Feeds

back to article You can break EU cookie rules ... if your site breaks without cookies

Website operators can only take advantage of an exemption from new cookie laws if site users specifically request a service or function and that service would not work without the serving of the cookie, EU data protection regulators have warned. After changes to the EU Privacy and Electronic Communications (e-Privacy) Directive …

COMMENTS

This topic is closed for new posts.
Silver badge
Facepalm

Ye gods, they've managed to make it worse

The web's going turn into a mass of Yes/No alert boxes from everything to like buttons, submitting forms, to mouseover events.

9
1

Re: Ye gods, they've managed to make it worse

They certainly have!

It's not going to stop tracking because those that knew little about cookies just auto click the accept buttons when they appear. What's changed is that those of us who clear our cookies get hassled every day.

Laws should be made by people that have a clue

8
1
Silver badge

Re: Ye gods, they've managed to make it worse

Laws are made by people who have a clue - they're just not the people who vote for the idiots that agree to them. Do you imagine we live in a democracy or some other eden?

0
2
Anonymous Coward

Re: Ye gods, they've managed to make it worse

"What's changed is that those of us who clear our cookies get hassled every day."

worse than that ... there are some people offering "cookie compliance" services ... problem is that they set a cookie to say you've opted out but that is from a "third party" site so those of us who by default refuse to accept thrid part cookies get hassled on *every* page

1
0
Bronze badge
Alert

I'd like to see JavaScript liability

If your site doesn't work without JavaScript, you should be liable for damage to my computer system caused by malware that goes through it.

4
8

Re: I'd like to see JavaScript liability

Plus add in Java and Flash to that liability as well please.

1
0
Anonymous Coward

"Our site doesn't allow you to opt out of cookies because the only way to do this would be to set a cookie on your machine to say you have opted out of cookies. Thus as our 'compliance to cookies directive' would not work without cookies we therefore claim an exemption from the requirement to allow users to opt out of cookies"

There you are .... job done!

13
2
Anonymous Coward

That's nonsense though

You can make your site in such a way that it only sets cookies when it needs to, and asks if there isn't one present.

There's no real need for the front page of most sites to set a cookie at all. They can remember user prefs if there's already a cookie, they set one without asking if a cookie-reliant feature is used.

The only class you can't set without permission are cookies that track behaviour either within or without the site. Your page can operate perfectly fine without these. It may make your life harder in terms of analytics etc, but that's exactly the point of the legislation - you shouldn't just go opting everyone's behaviour into your analytics engine without permission.

6
1

idiots

Who are these idiots? And who said they could make this crap up and people would have to listen to it?

5
2

Re: idiots

I agree, this is brain-meltingly agonising stuff which people without a clue about how websites work in the real world are coming up with.

And all while the rest of the non-EU world chuckles away at our frustration.

1
2
Thumb Down

Re: idiots

I know that most websites I stumble across work fine without cookies, as I reject them all by default.

Perhaps it's you that has a problem with understanding how websites work?

2
3
Stop

Re: idiots

Seeing as I've been building them for 15 years I have a pretty good idea, and know that most users do not want a barrage of messages asking them to accept a cookie which is simply trying to store something like a shopping basket ID.

5
3
Silver badge

Re: idiots

My websites need cookies, I use FormsAuthenticationTicket inside cookies. You wouldnt be able to use my websites without them as they are used for authentication. Since that clearly breaks functionality then I guess i'm exempt.

0
2
Silver badge
FAIL

Re: idiots

"Seeing as I've been building them for 15 years I have a pretty good idea, and know that most users do not want a barrage of messages asking them to accept a cookie which is simply trying to store something like a shopping basket ID."

And since a shopping site breaks without that cookie you don't need to present that barrage of messages.

3
0
Stop

Re: idiots

No, *you* are not exempt, it is only *that* *cookie* which is exempt.

Just because your site needs a preferences cookie or an authentication cookie for it to fundamentally work does not mean that you get a blanket exemption to set Google Analytics or ShareThis cookies, for example.

1
0
Facepalm

You people are crazy, this was lobbied for by big business who were sick of their cookies being blocked or deleted. Now people who clear or block cookies will suffer relentless nagging popups.

5
1

"this was lobbied for by big business"

Do you have evidence or are you even more cynical than me?

1
0
Silver badge

"will suffer relentless nagging popups"

Really? Whenever I see one, I use AdBlocker's element selector to add it to the filter rules. Bam, gone.

Now if only I could do something about sodding El Reg's banner pop-up on my phone. Didn't anybody think to try the main site on Android's browser? It works well, except for that persistent cookie popup...

1
0

Triple-negative?

Can someone explain the quote "just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."?

Too many "not"s in there for me :(

Unravelling the double-negatives, I think I get:

"just because you consent to a website remembering your details once it does not mean that in the future you may wish to visit that site again and be remembered." - which is patently nonsense!

0
0

Re: Triple-negative?

No, it means "just because you consent to a website remembering your details once, it does not mean that in the future you may not wish to visit that site again anonymously"

Or... Even though on one visit you consent to a website remembering your details, at a later date you may want to visit the site anonymously.

e.g. Maybe I'm happy for a retailer to recognise who I am when I visit their site. But maybe one time I go there for a peek at dildos, or iProducts - on this occasion I might want to be anonymous for that visit.

0
0
Silver badge

Re: Triple-negative?

tools -> In private browsing?

2
0
Meh

Re: Triple-negative?

Exactly, if that is what this is all about it is fundamentally ridiculous as you can use your private browsing to anonymise that visit, cookies may still be stored for that browser session only and will not be connected to your non-anonymous visit.

I understood this legislation as being useful to prevent inter-website tracking of users without consent namely with third party cookies, social linking services and advertisers can aggregate information about users across websites, where they've been, what they've been doing, and use that information to target advertising. and the legislation covers any client-side storage method that can be utilised to do so, if this is not the case it is flawed by that I mean other methods can be used.

Session tracking can be done through the URL but is much much less secure and user preferences can be stored server side. If you don't want your current usage to be linked to an account you have like Danny says just use private browsing you will have a new identity for the website until you go back to your normal settings.

Even with this legislation in place, the technology itself is not the problem, the problem is aggregating data, even if anonymised, the trail itself leaves clues as to someones true identity and this tracking can be done at protocol level at various places throughout the internet stack.

Adding a few popup windows to confirm acceptance of a cookie is a nice little placebo and really the legislation is too roundabout to be effective in solving anything.

0
0
Silver badge

Re: Triple-negative?

"I understood this legislation as being useful to prevent inter-website tracking of users without consent namely with third party cookies,"

Not really. Read El Reg's cookies doc [ http://www.theregister.co.uk/Profile/cookies/ ]. Now these popups on El Reg are El Reg asking for permission to set cookies, yes? It seems to be assumed that if you give theregister permission to store cookies, you're also happy to give permission to other sites and advertisement servers (doubleclick.net for example).

What is happening now is just the icing on a wonderfully bodged cake. And is it any wonder big sites didn't implement any sort of cookie policy until the last moment? I bet the geeks at El Reg, BBC, et al looked at the directive and thought, collectively, "you're shitting me, right?".

0
0
Mushroom

it is possible.

Years ago I had a website ordering form that tracked the order process using a rather hideous method. A hash key that was transmitted from one page to the next through a series of CGI forms in a hidden field, that connected to a temporary file on the server containing the information the server needed to know. Every request was a PUT request to the next CGI in the chain. A cron job deleted those temporary files that had not been touched after a certain period of time.

But yes, that was horrible.

In a related note, where does this latest bit of Eurocrap leave users of Google Analytics?

0
0
Silver badge

Re: it is possible.

Paying for something that they're not allowed to use, that's how it leaves them.

Although, I guess all they'd have to do is use the google cookies in a load-balancing regime, at which point they'd be 'necessary' for the operation of the site.

What happens when Google converts their cookies from 3rd party to 1st party? They have the DNS infrastructure to do it, but I'd certainly hate to manage that system.

0
0
Anonymous Coward

Re: it is possible.

It leaves them having to give people the option to say no to it. Which is how as a user I like it. If its for your benefit not mine then you're not storing it on my computer.

1
1
Silver badge

It's interesting that on 'compliant' sites

I've only seen one that has so far offered me a choice of which cookies to accept - all the others have said 'we need them, so you're going to get them' or words to that effect.

The one that behaved was BT - which offered a popup with a slider offering either 'necessary', 'nice to have' or 'tracking' options.

1
0
Anonymous Coward

"Website operators can only take advantage of an exemption from new cookie laws if site users specifically request a service or function and that service would not work without the serving of the cookie, EU data protection regulators have warned."

So the whole process was a waste of taxpayers money!

Site owners just now claim that they must serve the cookie, and done.

0
2
Silver badge

Even more confused

This crap just gets more confusing every time I read a new article about it.

I give up. I'm not implementing any of this crap.

3
1
Silver badge
WTF?

Re: Even more confused

Its not confusing at all:

If its necessary to make what the user came to your site for (e.g. a shopping basket) then you don't need to ask.

If its for your benefit not the users (analysis, adverts, etc) then you need permission.

0
0

Best Cookie Warning?

One of better responses to Regulation 6 of the PECR (the Cookie Law) can be found on The Daily Mash website:

" We've updated our privacy policy, not that you care. You can read it or click to get rid of this annoying box and carry on as before. [Whatever] "

3
0
Anonymous Coward

Any day now there will be new guidance from the ICO ...

... because this EU update contradicts the most recent ICO advice.

A plea to the legislators - please focus this law on the things that actually cause real concern to a significant number of users, and then give clear advice on what to do.

At the moment, it looks very much as though you could not facilitate festivities in a facility for fermenting foaming beverages.

1
0
Bronze badge
FAIL

They could have make this some much simpler and clearer if lawmakers weren't completely technically clueless. Why couldn't they just say session cookies OK but if they want long-term cookies they have to ask?

0
0
Silver badge

Because that doesn't separate permision to "rememeber I'm logged in so I don't have to type my password again tommorow" from "stalk me from site to site and deliver creepy adverts based on my browsing history".

0
0
Bronze badge
FAIL

Stupid stupid laws

The government needs to stop legislating technology and instead focus on behavior.

The whole idea of laws around use of cookies is asinine. You have to get very specific in order to target the groups you are trying to stop instead of harming regular people.

A better law would have simply stated:

"No one may track people without their explicit consent unless you are a government entity"

Add in a fine schedule and call it a day. As it stands, browser manufacturers simply need to come up with a new name for local data storage and access in a browser and poof all those. Police laws go out the window and it will take 10 years for the legislators to fix it.

0
0
Silver badge

Re: Stupid stupid laws

They already exist, they're called called DOM Storage, Indexed DB, and Web SQL Database.

Flash cookies only got dragged into the debate because they're commonly called Flash cookies, but the proper name is Local Storage Object. If people didn't commonly call them Flash cookies then the EU wouldn't have even been aware that they existed.

0
0
This topic is closed for new posts.