The Information Commissioner's Office won't begin enforcing the new cookies law for another six months yet - in the meantime, the regulator has issued a reminder to web outfits warning them to prepare to comply with the legislation. On 25 May 2011, the implementation of the revised e-Privacy Directive passed with a whimper …
Most of this I am happy with and accept as being on the right track. However, the regulations apply to persistent and session cookies (page 4 of their guidance PDF). This has evidently been written by some arts muppet who does not have the first clue as to how a real web site is written.
Each page refresh to a web server starts afresh, completely unrelated to any previous page served up. This is not how a user sees it: they think of it as a conversation - a session. This sort of session cookie is used to tie the page hits from a user together so that they are related. The session cookie is ONLY returned to the domain that set it, expires when the browser is closed and, generally, is not recognised by the server if unused for 1/2 hour or so.
There is also little distinction on the purpose of a cookie. A request for a larger font size is considered the same as one that records the user's name; the privacy implications of these two are worlds apart.
Much too great an emphasis on the wording of a poorly drafted law rather than what the intention is.
The ICO's own web site:
They make great show of how to do it, but when I agreed to it storing that cookie on my machine I found:
* 2 cookies from www.ico.gov.uk
  - session cookie
  - ICOCookiesAccepted - permanent cookie that expires in 2 years.
* 5 cookies from ico.gov.uk - which is a cross site cookie - a site that I did not agree to.
  - cookies that vary from being session to permanent which expire varying from 1 hour to 2 years.
Without a doubt one of the worst bits of legislation ever deployed. It will however keep quite a few pencil pushers employed.
And after 6 months, the non-UK web giants - Google, Amazon and ArseBook will simply ignore them.
The ICO Commissioner will then stamp his little feet - and will be ignored.
It's an EU-wide law and the European Commission is pretty good at enforcing such law even on "foreign" companies. Easily done when they almost always have EU-based subsidiaries in order to trade. The European courts, whilst not fast, are still faster and toothier than their US counterparts and increasingly uphold Commission findings. And, inasmuch as Google has already agreed to randomise the last octet for Google Analytics, you can see them starting to fall into line.
it's now open season ... for tracking online behaviour without requesting consent
It's been open season on UK internet users for some years...
"The ICO has not contacted any independent IT experts for their view on Webwise... The ICO are not technical experts so encouraged Phorm to be transparent and directly engage with technical experts to address concerns raised by such experts about the safeguards and nature of the Webwise product"
These are the people we expect to enforce cookie legislation? You're pulling my leg.
Meanwhile, old salts just dig up their old log file analysers and set up the webserver to start dumping a copy of the logs for each site in a folder somewhere and hardly notice the inconvenience. It's not like there is a critical need for the extra info gathered through a cookie most of the time.
Of course, this is exactly what advertisers don't want. But the law has been passed and the Commission will ensure it is enforced. It also sets a precedent for the next battle which will be the myriad bits of data requested and stored on mobile devices.
The law is an ass
A bad law that punishes the innocent and won't deter the guilty. There are two relevant petitions on the ePetitions website - I've signed both
I have a list of companies that I'm going to check on the 25th May to ensure that they've implemented the change. If not, I'm going to submit a complaint to the ICO just to see what, if anything, they're prepared to do.
In my experience the ICO is extremely reluctant to prosecute companies. They will not prosecute a company for failure to comply with the PECR2003, and they will not prosecute companies for failure to comply with Section 11 of the DPA98. So I want to see if they're going to prosecute companies for failure to comply with the cookie legislation and if so, why the duplicity? Why enforce one section of the Act but not another?
I'm booking the day off work and if you're listed on my website I'll be checking out your site.
Why enforce one section of the Act but not another?
Because one makes sense and the other is nonsense?
Another reason to quit EC
or why not adopt the French model, sign up to all the loony legislation and do nothing whatsoever to enforce it (except the legislation that makes their work-shy lifestyle mandatory).