethically. If you want to use behavioural advertising make it appealing to your visitors and get their consent - if you are unable to obtain that consent in an ethical fashion, don't do it - period.
I personally don't give a damn if this means companies revenues are a little constricted at the benefit to privacy - in fact it should be clear to anyone, yourself included, that my priorities are to safeguard those fundamental rights and that I place the value of those rights a lot higher than I place the value of a company being able to abuse those rights for profit - I lobby specifically for that purpose and have never pretended to do anything else.
So I stand by my criticisms of Struan - and I won't apologise for upsetting industry in the process.
And let me just clarify one more thing - if society decides (or any individuals within that society) that they do not want to be involved in behavioural profiling without prior informed consent - who the hell are big business to tell them they are wrong? The lobbying from industry on the Telecoms Reform Package was -incredibly aggressive- and I am not guessing at this, i have it from very reliable sources within the EU Commission and the EU Parliament that this was the case - not least our own bloody government under pressure from the IAB. They failed, which indicates that the pressure from the public was sufficiently overwhelming to counter that lobbying - get over it.
"I have even offered them the solution and they refused to engage."
"If you don't start thinking about solutions that will work...."
So John.. I don't know about Alexander's solution but it seems you do so perhaps you might care to explain what it is and why it won't work then provide a better one yourself... or do we just accept that in order to have a free interwebs we have to give away information to the marketing drones so they can sell less aware people tut, overprice it when they get the opportunity and ram some extras about the shop whilst loading up the dice against them elsewhere and the rest of it.
As a 'worldly' person you pick up a VHS recorder from Comet for £5 and treat the sales person like dirt as they try to boost you with the £345 12 year extra super plus parts, service and replacement guarantee but you only got yours for £5 because some mug paid the extra. Obviously you just flash your near field equipped iWhatever about the shop and get a free IKEA on your way out of the door.
Bwah-Ha-Ha sucks to be a [l]user.
Seems like Struan has a solution...
See... all you have to do is RTFM. Well Gee Shucks.... did not realise it was as simple as that. Thanks Struan.. now I know all I need to know about how to remove the shit you placed on my computer off of it. Do I need to do it again? What? You mean I do? Err, just a mo, that was in link errr, item Gosh it's all gone hazy. Hang on... don't diss me. Ah There. All gone now. Brill Tah Thanks for.... Oh, it's all back again. Bugger. Oooops, Arse.. time to update the flash pron viewing thing as a result of security stuff. There done. Am I not L33T? Oooops bugger, that reset all my settings back to FaceBook mode. Just a mo... trog trog trog. There. Now then.. NoScript, AdBlock Plus, Beef Taco, Better Privacy and don't forget to switch off saferbrowsing.... errr plus some other stuff...
I don't know. Life would be much easier if the next door neighbours cat did not repeatedly shit in my strawberry patch....
Gosh, these chaps look like The Dudes. It's a pretty TwoTone/SKA/Mod looking affair so it's got to be good shit. ZOOOOOOOOOOOOM.
Pssssst Struan. Want to by some Clearasil?
Fuck Me! What are you getting so up tight about? I just ran your picture, demographics and desire for cookies through the BTA engine and it says you need more Zit Cream to stop possible future face eruptions. It's all been anonymised and sent off to... Anyway, so I take it you don't need Zit Cream. How about some Zit Cream. No? Car insurance? Oh, OK..... sorry about that one. Don't get too shitty about next weeks 1284 telephone calls trying to sell you it then. So, about this Zit Cream? You don't need it? BTA engine says you do. Travel insurance then. Refill for your car deodorizer. Homoeopathic Viagra.....
I just knew we would get there eventually. Thank you for checking the 'Leave me the Fuck Alone Box' as implemented under the new EU directives.
"Dear Struan. As a valued customer of Homeopathic ZitCreamIzUs we thought we would spend some time spamming your head with our special offer on spider insurance. As you will know.....
You have received this message because whilst you thought you were dead clever by checking box 15)ii]a/iv you forgot to persistently logically check/uncheck the other ones and totally missed the hidden link at the bottom of page 3) thus agreeing that we are allowed to do 'things'. Thanks for signing up.
Now then..... what about this Zit Cream or shall we discuss your pubic hair problems?
What the Fuck are you moaning about now!!! BTA engine says you have pubic hair problems. Get over yourself. It's all anonymised and e-mailed to your Google account. Sheesh.
Ah but, John, "monetization" of the Internet is a relatively new idea. We who remember the free, open, non-discriminatory interconnection of private networks and quid pro quo sharing of knowledge idea don't want it and we never have. If small publishers (or anyone else, for that matter) need to go into shady ethical areas to make money, perhaps their business models are flawed, in which case it's up to them, not us, to think about solutions that both work and do not infringe the rights of others or move aside for those that can.
However, if some people are willing to accept being tracked and profiled, why, let them opt in. What these small publishers are scared of is that nobody will, so perhaps this tells you just how popular this idea of throwing privacy to the wind really is. If that doesn't, the lengths some people go to to release themselves from all this snooping should be a massive clue.
I forget the last time, if ever, I looked at a newspaper or magazine, even a free one, and some prick popped up, took my photo, handed me a form to fill in and tattooed my arse with a unique ID while I wasn't looking. The result would probably be a very real-time smack in the mouth for whoever tried. I'm also struggling to remember a time I made a purchase on the strength of an advert that I didn't go looking for specifically based on other criteria. In fact, I usually have a harder time finding what I want to purchase *because* of the relentless advertising.
The whole thing is a sham. It's poorly thought out and people are trying to make it work against all odds using guilt trips. Sorry, but I don't feel the least bit guilty.
Sorry this to me is just an EPIC fail, why is this even needed surely it's a USERS RIGHT to decide IF he / she wants them ... I don't mind targeted ads I don't, some people do and that's what "AD blocking addons" are for..
No. As Alex says, the default should be safety and privacy. There has been ample opportunity to do this in a self-regulatory manner and it has been repeatedly missed. Even things we should be able to trust such as Firefox has added things like SafeBrowsing and GeoLocation which leaks PII like a sieve. Enough is enough. Either respect users' privacy or laws like this will be needed. It's as simple as that.
... don't visit the site.
How is visiting someone's site and them tracking how you move around their site any different to walking into a shop, and a sales assistant watching what you do?
The whole point of the changes to the Directive were to do exactly that - give the users a choice. The reason the changes occurred is because previously there was no choice, this tracking and profiling is currently carried out surrepticiously, the vast majority of people are not aware it is going on, ergo they have not had a choice, their right to choose has not existed - it has been forced onto them.
Once the Directive is transposed into UK law they will then have the opportunity to make an informed choice on whether or not they want to be tracked and served behavioural ads.
As to the comment about ad blockers; ad blockers do NOT prevent behavioural profiling and tracking, they merely prevent you from seeing the results of that profiling and tracking by blocking the ads. These companies still track all your online movements and store it in a database irrespective of whether or not you see the ads. But further to that - the vast majority of users are NOT tech savvy, they wouldn't know a plugin or addon from a primary key - this makes them vulnerable to exploitation.
This is why browser settings, adblockers etc etc etc are not the solution because they still leave the vast majority of the population vulnerable.
Next time you write a comment try to think outside your tiny little box.
The sales assistant doesn't follow you around every place you visit, poking around in even your private interactions, until you burn your store receipts. Nor does she employ someone else with lousy privacy policies to do it for her. That's the difference.
Aha, there's your problem, right there. It's not an EU law, it's a Commission directive.
The fault here is, as usual, with the fact that the British Single European Act makes the same assumption.
Directives from the Commission *are* "EU law." The commission issues directives after they've been assembled by the Council of Ministers relevant to the particular area covered by the directive. Directives are routinely issued as regulatory directives that bypass the national legislatures entirely, however they still have to issue a number of legislative directives that must then be implemented by the national legislatures as well. The point being, though, that the legislation is issued by the commission as a directive. in truth there is no "EU law". It's all directives.
Only crap web sites.
Use proper C21 technology and you won't have a problem.
Having said that - this is a bloody stupid piece of meaningless bureacracy that will do nothing for web users except add another few radio buttons to be checked.
What's up with the EU? Is there not enough real security/data protection issues for them to look into?
BB is watching you - unfortunately he's not watching the bloke from vanuatu who is nicking your credit card details
Seem to be a lot of naysayers here.
The thing is, asking consent for every cookie is pushing it - you have to remember that we're operating in a space where the majority of consumers still think the internet is 'the little e on your screen'. There was the classic Google Chrome-related footage of people on the street being asked what a browser is - needless to say most didn't know.
In this context, asking for permission for cookies every time a consumer visits a website just ain't gonna work.
You are wrongly assuming (and I blame you not because this is what industry have been trying to make people believe) that consent is going to be required everytime you visit a website. This is not the case at all.
Firstly, consent is only required for cookies that are not needed for providing the services the user has explicitly requested - this is the "technical cookies" exemption. Secondly the vast majority of adveritsing (where cookies will require consent) is managed by a very small subset of advertising companies - you need only opt in to their practices once - this is the point I have been trying to get across to industry for the past 2 years, a point they have completely ignored.
I could go into further detail but since the industry have refused at every level to take my advice, I am not about to give them the get out at this stage - they have earned my contempt and can now find their own solution unless they are prepared to pay me for my time and work. I have no obligation to provide solutions for the industry, my obligation lies in protecting privacy - I have attempted to do the former in order to try and engage industry but have been ignored - this gives me little incentive to continue banging my head against a lead wall.
Sites don't profile, so they won't lose anything by sticking with "needed for functionality" cookies. Ad networks are the ones that don't want opt-in, but even they would only need to ask for permission once, when the user first encountered an ad from that network. That "opt-in" would work for every ad on every website that was served by that ad network for the next few years until that user gets a new machine (most users never clear their cookies - they don't even know how)
So the end user won't be inundated with cookie requests. The Ad industry isn't concerned that users will be turned off by a storm of cookie requests, they're concerned that some people will say "No".
>> In this context, asking for permission for cookies every time a consumer visits a website just ain't gonna work
True. So maybe we'll get web sites that can work *WITHOUT* cookies. And all the other useless crap like Flash, Java, HTML5, etc. etc. Then the web designers who have relied on these evils will have to get a proper job. Oh happy day...
Paris icon 'cos she doesn't leave unwelcome deposits all over the place.
That, ultimately, is the point.
It seems more likely that this is going to go over like when UAC was added to Vista. Lots of developers howled that it wouldn't let them write crappy code anymore and broke a number of old programs that noone wanted to update, but ultimately the programmers started writing better code that didn't need to ask the user for admin rights all the time. In this case it'll mean that some sites will continue to spam users with requests to install cookies, but most current websites will update themselves so that they don't need to use a cookie to track you. And, of course, it'll also mean that some users will just claim that they know what they're doing and accept all cookies.
If browser settings were to be considered acceptance, doesn't that make the law entirely useless. If I've set my browser not to accept cookies, they can't set a cookie, so they can't fall foul of the law. If I've set it to accept the cookies, it's considered acceptance, so they can't fall foul of the law. Short of finding a browser vulnerability and exploiting it, how could you break this law?
So... following this logic... if the browser's default cookie settings are what sets the law. Does this mean that the Wireless law is back to front?
By default, a laptop will automatically connect to an unencrypted network... permission is implied by the network being open and the laptop automatically connecting. And yet that is "illegal"?
If you followed the debate and the various speeches after the changes were passed you would already know this. Session cookies would be classed as technical cookies required for a service the user has explicitly requested - for example, if you are using a web site's shopping cart you have made a conscious decision to do so and the session cookie which allows items to be placed into that cart and then purchased is essential for the service explicitly requested - you will note Struan doesn't use session cookies in an attempt to support his arguments - because he knows it is an invalid point.
Easy enough to have a tick box for "remember me" (persistent cookie for the website) or "know about me" (info shared with advertisers across sites), and an option to leave boxes unticked? That's an optimistic attitude.
For web sites, if there is an option to continue or enhance PII data gathering without penalty, we should expect them to take it. Why wouldn't they choose what they want? All they have to do is declare that it is necessary, or possibly construct the website to make sure it is.
Which begs the question why does the EU bother with this? To have something to point to when trying to gain popularity? To tick the "something must be done box".
It's about time browsers had more nuanced and effective control over what is and isn't accepted. Blocking 3rd party cookies is flawed, because some online payment and banking services need 3rd party cookies to complete transactions properly, and I'm fairly sure at least some large sites run 3rd partly cookies via subdomains of the main site, bypassing 3rd party control.
A more friendly system is definitely needed for flash based cookies, available by default - or perhaps they should be banned since they seem to serve no useful function other than to bypass user choice on the sly. Subliminal TV ads were banned as ethically dubious, why should cookies for targeted ads be seen as any different?
How about creating a small number of broad based cookie categories that define cookies by purpose rather than simply by origin, and ensure that any advertising, tracking or data collection based cookies get a category of their own, with default controls within the browser defaulting to privacy mode - or at least asking the user to choose the first time the browser is run. Businesses would be obliged to tag their cookies as such, in the same way as some parental control ratings work. Or oblige businesses to declare their tracking/ad/data collection domains and have these added to a central list that can be checked by the browser and blocked (much like the ABP lists but with legal obligation) or allowed.
Alex Hanff is right; the industry has spent a great deal of time and money ensuring this is thoroughly skewed in their direction, in the minds of both the public and the bureaucrats. The ability to decide how much of your privacy you haemorrhage for someone else's profit shouldn't just be restricted to the technically literate.
It is incredibly inconvenient to me that I am not allowed to rob banks - but the reason I am not allowed to rob banks is because of the harm it causes. Should I be permitted to break that law simply because it is more convenient and increases my "revenues" or should I (as currently happens) be expected to abide by that law or face the consequences?
I could go on, but if people haven't got the point yet, it is unlikely they ever will.
"This law, which is not yet in force across Europe, immediately appeared to hamper the prospects for advertisers"
......I'm happy that this will prevent cookies being used to track my usage. I hate adverters at the best of times, and now the support is on my side. Let advertisers advertise, but not to track my usage and target ads.
I should not have to install ad blockers or abine or no script, etc..... to prevent my usage being tracked.
Like it or not, this puts the power back into the users hands.
"The advertising industry is adamant that you can rely on cookie settings"
My message is this: I block all cookies in the browser settings. But that hasn't stopped advertisers using flash cookies, which are not controlled by the broswers cookie settings. Thus I have to install 3rd party software to stop them. I should not have to do this.
Therefore you can not rely on browser settings. And 'you' know this.
New York Times piece on some of the world biggest online companies exploiting a flaw in IE's p3p implementation to override users' cookie preferences and place cookies even when the user has specified not to.
Or how about this one?
Childrens' sites plant more tracking cookies/beacons than sites targetted at adults - part of WSJ's "What do they know?" series:
Self regulate? We can't trust these guys as far as we can throw them and you expect me to sympathise with them? Please, give me a break!
With a lot of PHP systems they need to set PHP session cookies so do they now need to ask permission first and what if the user is sensible and clears browser cache and session information on closing his browser ? if not they have to leave a record of sites visited which defeats privacy.
The same with load balancing cookies etc, third party cookies and flash cookies should not be set without permission but the best way to deal with that is to change default web browser permissions and enforce better cookie settings such as HTTP only and expire when the browser closes.
Average users won't understand the cookie problem anyway (search youtube for "what is a browser" )
I accept this may not be a popular opinion, but, hey, somebody's gotta say it...
It is about time the muppet brigade took some lessons in basic security practice - not just how to set up the browser with regards things like cookies (and, can we assume this ALSO applies to those "unmentioned" Flash cookies?) but also in the relative dangers of blathering every insipid little thought onto random social networks.
The internet is just like real life, there are lovely beautiful places with friendly people, and there are sordid dark alleys where even low-lifes are too wussy to hang out. The only problem, for a newbie it can be hard to tell one from another until you're already there. And for a child, well, many's the time I've had to perform a tedious Windows reinstall because some brat downloaded and installed everything they could see. Funny, the little bastard was quick enough to click through Windows' generic security warnings (and one even turned OFF the antivirus "because it wouldn't let me install blahblah").
So many problems (and so many El Reg headlines) could be averted if the populace gave as much attention to their internet behaviour as they do to their favourite Premiership teams, or the latest Zac Efron/Twilight movie.
Companies could behave in an ethical and lawful fashion. How do you suggest users educate themselves on how to avoid browser exploits such as the p3p exploit in IE? How do you suggest users prevent 3rd parties from respawning http cookies using local stored objects such as Flash? How do you suggest people defend themselves from the new threats posed by HTML5 browser databases (yet more local stored objects).
The fact remains that even those of us who are tech savvy are unable to prevent much of this behaviour fro occurring.
As for your obvious contempt for children doing things they shouldn't - perhaps if they were supervised more appropriately or appropriate technical measures were put in place to lock the sysem down, the "little bastards" you are referring to would not be able to behave in such a dangerous manner. YOU (as someone who seems to illustrate they are in a controlling position on this issue regarding childrens' access) are responsible for that NOT the kids.
So I am voting you down because your comment is worthless and doesn't consider the issues at all, it is merely a rant at non tech savvy users.
Any company that doesn't like these rules and would rather have users go straight to a screen rather than having to tick a box will now just take their activities to another part of the world?
"at best they will interrupt the user experience at their website, at worst the user will refuse them permission to serve targeted ads"
But then serving targetted or untargeted ads doesn't exactly enhance one's user experience in the first place.
"An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user,"
With respect to first-party cookies:
'Strictly' speaking, cookies are only necessary because a developer says they are. 'Strictly' speaking, there is no web application out there that cannot be made to work without cookies.Therefore, 'stricty' speaking, cookies are never the only solution to a problem and 'strictly' speaking' it could be argued that cookies are always unnecessary.
Cookies are cheap, alternative mechanisms are not so cheap. That's all there is to it. Technically there can be no debate about what's "strictly necessary" as technically cookies are never absolutely necessary.
With respect to third-party cookies: They should always be blocked IMO.
Epic fail from just about every conceivable angle.
Their primary design function is to preserve state, because HTML is a stateless language. In case you don't understand what that means, let me explain: Each new page load, it's as if you had just come to the site, and any information that you might require from the previous page is lost. State preservation means the browser can "remember" things you did previously on the site, such as adding an item to your shopping cart, or editing a document on the site.
Granted, the other way you can preserve state is with a session ID in the URL, but this is basically shifting the cookie from the cookie jar to the address bar. It still tracks what you do, and with a URL-based session ID the user has no option to turn it off, as with cookies.
So the vast majority web applications, as opposed to mere web *sites*, DO require cookies or some equivalent means of stateful process to function. Imagine using Word to type a document and Word forgot everything every time you flicked to a new document, and you had to start again each time you went back to your first one. Applications NEED to preserve state for this reason, whether they are running on your desktop or as part of a web page.
If that means of state preservation is not a cookie, then it's a functional equivalent like a session ID. So when a developer (like myself) says that cookies are necessary, it's because we know what we're talking about, unlike yourself who obviously hasn't a clue.
With the browser set to ask for confirmation then you find that many sites use large number of cookies (not third-party ones) but still work find when you refuse them.
I am sure many of them are not even using most of the cookies.
What annoys me most is when a site informs me that I must enable cookies to continue but does not say which cookies.
Saddest part of the whole thing is that cookies of any kind are not really needed at all, even for Web2.0 cruft.
The wish for European uniformity will lead to judges clarifying laws. These will be different across the Union. Conformity will come when, and if, an individual takes an invasion of privacy case to the European Court of Human Rights.
phrase a law/directive/wish so that only case law and therefor lawyers benifit.