back to article French privacy cops snarl at websites over crap EU cookie warnings

French privacy watchdog CNIL has snarled at 20 websites for failing to comply with EU cookie laws. Following a series of raids last year, the Commission Nationale de l’Informatique et des Libertés this week put the websites on notice for not giving users enough information about how their activity is being tracked. Under EU …

  1. Anonymous Coward
    Anonymous Coward

    The law is an ass

    "This site uses cookies..." Really? NO SHIT!

    The banner just gets in the way and provides no information whatsoever that is off any use. It's not the cookies from the site that are the issue, it's how the information gets uses and that's more down the the third party data-miners...err..privacy invaders. i.e. advertisers.

    If the EU wants to do something useful, the need to impose laws against cross-site tracking except when allowed via explicit and informed user consent.

    1. Anonymous Coward
      Anonymous Coward

      Re: The law is an ass

      > It's not the cookies from the site that are the issue, it's how the information gets uses and that's more down the the third party data-miners...err..privacy invaders. i.e. advertisers.

      Which, as I read the article, is precisely what the CNIL want websites to be forthcoming about.

      Totally agree with you on third party cookies, btw. Especially since, when I'm giving The Register permission to set some cookies & stuff, I'm not really giving permission to App Nexus, DataPoint Media, Doubleclick, Facebook, Google, and Twitter to do so.

    2. Yag

      Re: The law is an ass

      The banner just gets in the way and provides no information whatsoever that is off any use.

      In the case of El Reg, we can only praise them for the "Find out more." link. The provided list is quite comprehensive...

  2. Anonymous Coward
    Anonymous Coward

    Yep-I-already-know

    I'm fed up with these click-through warnings that are so ubiquitous that they amount to "This website also uses cookies". It doesn't seem to achieve anything for me - and as usual the really bad actors will hack around the letter of the law or simply ignore it. So I'd like my browser to set a "yep-I-already-know" field on all GETs.

  3. Tezfair

    Quite a common thing

    I always understood the ruling as you have to click on a consent rather than just reading it. I see a lot of sites with 'we use cookies' banner but I ignore them on the basis that a cookie should only be installed when I allow, but more often than not the cookie is already installed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Quite a common thing

      A high % of those banners you ignore actually say something like "your continued use of this site is considered acceptance of this [cookie] policy" and then use cookies anyway.

      The banner is utterly pointless, I still see it here on El'Reg, my brain treats it like ads and doesn't bring it to my conscious attention.

  4. Anonymous Coward
    Anonymous Coward

    It's interesting to see that my small web site meets someone's legal interpretation. There was I thinking that my development time had been wasted by over-engineering it to meet the spirit, as well as the letter, of the directive.

    Users are told that their details will only be stored as cookies if they put a tick in a box on a form where such action is effected. At any future point they can untick the box and their cookies will be removed.

    Unfortunately it is unlikely that many of my users live in France.

    1. ElReg!comments!Pierre Silver badge
      Thumb Up

      Good (wo)man, you!

      I think your approach is great, and as your (l)users may not be grateful enough, allow me to do the following in their stead:

      Thank you.

  5. ACZ
    Thumb Up

    Really pleased to see this

    I'm really pleased to see that they are doing this - the EU law is clearly written to require informed consent before dropping cookies on browsers, but clearly websites drop cookies on browsers anyway and the pop-up is just to tell you that they have done that, not to obtain positive consent first (as opposed to e.g. some kind of passive of implied consent).

    As per other earlier comments, the current click-through warnings are utterly pointless and just seem to be done to provide a veneer of "You must have consented because we told you that we had done it."

    If this causes websites to actually do what the law requires them to do and obtain positive consent before dropping cookies on browsers then that's great. If websites want to block access to people who don't consent then that's up to them, but the point is that they have to obtain positive consent first.

    1. Indolent Wretch

      Re: Really pleased to see this

      I visit a lot of websites. I have no interest in having to give my "informed" frikking consent every time I visit a new one. I'm busy.

      Pointless waste of time and a classic example of the French noticing something in the world that isn't wholly about them so shitting on it so people pay them attention.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really pleased to see this

        > I visit a lot of websites. I have no interest in having to give my "informed" frikking consent every time I visit a new one. I'm busy.

        You're busy visiting a lot of websites? And posting comments?

        Research, yes of course.

  6. John70

    I just completely ignore the cookie banner. It's a stupid law.

    As AC above puts it "If the EU wants to do something useful, the need to impose laws against cross-site tracking except when allowed via explicit and informed user consent."

    1. ElReg!comments!Pierre Silver badge
      Pint

      I just completely ignore your <comment>, it'a supid <comment>.

      To top it off, I'm not breaking any law in the process! Ain't life wonderful?

    2. Anonymous Coward
      Anonymous Coward

      > It's a stupid law.

      Have you read it?

  7. smartypants

    UK government department guilty

    "although some of the sites have a banner informing users that cookies will be placed on their computer, none of them waited for consent before doing so."

    That is indeed illegal. So is this website:

    https://ico.org.uk/

    That's the website of the government department in charge of enforcing the cookie law in the UK.

    And they break it themselves.

    You couldn't make it up....

    1. MrXavia

      Re: UK government department guilty

      If I remember correctly from when I read the law a long time ago, 'necessary' functional cookies were permitted, I.E. cookies that make the website work are allowed, but those that are not needed are not (i,e, Tracking cookies)

      Which I read to mean, I can have a single session cookie for my website, which is the only cookie I ever use anyway...

  8. Dan 55 Silver badge

    JobServe is the only site I've seen that does it right, in that it will not set any cookies until you accept the banner. If you want to log in, etc... you have to accept the banner first. Wonder how they did that right because JobServe so many things wrong...

    The Register just does what most do, which is stick up a banner and then set cookies anyway.

    1. Drewc Gold badge

      You kinda need to sign in to a jobs site - so JobServe can behave this way.

      We used to have a much longer message / acceptance - but it was too intrusive for mobile. So along with most UK publishers we eased up on the message side. We are confident that we are complying with the law and equally confident that readers who don't want cookie know how to wipe them after each session.

      1. ElReg!comments!Pierre Silver badge
        Thumb Down

        I'm sorry Drew, that's BS

        "too intrusive for mobile" and "we trust our users yada yadda" is just marketspeak for "we can't be arsed".Let's forget we're on a tech site and pretend you don't know any better; one good way to comply with the law would be:

        -check for the REGACCEPTCOOKIES cookie; if present, proceed without any banner or warning;

        -if absent, present the user with a tick-box (in any form: dedicated page, another bit of JS crap, whatever). If box is ticked, set REGACCEPTCOOKIES cookie (and then some);

        -if box is not ticked, present the user with whatever you feel you can do without setting cookies. Heh, that may even be a blank page with "tick the box, dummy" in the center; not nice, but legal.

        -job done

        Intrusive? Maybe on the first connection. Much less intrusive than the current solution in the long run though.

        I'm sure there are other ways you can think of.

      2. Dan 55 Silver badge

        You can browse JobServe without signing in or accepting cookies. You can apply for jobs without signing in but you do need to accept cookies to though, but not until that point.

        The use case for El Reg is similar, you could not use any cookies until someone actually posts and to do that they would need to accept cookies and sign in, but not until that point.

        But advertising being what it it is...

        Do you have to be compliant with just the UK's law or other EU states' laws too because their residents access your site and what El Reg does isn't in compliance with their law? I'm pretty sure you'd get a fine for your trouble from the French and Spanish data protection authorities.

        Still, there are always Flash cookies and LocalStorage data if you want to get round the letter of the law.

        1. ElReg!comments!Pierre Silver badge
          Stop

          Re: flash cookies and localstorage NOOOOO!

          Please don't give ElReg webdevs any (more) bad ideas.

          Browsing ElReg from low-footprint browsers or screen-readers has gotten hard enough with the new layout.

        2. Anonymous Coward
          Anonymous Coward

          IIRC you can set Flash opitions to prompt you as to whether a site is allowed to store Flash Cookies. Not sure if there is an equivalent for use of local storage.

        3. Anonymous Coward
          Anonymous Coward

          > Still, there are always Flash cookies and LocalStorage data if you want to get round the letter of the law.

          It would really help if you actually knew the law before giving advice.

          Directive 2002/58/EC talks about "information stored in a user's terminal equipment", and the accompanying guidelines make explicit reference to both the two technologies you have mentioned as well as a bunch of others.

      3. Anonymous Coward
        Anonymous Coward

        > We are confident that we are complying with the law

        So how about all those third party cookies, some from companies I didn't even know existed (DataPoint Media, App Nexus) and the rest from companies I do no business with (Facebook, Twitter, Doubleclick, ...), and which I never got a chance to accept or decline?

        The thing is, those advertisers just dump the cookies anyway, *not* helping you in the process as there is no need for cookies, local storage, and stuff to either display advertising or get paid for clicks, and completely disregarding the wishes of your users (which is questionable whether you're obtaining any form of informed consent as required by the law).

        Also, being confident "that readers who don't want cookie know how to wipe them" would hardly pass muster, as the law does not make users responsible for wiping cookies, much less requires them to be knowledgeable in those arts.

        In short, Drew, your comment is utter bullshit.

  9. xyzw

    Amazon utilise des cookies. En savoir plus.

    "Amazon utilise des cookies. En savoir plus" is all you get from amazon.fr

    Amazon does even tell you you could disable them (and how).

    Full law here: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

    They even provide tempate and some kits (http://webtools.ec.europa.eu/cookie-consent/documentation/)

  10. heyrick Silver badge

    CNIL? Yeah, follow your own rules, dumbasses!

    "If you continue to browse this website, you are allowing all third-party services"

    http://www.cnil.fr/english/

    1. ElReg!comments!Pierre Silver badge
      Facepalm

      BULLSHIT! [was:: CNIL? Yeah, follow your own rules, dumbasses!]

      Things are bad enough without you making things up (or is it bad translation?). The French version crudely reads "by browsing this site you allow 3rd-party cookies as needed for video presentations", with a box labelled "OK, accept all" (in green) and another labelled "tune to your needs" (in gray). The "tune" link allows you to opt out of the 3rd-party cookie setting, which are from DaylyMotion and YouTube (explicitly stated, individually tunable).

      On my cursory check 10 s ago no cookie was set at all (I did not check the "OK, accept all" button, obviously).

      I'd say they're pretty much following their own rules, unless I missed something.

      1. ket

        Re: BULLSHIT! [was:: CNIL? Yeah, follow your own rules, dumbasses!]

        I see 3 cookies set on initial page load before I've agreed to anything.

        2 that appear to be session related and 1 named 'tartaucitron'

        Nom, nom, nom.

      2. heyrick Silver badge
        FAIL

        Re: BULLSHIT! [was:: CNIL? Yeah, follow your own rules, dumbasses!]

        @ Pierre - it would be useful if you actually visited the link given.

        1. Can you please define "continue to browse"? The message, which is not a bad translation from French but is given IN ENGLISH exactly as written, implies that by using the CNIL website, you are giving consent to third party services. It is better than some in that you can personalise the cookies, but does it work? I set DailyMotion to Deny then followed a link from CNIL to a DailyMotion video (tutoriel pour les achats en ligne) and ten session cookies were set by DailyMotion, plus an LSO (persistent Flash cookie) from static1.dmcdn.net containing video player settings and a session ID. So much for CNIL's Deny option.

        2. You will notice that the message and personalisation options go away when you navigate around the site. This is because CNIL creates session cookies in the form of _pk_id.#.#### and _pk_ses.#.#### (where # is a number), these seem to grow as you visit the site, switch languages, etc. I have three pairs at the moment. There is also a cookie called "tartaucitron" (ho ho) which records the so-called preferences for DailyMotion and YouTube.

        3. Yes, they are session based, but it seems that there is too much going on to be anything other than CNIL tracking your behaviour on the site.

        4. This only happens if you have JavaScript enabled (ie, not using NoScript etc). That you saw the message means that you had the cookies set. It happens sometime as the page is loading when it calls http://piwik.cnil.fr/piwik.php, and it appears to pass if you have realplayer, wma, director, flash, Java, gears, your display resolution, plus how many milliseconds it took to fetch the page body; and the reply is a 1x1 image, plus cookies. All of this without obtaining your consent.

        Maybe if you took as long looking at the site as writing your reply, you might have noticed this.

  11. Anonymous Coward
    Anonymous Coward

    Very annoying they are too

    When I "visit" Europe via VPN I get those annoying cookie messages.

    Stop it.

    It's inhumane!

    1. ElReg!comments!Pierre Silver badge
      Paris Hilton

      Re: Very annoying they are too

      inhumane indeed. But then again, you "visiting Europa via VPN" to access the WWW would be you trying to escape your local "humane" legislation, yeah?

      1. Anonymous Coward
        Anonymous Coward

        Re: Very annoying they are too

        Not legislation.

        Try international lawyers...

    2. Anonymous Coward
      Anonymous Coward

      Re: Very annoying they are too

      > Stop it.

      > It's inhumane!

      Easy enough: All that needs to happen is sites actually stop using cookies, etc., willy-nilly.

      The biggest website that I've been responsible for, with a few thousand visitors per day, 50% of which were paid subscribers, never used a single cookie or other persistent storage technology, and was highly praised for its usability and responsiveness.

      This was well before the so-called cookie law came into effect. Once it did go into effect I realised there was nothing we needed to do because we did not store any info on the user's computers, so the user experience was not degraded *and* it took us literally zero work to comply.

      If we could do it, why others can't?

      NB: Google Analytics & similar are overrated. We got all the info we needed from our access logs, which was more than sufficient to get a useful demographic profile of our visitors without being intrusive.

  12. This post has been deleted by its author

    1. ElReg!comments!Pierre Silver badge
      FAIL

      @ Holmes

      "People know what it means to open a web browser and visit a page"

      How much are you willing to bet on that? (Protip: you're about to lose)

  13. Anonymous Coward
    Anonymous Coward

    Hosting

    My (small) website has cookies set by the hosting company (for load balancing purposes, apparently).

    It's impossible for me to comply with the letter of the cookie law, other than by moving to a different hosting service.

    The hosting company is based in France.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hosting

      Re load balancing cookies - this is not a problem. From the web site, http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm, mentioned above by xyzw:-

      However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

      used for the sole purpose of carrying out the transmission of a communication, and

      strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

      Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29pdf include:

      user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases

      authentication cookies, to identify the user once he has logged in, for the duration of a session

      user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration

      multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session

      load‑balancing cookies, for the duration of session

      user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)

      third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

      1. ElReg!comments!Pierre Silver badge
        Thumb Up

        Re: Hosting

        Very useful reminder, thank you.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hosting

        That is very clear - and reassuring - information.

        Thank you, ql!

    2. Anonymous Coward
      Anonymous Coward

      Re: Hosting

      > It's impossible for me to comply with the letter of the cookie law, other than by moving to a different hosting service.

      Respectfully, the fact that you say this shows that you haven't even tried.

  14. Fibbles

    The most annoying thing about the banners is that I have to enable cookies to get rid of the damn things.

  15. Anonymous Coward
    Anonymous Coward

    consent?

    The Register uses cookies. Find out more. Close.

    At least in "find out more" there is a list of cookies and what they do.

  16. FlatSpot
    Devil

    I thought there was an exemption

    That if it was a fundamental requirement for the functionality of the site, eg for the purposes of tracking what you put in a "basket" ?

  17. moiety

    But really it's not the cookies from the site you're visiting that are a problem anyway - it's the 3rd party cookies dropped on you by advertisers that are the real threat.

  18. bigbob

    Beef up "Do not track"

    Most websites track every search, article read, linked with other sites you view, every geo-located IP etc.

    Most phone apps track every click.

    Most big shopping arcades track people using their wifi MAC.

    This is all used not only so that they can 'optimise the experience' but to sell to advertisers.

    And all this without our consent. There is virtually no push back to companies that track us.

    How about some options in your browser, rather like iphone "this app wants to use your location"? It would say "this site wants to track you and sell it to advertisers". Of course you can say No, and sites have the same choice as with ad blocker - either let you continue anyhow (and lose a bit of revenue) or refuse to let you use the site.

    Whilst a good chunk of the web & phone apps are funded by tracking & ads (google apps, media), all the rest (government, shops, wikipedia) we should have a choice to not have them track us too, because currently it is so god damned easy for companies to do it.

    1. Dan 55 Silver badge

      Re: Beef up "Do not track"

      I remember in Netscape Communicator you could get it to pop up an accept/deny dialog box for every new cookie set by the server while the page was loading (stopping the load while the dialog was displayed, naturally). It was fairly intolerable then, now it would probably be called a denial of service.

    2. Anonymous Coward
      Anonymous Coward

      Re: Beef up "Do not track"

      > How about some options in your browser, rather like iphone "this app wants to use your location"? It would say "this site wants to track you and sell it to advertisers".

      There was some effort years ago, but it died a death long ago (perhaps because some of the usual sponsors of this sort of work felt threatened by it?)

      This was it:

      http://www.w3.org/TR/P3P/j

  19. Daggerchild Silver badge
    Happy

    Be careful what you ask for...

    Does anyone by any chance have the source IP ranges of the CNIL?

    They seem to be pining for websites with more popups and deliberately intrusive and obstructive messages. I'm sure many, many website operators could find it in their hearts to make an exception and give these chaps exactly what they're asking for :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019