Denmark
They've banned Marmite in their cookies as well.
A pattern is emerging that shows European Member States greeting Brussels with a collective thumbs-down on its cookies law. So far, the Commission has had just two submissions from countries that have agreed to fully adhere to the amendments to the e-Privacy Directive. "Denmark and Estonia have notified measures to implement …
http://ec.europa.eu
Sets 2 cookies. No privacy policy, no statement on cookies, no attempt to ask permission to set cookies. These cowboys should be prosecuted to the fullest extent of the law (Note - if they change all this overnight and comply with the deadline, I'll let them off)
It would be interesting to compile a list of all the EU websites that miss the deadline
Frown icon coz' it looks like a sad cookie
We need to be told what practices are illegal, not what might be vaguely permissable on a good day. No-one should have to consider all possible legal definitions of "strictly necessary" before implementing the session ID system that comes built-in to the server's scripting engine.
the idiots with no technical comprehension are the pony-tailed twats who can't build a web site without it burying the user's browser with a shit-load of cookies. this is bad design and lazy programming.
there is no need whatsoever for any web site to need cookies to work. rather than whine about the idiots in brussels, direct your complaints to the massively over-paid wastes of space who are responsible for generating all these pointless cookies in the first place. if they had any clue there wouldn't be any cookies to get our brussels overlords excited. so just fix your web site and you'll have nothing to worry about from this latest silly law.
Flat file html website can indeed be browsed with no requirement for cookies provided you do not wish to track usage patterns.
Complex CGI web applications that require authentication do however benefit from cookies so that a user moving from page to page within the site can be identified without the need to provide authentication on a page by page basses. Likewise session variables can only really be made use of if you use a cookie.
Unless you are aware of some other way of identifying a user between page hits? If you are then please share it with us.
However I suspect you are just unaware of your own ignorance which explains your eagerness to criticise people who do things that are beyond your level of understanding.
PS if you use cookie-less sessions a session ID is appended to your links. You then run the risk that a user will publishing a URL from a link on your site which includes their session ID and so opens their session to anyone who follows the link to the URL.
The web is stateless, websites cannot maintain the session from one page to another without some way of tracking the user, you're effectively creating an entirely new instance of the application on every single page - yes you CAN pass the session ID around in the URI but that has a whole host of security implications in and of itself (particularly with regards to session hijacking).
The BEST way to say ooooh, maintain the state of a user's shopping cart is to use a cookie to track their session - there is still the potential for session hijacking but it's not something that happens inadvertently when someone copies and pastes an address.
If you're building any kind of halfway secure web application you basically HAVE to use (SSL) cookies, well unless you want the user to log in on every single page of course.
So Mr. Morrow - as a (heavily pierced) "pony-tailed twat" myself - I ask you to go back to your world of shoddy single-user, toy, VB6 applications, you obviously have no understanding of how the www works.
Aside:
Really, unless you're a crapvertiser, you should need no more than 3 cookies.
1: a non-secure session cookie that holds no sensitive information (basket contents for instance).
2: a secure user authentication session cookie.
3: entirely optional but I tend to use it, a cookie placed from JavaScript which provides information for the server-side code about the JS functionality the user has allowed in their browser. It's more reliable than browser sniffing in HTTP headers and allows you to determine whether your script is sending the user "rich, dynamic" views (e.g. when the user adds a product to the basket it automatically appears in a basket summary box without having to reload the page) or static ones (effectively flat HTML).
Saves a tonne of <noscript> tags and means the markup pushed to the browser is better optimised for that browser (which cuts down your bandwidth consumption).
The official message now is that the rules "need further clarification" before they can be put into effect.
http://www.version2.dk/artikel/19228-nye-cookie-regler-bliver-udskudt-i-maanedsvis if you can read danish. (Actually, Google does a fair translation).
Amazing, really - we usually put whatever Brussels fancies into the law books right away.
"In order to deliver a lovely web site, we will send cookies. Is that ok?"
<Click>
Then proceed as before - only slightly more intrusively, as consent was given.
Asking for permission simply delegates responsibility to the user, who has no idea what the implications are, and who just clicks on "ok" to make the nasty box go away so they can look at pictures of kittens.
Just like UAC really.
Which if I accept it, will disable the ghastly hordes of mobile phone images that have appeared in the page background since I was last here ? ( ironically enough the only place they are not , is on the page that they link to ), but apparently el regs pony tailed designer forgot that if one has been to the "our new mobiles service page" one no longer needs to be haunted by massed blackberrys and shiny phones..
And another cookie please ,that will also allow us the option of setting the new , hyper-saturated red to go back to something less retina obliterating ..?
In otherwords give us the option ..via cookies ..to put el reg back like it was ..before you lose at least one reader ..and probably anyone else who doesn't want zombie phones and dayglo red webpages on a tech site.
You have those cookies ? ..great I'll take two..
Given the current lack of enforcement for the DPA (yeah, I know there are now fines but I'll believe it when I see it), I can't see this affecting anyone but a few unlucky 'examples'.
I gave up on bothering to comply with with most govt regulation apart from tax (which they do enforce with teeth) and health & safety (ditto) decades ago..... it's saved me a fortune.
I'm more worried about US compliance than EU. FTC do have some real teeth.
Will wait and see - browsers will probably deal with this in a couple of versions.