Most public sector organisations do not ask internet users' consent to cookie tracking, a survey has said. The UK's Privacy and Electronic Communications (Amendment) Regulations implement changes to EU law and were brought into effect in May. The new law requires website operators to make sure they have "informed consent" from …
The lunatics have taken over the asylum.
A massive amount of time and money is being wasted on this utter crap.
Meanwhile, services are being cut, children go without books and OAPs die in their homes through lack of heating in winter.
Glad we got our priorities right then.
Dogs and cats, living together!
Maybe if the government ignores the problems they'll get better. Then again, I'm so libertarian that I should drive a Conestoga wagon: if government does less, with rare exceptions, I'm all for it.
That's almost sensible...
"Less obstructive methods, such as obtaining consent from websites' terms and conditions..."
So to comply with this, all we have to do is add some legal bumf to the T's & C's and we're good?
Careful, that almost sounds sensible!
But in the real world
How many times do people bother to search out, read and understand the Privacy or T's & C's sections before using a website?
A tiny fraction of 1% I would imagine - that doesn't sound much like informed consent to me.
... the regulations don't allow for a simple update to the T&C. It has to be a physical message right before the user starts their journey through your site. The regulations specifically state that anyone using Google Analytics needs to ask permission from the users as well, so there goes my stats which help me shape the content for the customer and hopefully make their visit faster and more informed, thanks EU.
...is that your issue or theirs?
Maybe should have an opt in / out box.
Yes = go to site.
No = goto http://www.parliament.uk/about/contacting/mp/
This is one f***ked up law, made by dickheads that have no idea what bit of paper has been shoved in front of them and they have asked to sign.
"How many times do people bother to search out, read and understand the Privacy or T's & C's sections before using a website?"
How many times would the cookies have been set as soon as the user loads the website, far before even finding the Privacy or Ts&Cs sections?
"Informed Consent" is a bonkers standard in this context
"Informed Consent" is a totally inappropriate standard to apply here anyway.
It comes from the world of medicine, where the surgeon has to make sure you understand the implications of that vasectomy before relying on your signature as permission to apply the scalpel to your goolies.
We don't apply anything like as high a standard in other walks of life: that mortgage you signed up for is a weight around your neck, whether or not you understood how compound interest works. With a few restrictions around 'unfair contract terms' etc., caveat emptor applies.
Informed consent is just the wrong standard in this case (even 'click the box' consent is a bit strong, for the reasons others have pointed out).
Please explain to another AC, it is not my real name, how the use of Google Analytics allows you to improve your users experience?
I do assume you have access to website logs and a bit of foss that might allow you to do the analytics yourself..... or is your arse just too lazy?
I'd be interested in the name of your website in order to do a bit of analytics myself.
Well..... fuck me. You mean that you sell inco products to people with incontinence problems and Google is telling you that most of your visitors are 'of a certain age'?
Might I ask how Google came by such information?
You hosted their 'free' tool and gave it away. How do you think your customers might feel about that one?
ITMT what the fuck are you doing operating a website whereby you have such a basic lack of clue about your target audience that you just have a basic lack of clue?
Meeeeeeep Meeeeeeeeeeep Meeeeeeeeeeeeep
My website will die if I am not allowed to host third party data scrapers and get 0.000000001C for every $1 they earn.
Sympathy bucket is empty.
Go get a proper business model.
Blaming the wrong people
If it wasn't for the marketing folks using increasingly devious ways of invading people's privacy the eurocrats wouldn't have felt the need to draw up a law like this, and it has to be drawn widely to stop them weaseling their way round it. For a couple of recent examples:
There are loads of cases where an honest majority are inconvenienced by a law that's there to protect the public at large from a dishonest minority. It sucks to be one of the ones inconvenienced, but unless you can think of a better way to protect the public from the scum I suggest you deal with it.
"I do assume you have access to website logs and a bit of foss that might allow you to do the analytics yourself..... or is your arse just too lazy?"
I am capable of crafting my own wheel but prefer to use ones I buy "off of the shelf". I am capable of disposing of my own refuse at the local council tip but instead prefer to stick the bins out for collection etc etc etc. Please think before accusing people of laziness rather than considering whether they believe their time is better spent elsewhere - it is the basis for productivity/value add whether you consider it to have been "added" or not.
I would mention that you do not "buy Google Analytics off the shelf" all you do is host their scripts on your site for 'free'. Of course it is not 'free' because the analytics as delivered to you are generated by the same tools that you are hosting as a result of Google analysing the behaviour of people on your site and the content of the site itself and combining that with data gathered from sites elsewhere in order to generate the associated profiles. I would suggest that wealth of data is more immensely valuable to Google than anything you receive in return but you are quite happy to gift such information about your visitors without their explicit knowledge to Google because either you do not know, do not think or do not care.
Google analytics is in my browsers' block lists. I don't claim to be typical, but I'm certainly not alone. So performing your own logfile analysis is definitely more accurate.
"By next May"
"By next May" is, perhaps, the key phrase, which only appears quite a way down the article.
ICO expects organisations to be taking steps to ensure that they are compliant by May 2012, but a lack of compliance is not necessarily an immediate problem:
"Organisations have 12 months to make sure they comply with the new rules. In that time we expect websites to be looking at the cookies they use and where necessary putting in place steps to get your consent.
If a website does not appear to be taking steps to comply with the new rules and we receive a complaint during this 12 month period we will provide advice to the organisation concerned on the requirements of the law and how they might comply. Where we think it is appropriate we will also ask organisations to explain the steps they are taking to ensure that they will be in a position to comply by May 2012."
Source: ICO: http://www.ico.gov.uk/news/current_topics/new_pecr_rules.aspx
Q: How can you break the law if you can't be punished?
If you fine a local authority, it's the council-tax payers who have to pay it. Councils don't have any money of their own: only the money they forcibly extract from people in their region. If some of that is taken away from them in fines, the local people (who paid it) either have to pay more to make up the shortfall, or suffer from reduced services.
The council itself is never made to suffer.
So to say that a number of councils are breaking the law, and that they could be fined because they haven't done some stuff about cookies on their websites, is meaningless. They won't suffer, even if they are found to be doing something illegal. Councils are not people: you can't anthropomorphise them and apply "punishments" or "rewards" as you would to a naughty child. As an organisation, not a person, they are immune to punishment. Consequently trying to apply laws to non-people is ineffective.
The best you can do is ask nicely, "if they oh-so wouldn't mind terribly if they might (when it's convenient) please, have a little look at doing something about all the cookies their websites push out - no pressure at all. Thank you all, very much indeed." The answer, as with everything a council is asked (nicely or not) to do is that it will cost money and need more people - in a time when they have to cut costs and staff. So again: just as with paying fines, it's the tax-payers who get stuffed with the compliance costs.
Good point, but not quite...
... I see what you're saying but I think the person in charge of the website will probably have a vested interest in keeping their job, so that might be a bigger motivator for complying by May 2012.
Don't forget, Councils do actually employ normal human beings that have wives, kids, mortgages etc.
Councils employ actual people.....
Yeah verily. Just as with the many instances of laptops, sticks, cds "lost" with personal data on them it is not the council that should be fined (i.e. council tax payers who have to stump up the money) but the individual officers and their managers who allow the laxity.
As I have said before on numerous posts, council tax payers are punished when a council is fined, but the responsible individual is really punished when a gaol sentence is applied, which cannot be passed on to the long-suffering public hypothetically "served" by the council.
That's a WTF in itself, I can see the committee decision:
PHB #1: We need to store as much information as possible on the visitors
PHB #1: just because
Tech: We'll probably need a database to do that much information.
PHB #2: I've heard about these things called cookies, why not use them
Tech: You've got to be shitting me. **Gets out razor blade**
99% of UK gov websites are breaking the law...
...and so, I imagine, are 99% of all other websites.
Is any self-respecting website developer going to make any effort to spoil the user experience with various popups asking the user something they probably don't understand anyway?
Some EU initiatives are worthwhile. This is not one of them.
Re: 99% of UK gov websites are breaking the law...
"Is any self-respecting website developer going to make any effort to spoil the user experience with various popups asking the user something they probably don't understand anyway?"
Don't you think...
... that showing ads and using analytical tools are essential mechanisms of a site?
Most site owners will.
Does this apply to HTTP etags too? Or can we simply switch to using etags rather than cookies?
goes in the same category as the one they had about regulating the shape of bananas/cucumbers ...
If you want to talk about UK lawbreaking websites
why not have a look to see if you can find any websites which comply with the Disability Discrimination Act and its successors.
E.g. the kind of standards-compliant Flash-free website that is not just inherently multiplatform, bandwidth-efficient, indexable by search engines, etc, but also usable by (eg) people with impaired vision who use a screen reader.
Cookies are for eating.
Can I just ask what are the criteria for determining whether the site comes under UK Law?
*.uk? Any site registered to a UK entity (rather than a proxy registration)?
This is how the law comes into disrepute...
... through passing bushels of ridiculous, pointless, time-wasting, unenforceable laws.
People naturally ignore them, and thus get comfortable with paying no heed to the law.
These laws are rubbish
Look how easily they break
T's & C's Change no problem!
Anyone seen this in any T's & C's on a website?
Just wondering on the wording, I am expecting lots of junk mail on this issue, and lots of discussion, so if we could recover this potential to lose time (and money) on this issue with a change to some T's & C's now, then I am up for it!
what happens if the user says no?
Then they can have the 'Frankie Boyle Vegetarian Option'.
As in "There is a vegetarian option - you can f**k off".
Then you FAIL
because you'll have to ask them over and over and over - unless of course storing a cookie to remember that they don't want you to store cookies counts as an essential function?
I'm probably not going to rewrite my websites to work without cookies, so yes at best I could ask permission and if they say no then they get asked again every time they open a new page.
Problem with that is, people who currently have cookies turned off and put up with the minor inconvenience they might encounter will then find my website totally unusable. How does that benefit anybody?
-1 (imaginary website)
If your site can't function at all without cookies then you are *definitely* doing it wrong!
best get on with that rewrite.
The crux of it
So at the moment someone who has disabled cookies can use my site. In future they won't be able to use my site because I will have to send them somewhere else if they decline cookies when I ask them.
I'm not arrogant enough to think that being unable to visit my website is a great loss to anyone, but multiply that across lots of websites and it becomes a problem. Ironically, this law could harm people who are already dealing with their own privacy concerns by disabling cookies.
Councils (and businesses) often have highly paid directors
"As an organisation, not a person, they are immune to punishment. Consequently trying to apply laws to non-people is ineffective."
You make a good point but miss the answer. Apply the laws to the people in charge. The people in charge pay themselves as individuals lots of money because "they are responsible". So if they are responsible and there are punishments to be dished out, why are the "responsible" people (who paid themselves a great deal) also not picking up the punishments.
It would help focus these folks' minds.
I do realise it's not going to happen just yet, but I suspect if things were done this way there'd be noticeable differences.
Re: Councils (and businesses) often have highly paid directors
"You make a good point but miss the answer. Apply the laws to the people in charge. The people in charge pay themselves as individuals lots of money because "they are responsible"."
They are only responsible for the good stuff - and consequently reward themselves handsomely. If anything bad happens, I think you will find that someone else is responsible for that.
Applies to large corporations too.
Esc key 'cos I would like to. Anyone know a good place to go?
If the ICO have already deemed that organisations have 12 months' grace then I fail to see how they can be contravening the law.
It sounds like websites control your computer.
HTTP is a stateless protocol, which means between page loads, the web server normally has no way to know who's who. Cookies solve that, by letting each visitor identify itself every request. It works as follows:
<visitor> I'd like to look at this web site.
<server> Sure, here's the web site. Also, next time you visit, give me this cookie (a number), so I know who you are.
... time passes ...
<visitor> I'd like to look at another page. Here's that cookie you gave me last time.
With this absurd legislation, the server would have to ask permission for the visitor to return the cookie? It doesn't make sense! It's up to the visitor to return the cookie!
Or maybe the exchange would be more absurd:
<visitor> I'd like to look at this web page.
* visitor reads page
<visitor> OK, I accept the policy.
<server> Who are you?
<visitor> I'd like to look at this web page now.
The legislation is just a poor attempt at solving the problem that most users don't know how to control their software.
" the server would have to ask permission for the visitor to return the cookie? "
The website would have to ask permission to set the cookie in the first place. The server doesn't do anything to get the cookie back - that's the browser and HTTP. The browser would ALWAYS return cookies, because they would (in theory) have been legitimately set in the first place.
The user doesn't need to know how to (fully) control their software, this legislation is another example of lawmakers not fully understanding (or bothering to) how modern tech works and that it's a lot more complicated than their stuffy old brains would like.
This law is specifically about tracking cookies, not session cookies. That is, the cookies that Google et al like to set that have expiry dates of some time after 2030. Not a session cookie that helps your site maintain state while the viewer is watching it, and expires some sensible time later (say, 24 hours).
Normal cookie usage is unaffected. You may feel free to POST a session ID instead though, if you want to make sure of your legality. Just don't use GET unless you want your users getting hacked by copy-pasting a URL to the wrong people.
Wot, not big biscuits? Bummer...
The guy at the corner shop probably vaguely recognises me and knows which Sunday paper I read. He doesn't know anything else, eg my name. That isn't an invasion of my privacy. He doesn't need my permission to vaguely recognise me.
Tesco, if I was daft enough to use a loyalty card, know my name and address, virtually everything I buy, hence a lot about my family and lifestyle, how much petrol I buy and where, even which theme park I take my kids to when I spend my points. That is an invasion of privacy and I deserve a choice (which I have, of course, I don't own a clubcard).
That seems to be pretty much the same as most websites - most websites can't track you as you move around the web, they can only track you as you move around that website. To track people any further than that you would need your own code running on lots of other peoples' websites.
So this law only really matters if you are Google, but we all have to comply, and it could be very difficult for CMS users who don't have detailed knowledge of exactly what their site is doing under the hood. Unless the major CMS projects address this, we are going to have millions of lawbreakers, or a hell of a lot of static HTML sites.
Pretty good but
I like your analogy, but I don't think the CMS projects need to address anything - as you say it's the ad networks that do the cross site tracking (Google esp, getting sick of expansys adverts everywhere just coz I work there and happen to go on the site a fair bit)
The EU needs a kick in the teeth so that it legislates only against the ad groups, who should be the ones required to get permission to track between domains.
RE: Pretty good but
I agree the CMS Vendors shouldn't have to do anything it really should be targeted at the Ad Networks, unfortunately common sense and some technically minded people in central government and EU Parliament are unfortunately absent from the process.
my grocery store knows who I am, too.
I'm the guy that buys:
candybars and rope - lunch plus stabilizing furniture during a friends' move
apples and razor blades - lunch plus i was cleaning windows after painting
antifreeze and dogfood - car needed antifreeze and parents dog needed food
cucumbers and condoms - ok, this was a joke because I only needed the cucumbers and just couldn't resist.
If I'm bored and have a big list, I'll match up the items in creepy pairs and buy them, with cash, usually ones, wearing gloves, at the 4 stores in the chain closest to my house.
If I'm really bored, I'll turn my phone off and go out for a drive. And start driving in circles, mall parking lots are best, and turn my phone on one corner and off at the opposite corner, over and over until I get bored.
I wouldn't be surprised if my car had more than one tracking device attached...
I went to my local gov site and a socitm survey popped up. It left cookies on my computer despite my do not track setting. These people are retards.
Just viewing the socitim.net (not the gov.uk) saves a TestCookie and no sign of a tick box.
Could someone clarify this for me
Is this new law banning use of any cookies without consent, or just tracking cookies. The testing they've reported suggests to me that it's all cookies, but that's just stupid. They are a perfectly reasonable way of storing state (and this is coming from someone who whitelists cookies). It may be persisting a session id for authentication, the on screen location of a widget, or the page you're on in a survey. That's not tracking you, it's simply working around the stateless nature of http.
I can see the reasoning behind the law, but please tell me it's only applying to cookies that uniquely identify you, and persist for a significant period of time.
It would have been so simple to make this simple
But instead we (well, those of us in Europe) are stuck with something confusing and unenforceable that people will just ignore, because there is no other viable option. As I understand it, the law does have an exemption for cookies that are "necessary", but doesn't provide any further clarification.
But all they would have had to do is specify that first-party session cookies can be used without restriction. That would be a whole lot more helpful, and should cover the majority of what is truly necessary.
FFS - Lies
Balls - they've pinged sites checking for cookies being set - that's it. That's not an audit.
Cookies being set != no consent.
The updated directive (it's not new) is not specifically about cookies, it's about storing and persisting data on the local machine (by any means) without consent. The persistence is important, as this differentiates between session and tracking cookies.
Also any mechanism of local data critical to the function of service provided is exempt, such as cookies on an eCommerce site persisting your shopping cart.
The wording is actually reasonably clever in ensuring that it targets tracking cookies without explicitly stating so. And for these cookies, providing clear information on your terms and conditions is actually enough to comply - this wouldn't be identified by this cocking "research".
So if a LA site sets a session cookie, that's not breaking the law, it really isn't. And the idea that a site is setting 186 cookies - nonsense - that's their "auditing" software failing. And the 99% figure also nonsense - how do I know, I visited 30 sites this evening and checked, typically you're dealing with 3 (session + socitm survey + google analytics) - online payments might issue a 4th but as stated, this along with the session cookie, would be exempt.
In any case, ICO aren't doing anything for a year, and have already stated that the user agent vendors (Google, Microsoft, Mozilla, etc.) will be responsible for compliance. Leaving web site owners for all intents and purposes with nothing to do.
Beyond the idiocy of SOCITM (in this statement), is that it hasn't been challenged by the journalist copy/pasting the press release. *sad / grumpy face*
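The distinction several comments above draw between session cookies and long-lived or third-party tracking cookies can be checked mechanically from the `Set-Cookie` headers a page load produces. The following is an added example, not part of any comment in the thread: the host names, cookie names, audit date and the 24-hour threshold (borrowed from the "say, 24 hours" remark) are constructed assumptions, and the first-party test is a simplification that ignores the Public Suffix List.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: anything living longer than this is treated as persistent.
SESSION_LIMIT = timedelta(hours=24)

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, lowercase attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def lifetime(attrs, now):
    """Return the cookie lifetime, or None for a browser-session cookie.
    Max-Age takes precedence over Expires, as browsers apply it."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: browsers treat it as a session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp - now
    return None

def party(page_host, setting_host):
    """Simplified first/third-party test: same host or a subdomain of the site."""
    site = page_host[4:] if page_host.startswith("www.") else page_host
    same = setting_host == site or setting_host.endswith("." + site)
    return "first-party" if same else "third-party"

def audit(page_host, observed, now):
    """Classify each (setting_host, Set-Cookie value) pair seen during a page load."""
    results = []
    for setting_host, header in observed:
        name, attrs = parse_set_cookie(header)
        life = lifetime(attrs, now)
        if life is None:
            kind = "session"
        elif life <= timedelta(0):
            kind = "deleted"       # expiry in the past removes the cookie
        elif life <= SESSION_LIMIT:
            kind = "short-lived"
        else:
            kind = "persistent"
        results.append((name, party(page_host, setting_host), kind))
    return results

# Constructed sample: headers a single page load might produce.
PAGE_HOST = "www.example-council.gov.uk"
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("www.example-council.gov.uk", "ASPSESSIONID=abc123; Path=/; HttpOnly"),
    ("www.example-council.gov.uk", "basket=42; Max-Age=3600; Path=/"),
    ("analytics.example.net", "_uid=9f2c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("survey.example.org", "TestCookie=1; Max-Age=31536000"),
]

if __name__ == "__main__":
    for row in audit(PAGE_HOST, OBSERVED, NOW):
        print(row)
```

Counting cookies alone would report four for this page; only the last two are both third-party and persistent.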