You can break EU cookie rules ... if your site breaks without cookies

Website operators can only take advantage of an exemption from new cookie laws if site users specifically request a service or function and that service would not work without the serving of the cookie, EU data protection regulators have warned. After changes to the EU Privacy and Electronic Communications (e-Privacy) …

COMMENTS

This topic is closed for new posts.
  1. Dan 55 Silver badge
    Facepalm

    Ye gods, they've managed to make it worse

    The web's going to turn into a mass of Yes/No alert boxes for everything from like buttons, to submitting forms, to mouseover events.

    1. edge_e

      Re: Ye gods, they've managed to make it worse

      They certainly have!

      It's not going to stop tracking because those that knew little about cookies just auto click the accept buttons when they appear. What's changed is that those of us who clear our cookies get hassled every day.

      Laws should be made by people that have a clue

      1. Tom 7

        Re: Ye gods, they've managed to make it worse

        Laws are made by people who have a clue - they're just not the people who vote for the idiots that agree to them. Do you imagine we live in a democracy or some other eden?

      2. Anonymous Coward

        Re: Ye gods, they've managed to make it worse

        "What's changed is that those of us who clear our cookies get hassled every day."

        worse than that ... there are some people offering "cookie compliance" services ... problem is that they set a cookie to say you've opted out but that is from a "third party" site so those of us who by default refuse to accept third party cookies get hassled on *every* page

  2. This post has been deleted by its author

    1. Synonymous Howard

      Re: I'd like to see JavaScript liability

      Plus add in Java and Flash to that liability as well please.

  3. Anonymous Coward

    "Our site doesn't allow you to opt out of cookies because the only way to do this would be to set a cookie on your machine to say you have opted out of cookies. Thus as our 'compliance to cookies directive' would not work without cookies we therefore claim an exemption from the requirement to allow users to opt out of cookies"

    There you are .... job done!

    1. Anonymous Coward

      That's nonsense though

      You can make your site in such a way that it only sets cookies when it needs to, and asks if there isn't one present.

      There's no real need for the front page of most sites to set a cookie at all. They can remember user prefs if there's already a cookie, they set one without asking if a cookie-reliant feature is used.

      The only class you can't set without permission are cookies that track behaviour either within or without the site. Your page can operate perfectly fine without these. It may make your life harder in terms of analytics etc, but that's exactly the point of the legislation - you shouldn't just go opting everyone's behaviour into your analytics engine without permission.

  4. CraigW

    idiots

    Who are these idiots? And who said they could make this crap up and people would have to listen to it?

    1. pipster

      Re: idiots

      I agree, this is brain-meltingly agonising stuff which people without a clue about how websites work in the real world are coming up with.

      And all while the rest of the non-EU world chuckles away at our frustration.

      1. David Hicks
        Thumb Down

        Re: idiots

        I know that most websites I stumble across work fine without cookies, as I reject them all by default.

        Perhaps it's you that has a problem with understanding how websites work?

        1. pipster
          Stop

          Re: idiots

          Seeing as I've been building them for 15 years I have a pretty good idea, and know that most users do not want a barrage of messages asking them to accept a cookie which is simply trying to store something like a shopping basket ID.

          1. stucs201
            FAIL

            Re: idiots

            "Seeing as I've been building them for 15 years I have a pretty good idea, and know that most users do not want a barrage of messages asking them to accept a cookie which is simply trying to store something like a shopping basket ID."

            And since a shopping site breaks without that cookie you don't need to present that barrage of messages.

        2. Danny 14

          Re: idiots

          My websites need cookies, I use FormsAuthenticationTicket inside cookies. You wouldn't be able to use my websites without them as they are used for authentication. Since that clearly breaks functionality then I guess I'm exempt.

          1. melt
            Stop

            Re: idiots

            No, *you* are not exempt, it is only *that* *cookie* which is exempt.

            Just because your site needs a preferences cookie or an authentication cookie for it to fundamentally work does not mean that you get a blanket exemption to set Google Analytics or ShareThis cookies, for example.

  5. Richard Cartledge
    Facepalm

    You people are crazy, this was lobbied for by big business who were sick of their cookies being blocked or deleted. Now people who clear or block cookies will suffer relentless nagging popups.

    1. edge_e

      "this was lobbied for by big business"

      Do you have evidence or are you even more cynical than me?

    2. heyrick Silver badge

      "will suffer relentless nagging popups"

      Really? Whenever I see one, I use AdBlocker's element selector to add it to the filter rules. Bam, gone.

      Now if only I could do something about sodding El Reg's banner pop-up on my phone. Didn't anybody think to try the main site on Android's browser? It works well, except for that persistent cookie popup...

  6. Anthony Cartmell

    Triple-negative?

    Can someone explain the quote "just because you consent to a website remembering your details once it does not mean that in the future you may not wish to visit that site again anonymously."?

    Too many "not"s in there for me :(

    Unravelling the double-negatives, I think I get:

    "just because you consent to a website remembering your details once it does not mean that in the future you may wish to visit that site again and be remembered." - which is patently nonsense!

    1. Old Tom

      Re: Triple-negative?

      No, it means "just because you consent to a website remembering your details once, it does not mean that in the future you may not wish to visit that site again anonymously"

      Or... Even though on one visit you consent to a website remembering your details, at a later date you may want to visit the site anonymously.

      e.g. Maybe I'm happy for a retailer to recognise who I am when I visit their site. But maybe one time I go there for a peek at dildos, or iProducts - on this occasion I might want to be anonymous for that visit.

      1. Danny 14

        Re: Triple-negative?

        tools -> In private browsing?

        1. stubert
          Meh

          Re: Triple-negative?

          Exactly, if that is what this is all about it is fundamentally ridiculous as you can use your private browsing to anonymise that visit, cookies may still be stored for that browser session only and will not be connected to your non-anonymous visit.

          I understood this legislation as being useful to prevent inter-website tracking of users without consent namely with third party cookies, social linking services and advertisers can aggregate information about users across websites, where they've been, what they've been doing, and use that information to target advertising. And the legislation covers any client-side storage method that can be utilised to do so; if this is not the case it is flawed, by that I mean other methods can be used.

          Session tracking can be done through the URL but is much much less secure and user preferences can be stored server side. If you don't want your current usage to be linked to an account you have like Danny says just use private browsing you will have a new identity for the website until you go back to your normal settings.

          Even with this legislation in place, the technology itself is not the problem, the problem is aggregating data, even if anonymised, the trail itself leaves clues as to someone's true identity and this tracking can be done at protocol level at various places throughout the internet stack.

          Adding a few popup windows to confirm acceptance of a cookie is a nice little placebo and really the legislation is too roundabout to be effective in solving anything.

          1. heyrick Silver badge

            Re: Triple-negative?

            "I understood this legislation as being useful to prevent inter-website tracking of users without consent namely with third party cookies,"

            Not really. Read El Reg's cookies doc [ http://www.theregister.co.uk/Profile/cookies/ ]. Now these popups on El Reg are El Reg asking for permission to set cookies, yes? It seems to be assumed that if you give theregister permission to store cookies, you're also happy to give permission to other sites and advertisement servers (doubleclick.net for example).

            What is happening now is just the icing on a wonderfully bodged cake. And is it any wonder big sites didn't implement any sort of cookie policy until the last moment? I bet the geeks at El Reg, BBC, et al looked at the directive and thought, collectively, "you're shitting me, right?".

  7. Soruk
    Mushroom

    it is possible.

    Years ago I had a website ordering form that tracked the order process using a rather hideous method. A hash key that was transmitted from one page to the next through a series of CGI forms in a hidden field, that connected to a temporary file on the server containing the information the server needed to know. Every request was a PUT request to the next CGI in the chain. A cron job deleted those temporary files that had not been touched after a certain period of time.

    But yes, that was horrible.

    In a related note, where does this latest bit of Eurocrap leave users of Google Analytics?

    1. Anonymous Coward

      Re: it is possible.

      Paying for something that they're not allowed to use, that's how it leaves them.

      Although, I guess all they'd have to do is use the google cookies in a load-balancing regime, at which point they'd be 'necessary' for the operation of the site.

      What happens when Google converts their cookies from 3rd party to 1st party? They have the DNS infrastructure to do it, but I'd certainly hate to manage that system.

    2. Anonymous Coward

      Re: it is possible.

      It leaves them having to give people the option to say no to it. Which is how as a user I like it. If it's for your benefit not mine then you're not storing it on my computer.

  8. Neil Barnes Silver badge

    It's interesting that on 'compliant' sites

    I've only seen one that has so far offered me a choice of which cookies to accept - all the others have said 'we need them, so you're going to get them' or words to that effect.

    The one that behaved was BT - which offered a popup with a slider offering either 'necessary', 'nice to have' or 'tracking' options.

  9. Anonymous Coward

    "Website operators can only take advantage of an exemption from new cookie laws if site users specifically request a service or function and that service would not work without the serving of the cookie, EU data protection regulators have warned."

    So the whole process was a waste of taxpayers' money!

    Site owners just now claim that they must serve the cookie, and done.

  10. Irongut

    Even more confused

    This crap just gets more confusing every time I read a new article about it.

    I give up. I'm not implementing any of this crap.

    1. stucs201
      WTF?

      Re: Even more confused

      It's not confusing at all:

      If it's necessary to make what the user came to your site for (e.g. a shopping basket) then you don't need to ask.

      If it's for your benefit not the user's (analysis, adverts, etc) then you need permission.

  11. madick

    Best Cookie Warning?

    One of the better responses to Regulation 6 of the PECR (the Cookie Law) can be found on The Daily Mash website:

    " We've updated our privacy policy, not that you care. You can read it or click to get rid of this annoying box and carry on as before. [Whatever] "

  12. Anonymous Coward

    Any day now there will be new guidance from the ICO ...

    ... because this EU update contradicts the most recent ICO advice.

    A plea to the legislators - please focus this law on the things that actually cause real concern to a significant number of users, and then give clear advice on what to do.

    At the moment, it looks very much as though you could not facilitate festivities in a facility for fermenting foaming beverages.

  13. Old Handle
    FAIL

    They could have made this so much simpler and clearer if lawmakers weren't completely technically clueless. Why couldn't they just say session cookies OK but if they want long-term cookies they have to ask?

    1. stucs201

      Because that doesn't separate permission to "remember I'm logged in so I don't have to type my password again tomorrow" from "stalk me from site to site and deliver creepy adverts based on my browsing history".

  14. chris lively
    FAIL

    Stupid stupid laws

    The government needs to stop legislating technology and instead focus on behavior.

    The whole idea of laws around use of cookies is asinine. You have to get very specific in order to target the groups you are trying to stop instead of harming regular people.

    A better law would have simply stated:

    "No one may track people without their explicit consent unless you are a government entity"

    Add in a fine schedule and call it a day. As it stands, browser manufacturers simply need to come up with a new name for local data storage and access in a browser and poof, all those police laws go out the window and it will take 10 years for the legislators to fix it.

    1. Dan 55 Silver badge

      Re: Stupid stupid laws

      They already exist, they're called DOM Storage, Indexed DB, and Web SQL Database.

      Flash cookies only got dragged into the debate because they're commonly called Flash cookies, but the proper name is Local Storage Object. If people didn't commonly call them Flash cookies then the EU wouldn't have even been aware that they existed.
