The UK government will not have its regulatory house in order by 25 May when a new EU law on cookies comes into force. At the same time, the Information Commissioner's Office is warning businesses to be ready for the changes, even though the government's own guidelines won't be published until after that date. Under the European …
How is it an "unnecessary burden"? Surely all they do is to drop the sending of cookies to folks' PCs until they work out how to ask permission. Simples.
If they weren't so busy
messing with our rights to free speech, they might have hit the deadline.
UK gov stuck in the 20th century
You can't honestly expect any sort of technological savvy from these people. Even the Department for INNOVATION and Skills is still using IE6!
I guess this won't include flash shared objects.
"the ICO was concerned that it could also 'cause an unnecessary burden on UK businesses' "
Wouldn't it be a darn sight more accurate to say "We're totally incompetent to even think of dealing with this - just look at the complete balls-up we started with our never-ending inaction over UK ISPs who routinely intercept people's browsing for commercial gain."
Fuckwits, to a man.
Maybe stop this fear mongering about cookies (because that's what it is) and actually EXPLAIN what they are and what they do. Not just spew nonsense like "tracky advert behavioral website file linky download" that only serves to make people confused and frightened. THEN you can work on restricting their use (note: I'm not saying this is necessarily a bad thing)
Shit a brick.
"websites that track their users' cookies"
What does that actually mean?
It is not clear from the article and I'm damned if I'm reading the whole instrument in order to find out this basic explanation.
AFAIK, a website only ever has access to the cookie(s) that it creates. There is therefore no mechanism by which a web site can determine the existence of or read the information stored in cookies from other web sites.
The potential risk to privacy stems from third-party cookies that can allow an ad network (i.e. Google) to track pages that a user visits across large parts of the web.
Cookies are valid below a specified folder on the domain. If you (as a website) ask for it to apply to the root then any other site/app on that domain can read it.
Ad cookies work by switching to another domain in an iframe so it can set its own cookies and read them back from another site.
A website does indeed have access to cookies it creates
Now think about the average website. That facebook 'like' button is a script brought in from facebook that can set and read cookies, regardless of whether you have a facebook account, they can track you across anywhere with such a button.
A lot of pages bring in stuff from google-analytics, and that gets to set/read a cookie also.
And then there are the ad networks, and the bigger ones will have content across millions of sites. Hell, this very 'reply to post' page brings in scripts from doubleclick (google now, I believe).
So it's not as simple as cookies only being set for the site you're on, it's cookies being set for hundreds of sites you never visited explicitly but were brought in anyway.
Take a look in your cookie dialogue in your browser. There will be hundreds. This is why I recommend use of the "Cookie Monster" extension with firefox, it lets you control this stuff and switch off third party cookies while allowing the first-party ones you need to make the sites you actually visit work correctly.
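
The cross-site tracking described in the comments above, as an added example that is not part of the original thread: a toy model of a browser cookie jar in which one embedded ad-network host links visits to unrelated sites, and in which blocking third-party cookies breaks that link while first-party cookies keep working. All host names are constructed, and the jar matches on exact host name, a simplification of how real browsers scope cookies.

```python
import itertools

TRACKER_HOST = "ads.tracker.example"   # hypothetical ad network host
SITES = ["news.example", "shop.example", "forum.example"]  # constructed sites


class AdNetwork:
    """Server side of the tracker: mints one opaque ID per unknown browser."""

    def __init__(self):
        self._next_id = itertools.count(1)
        self.profiles = {}  # cookie value -> sites that embedded the tracker

    def handle(self, embedding_site, cookie):
        if cookie is None:                       # no cookie presented: new ID
            cookie = f"uid-{next(self._next_id)}"
        self.profiles.setdefault(cookie, []).append(embedding_site)
        return cookie                            # value of the Set-Cookie reply


class Browser:
    """Cookie jar keyed by the host that set the cookie."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}

    def load_page(self, site, tracker):
        # First-party request: the site only ever sees its own cookie.
        self.jar.setdefault(site, f"session-for-{site}")
        # Embedded request (iframe or script) goes to the tracker's own host.
        if self.block_third_party:
            tracker.handle(site, None)           # no cookie sent, none stored
            return
        self.jar[TRACKER_HOST] = tracker.handle(site, self.jar.get(TRACKER_HOST))


def browse(block_third_party):
    """Visit every site once; return what the tracker learned and the jar."""
    browser, tracker = Browser(block_third_party), AdNetwork()
    for site in SITES:
        browser.load_page(site, tracker)
    return tracker.profiles, browser.jar


if __name__ == "__main__":
    print("default:", browse(False)[0])
    print("blocked:", browse(True)[0])
```

With third-party cookies allowed the tracker ends up with a single ID tied to all three sites; with them blocked it sees three unrelated one-site IDs, although in this model it still receives each request.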
How do we track users that have selected "no" so that we don't have to keep asking them on every page? Can we store it in the session... or do session cookies still count as cookies? In which case we'll have to just pass the session id along in the url... nice and secure :D
Paris, because she always gives permission to access her cookies.
That would be the "do not track" header, surely?
That the browsers are now putting in place.
Why does everything need a session? And why is it a problem to have a session in the URL for most online activities in which any sort of session security is secondary?
which is why I see this as being a complete balls up.
you can use cookieless URLs but everything's going to have to run through an encoding and/or encryption and it's easily broken because how many people never click back or use bookmarks or other browser aids to navigate?
also that is a fairly major re-write on most sites.
a simple competition - find an EU compliant site
Be the first to find an official EU web site that meets the new directive.
Easy, isn't it?
To give you a head start, the official web site for the European Parliament Information Office in the United Kingdom, http://www.europarl.org.uk/, is FAIL. It doesn't ask permission to store cookies. It uses Google Analytics, like everyone else.
Do sites that have already set cookies have to remove them if you don't opt in? EG HMRC sets a cookie with a 5-year lifetime. Can I take HMRC to court for breaking the law at any time between when the government starts enforcing this directive, and 21 Feb 2016 when their cookie expires? (I want some of my tax back!).
OPP (One page passwords)
If a user tries to logon to a site and gets presented with "Would you permit this site to store cookies?" how many people are going to say "No" when it may as well read "Would you like this site to function correctly?"
Unless the types of cookies that are allowed are clarified this is an insane waste of time which nobody will want "protecting" them.
(Sarcastic icon for the ICO)
But that's exactly what it needs to say
An online shop for instance, could not track until someone clicks an "add to cart" button, or a buy button. Then they say "we need cookies to carry on or the site won't work" and the prospective buyer then makes the decision.
I'm not sure anything more than session cookies are required even then.
A forum site which remembers the user via cookies could survive with session cookies if it made people log in every time, and be login-free if the user agrees to persistent cookies.
There are many ways to minimise cookie use, and there are many ways the user can be told (or asked) "cookies or no site for you".
Should this even be the business of government?
The EU seems to be getting itself in a right little tizzy about internet privacy.
I suppose it is an easy target.
^ I see they are well prepared for their own laws...
Thank you for succinctly summing up the situation. This entire thing could be cleared up by just educating people to block 3rd party cookies.
Oh, and I'm guessing the username is ironic?
Very poorly thought out
This is the worst Website law I have seen in a long while, based on a complete misunderstanding of cookies and privacy.
My websites store NO personal information about visitors. On the other hand, a visitor's Browser may store some information in cookies, on their Browser, but it is not personal information, and no private information is involved.
I checked through the 3000+ cookies stored by my Browser and found the number that contain personal information, such as my postcode: none. Or contain my telephone number: none. Or my name: 6 sites where I had provided my screen name.
In other words, there is no privacy issue. And anyone with a modern Browser can block cookies if they wish.
You're missing the point
It's not about whether the cookies themselves contain identifiable information.
It's about tracking. It can be a random number in the cookie itself, but when half the internet brings in something from doubleclick or google-analytics then google and the other ad networks can track your browsing habits and get a good picture of everything you do online.
Some people have a problem with this.
Report EU Websites to the authorities
We should all report to the authorities any EU website that fails its own laws on cookies, starting with the website for the European Union, http://europa.eu