So stupid. I love how the EU have just decided that the only use cookies have is for ad profiling. Never mind the hundred of important/critical functions they fulfil. Massive massive fail.

So stupid. I love how the EU have just decided that the only use cookies have is for ad profiling. Never mind the hundred of important/critical functions they fulfil. Massive massive fail.

This is causing us some grief here too since we learnt of the new law. We’re a e-Commerce provider and this will not only cause us grief developing the changes, but will also cause of grief in having to explain to our customers why their webstores now have an annoying privacy feature.
The end result for us is that people will spend less on our customers webstores and we’ll have less successful and eventually less customers.
How can something like this get passed? Who is actually standing up asking for this sort of thing? And why hasn’t somebody with half a ounce of intelligence pointed out to them how stupid this new law is?

Ummm… isn’t that why they invented browser privacy settings?

I wonder if the wording of the law is restricted just to Cookies? Maybe we can get around this restriction by using HTML5 local storage on newer browsers. Would obviously involve recoding still to implement and would need to have a fallback for unsupported browsers but this could be a way of getting around it I guess. Going to try and find the directive now to see if this is possible…

I wonder if the wording of the law is restricted just to Cookies? Maybe we can get around this restriction by using HTML5 local storage on newer browsers. Would obviously involve recoding still to implement and would need to have a fallback for unsupported browsers but this could be a way of getting around it I guess. Going to try and find the directive now to see if this is possible…

Wow, just stupid. Really.
I wonder who was the genius that came up with the law – probably still using IE6..

Wow, just stupid. Really.
I wonder who was the genius that came up with the law – probably still using IE6..

Wow, just stupid. Really.
I wonder who was the genius that came up with the law – probably still using IE6..

Mike, I don’t really see that the law will ever have any consequences at all. They explicitly state that exempt will be given for keeping track of contents in shopping carts, and the legislation would never be able to select out a single category like that. In the end that exempt will cover 99.9% of all websites. Even if not, why would pop-up windows be needed? Most website already asks the user if they want the website to remember their login right in the registration form.

A worst-case scenario would be that the law will require websites to put the word “cookie” in the phrasing of that question. It either would not be enforced, OR it would be enforced and be applied everywhere, which would quickly dilute any concerns consumers have with the word cookie. Since they see it everywhere including on sites they already trust. In Sweden websites have since many years been forced by legislation to state if they use cookies or not, and it has never been the cause of any problem.

This is not by far Armageddon for European startups, even if it is applied to the literal of the vague information given so far.

Yeah this is terrible news. I would definitely move our business abroad if this did happen. @mikebutcher, anyway you can get @natwei or anyone else involved in the East London Tech City initiative to oppose the new law?

Rush it! Send all your websites to Switzerland and Norway!

Iceland?

I suggest point-blank refusing to adopt this change. It’s ridiculous that this ‘law’ could be enforced. I assume it will be based on a complaints system. Surely the user could then be told to change their privacy settings and be done with it.

A complete waste of time in my opinion. Some half-wits sat in an office and SERIOUSLY came up with this as the solution to what is probably a very minor problem?

I suspect that the biggest consequence of this law will be the fact that it once again provides another black mark against Europe in terms of its start-up reputation. The ability to introduce Europe wide laws that make absolutely no sense such as this will once again prove that Europe is just too hard a place for most developers to do business.

dupe-sorry .. disqus confused me

I guess EU web companies will have to become creative and find other means to keep users logged in. If the law’s really specific for cookies then it’s not a real problem. As complaining is very unlikely to get the industry anywhere (it’s the EU, remember…), it seems to me that taking it as an innovation challenge is the way to go.

I think you are right Martin, I have just been looking at the directive and this para stands out for me (I think this is what you are referring to):
——————-
50. The EDPS considers appropriate to exempt from the need to inform and give the possibility to refuse in situations as those illustrated above when technical storage or access to a user’s terminal equipment is necessary for the sole purpose of carrying out the transmission of a communication over an electronic communication network. The same applies when the technical storage or access is strictly necessary in order to provide an information society service. However, the EDPS does not see the need to exclude from the obligation to provide information and offer the right to refuse in those situations where the technical storage or access has the purpose of merely facilitating the transmission of a communication. For example, pursuant to the last sentence of this Article a data subject may not benefit from information and the right to oppose the processing of his/her data if a cookie collects his language preferences or his location (e.g. Belgium, China) as this kind of cookies could be presented as having as objective the facilitation of the transmission of a communication. The EDPS is aware that at the level of software, the possibility is given in practice to data subjects to refuse or modulate the storage of cookies. However this is not backed-up clearly enough by any legal provision that would formally entitle the data subject to defend his rights in the context described above.
——————-

Looks to me like we don’t have too much to worry about for normal usage, just for things where there is a real privacy issue (which is right).

There is a lot of knee jerk reaction to this, but having had a quick scan through it doesn’t look so scary. But of course I’m not a lawyer and haven’t read it in depth (http://europa.eu/rapid/pressReleasesAction.do?reference=EDPS/09/13&format=HTML&aged=1&language=EN&guiLanguage=en)

I think you are right Martin, I have just been looking at the directive and this para stands out for me (I think this is what you are referring to):
——————-
50. The EDPS considers appropriate to exempt from the need to inform and give the possibility to refuse in situations as those illustrated above when technical storage or access to a user’s terminal equipment is necessary for the sole purpose of carrying out the transmission of a communication over an electronic communication network. The same applies when the technical storage or access is strictly necessary in order to provide an information society service. However, the EDPS does not see the need to exclude from the obligation to provide information and offer the right to refuse in those situations where the technical storage or access has the purpose of merely facilitating the transmission of a communication. For example, pursuant to the last sentence of this Article a data subject may not benefit from information and the right to oppose the processing of his/her data if a cookie collects his language preferences or his location (e.g. Belgium, China) as this kind of cookies could be presented as having as objective the facilitation of the transmission of a communication. The EDPS is aware that at the level of software, the possibility is given in practice to data subjects to refuse or modulate the storage of cookies. However this is not backed-up clearly enough by any legal provision that would formally entitle the data subject to defend his rights in the context described above.
——————-

Looks to me like we don’t have too much to worry about for normal usage, just for things where there is a real privacy issue (which is right).

There is a lot of knee jerk reaction to this, but having had a quick scan through it doesn’t look so scary. But of course I’m not a lawyer and haven’t read it in depth (http://europa.eu/rapid/pressReleasesAction.do?reference=EDPS/09/13&format=HTML&aged=1&language=EN&guiLanguage=en)

According to the Commission “settings of a browser or another application” are sufficient. Read the article by the WSJ. http://online.wsj.com/article/SB10001424052748703396604576087992755049156.html

Probably an issue for data aggregators that use third party cookies to target ads.

Does that even work anyways? I mean is there any proof that targted ads work better? I’d like to see it…

Other than that… Maybe a “Remember Me” button or checkbox somewhere is not such a bad thing. Might give some power back to individual businesses who are selling out to third party tools.

Could be a slight throw back too.

Probably an issue for data aggregators that use third party cookies to target ads.

Does that even work anyways? I mean is there any proof that targted ads work better? I’d like to see it…

Other than that… Maybe a “Remember Me” button or checkbox somewhere is not such a bad thing. Might give some power back to individual businesses who are selling out to third party tools.

Could be a slight throw back too.

Probably an issue for data aggregators that use third party cookies to target ads.

Does that even work anyways? I mean is there any proof that targted ads work better? I’d like to see it…

Other than that… Maybe a “Remember Me” button or checkbox somewhere is not such a bad thing. Might give some power back to individual businesses who are selling out to third party tools.

Could be a slight throw back too.

I think the EU have a law whereby they need to pass a new dumb law each week.

I think the EU have a law whereby they need to pass a new dumb law each week.

When reading the European Parliament Directive (http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf) it says this at point 66:

“Where it is technically possible and effective, in accordance with the relevant
provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by
using the appropriate settings of a browser or other application.”

So it might not be so bad after all?

No one will follow this law. It may exist, but no one will care. As you said, it’s damn impossible to police it. They have a long track record in making rules that should protect people from some new technology EU lawmakers don’t understand well.

No one will follow this law. It may exist, but no one will care. As you said, it’s damn impossible to police it. They have a long track record in making rules that should protect people from some new technology EU lawmakers don’t understand well.

How could it not be enforced? I mean Lybia and Egypt are quite capable of shutting down the entire internet. And the USA is quite capable of taking out Torrent websites.

Completely enforceable.

Who loses out really? I hardly think it is small to even medium sized business, and individuals.

It’s a jab directly at the top major corporate internet brands that track with third party cookies.

What else could it be?

How could it not be enforced? I mean Lybia and Egypt are quite capable of shutting down the entire internet. And the USA is quite capable of taking out Torrent websites.

Completely enforceable.

Who loses out really? I hardly think it is small to even medium sized business, and individuals.

It’s a jab directly at the top major corporate internet brands that track with third party cookies.

What else could it be?

How could it not be enforced? I mean Lybia and Egypt are quite capable of shutting down the entire internet. And the USA is quite capable of taking out Torrent websites.

Completely enforceable.

Who loses out really? I hardly think it is small to even medium sized business, and individuals.

It’s a jab directly at the top major corporate internet brands that track with third party cookies.

What else could it be?

Most of the wording in the directive seems to talk about Cookies (or SpyWare) so I guess lack of technical knowledge could have created a loophole here, I’ve just had a quick scan and legal speak makes my head hurt but maybe someone with a bit more knowledge could confirm if this is true? Having said that I think this whole thing could be a non issue anyway, see comment above.

For our business we ask for users consent when they sign up, so I am unsure if this will affect us too much.

But I think the bigger issue here is the stifling of entrepreneurship by bereaucratic dinosaurs. It appears that they don’t understand tech and so should not be legislating it. Initiatives like East London Tech City are promising but with law makers like this, the astute entrepreneurs will leave to geographies where business is easiest to do.

Cape Town anyone

Thanks for bringing this to the fore Mike, just because it is not ‘enforceable’ – we should make people aware that it is still damaging to our economy and that the GOV should be helping not hindering innovation.

As you state these abilities are already in place – if the EU wants better protection put it at the point of use – i.e. the browser – but the fact is even in this space I believe IE used to have lots of warnings about cookies but they have all gone? why – competitiveness – the browser wars are forcing through changes that users WANT way quicker than any government could enforce. If the users want it then they get it.

A privacy focused browser actually got pitched at a Techcrunch event I was at – and everyone dismissed it – because although there are some very loud advocates – they are generally hypocrites who probably still use IE.

What purpose does a third party cookie or even a same domain cookie serve that is crucial to the function of any website that is not collecting statistics and can’t be done through a login or a “remember me” button?

I am asking because nothing comes to mind.

This EU law is a directive. This is different to a regulation where it is not a europe wide law. It is an instruction to member states to implement some kind of legislation to this effect.

It does not mean a ton of web sites are going to get fined on May 25th. There is a long history of countries dragging their feet or just plain refusing to implement directives.

There is also a wide variety of flexibility in how they implement this law. See the Tobacco advertising ban. http://en.wikipedia.org/wiki/Tobacco_advertising#Europe

Surely it’s more of an issue of the bureaucracy necessary to administer the complaints, not the issue of warning or penalizing websites. It seems kind of like prosecuting bittorrent pirates: sure, you can see that someone’s violating the law, but the overhead involved in submitting the complaint, checking the jurisdiction, verifying that the site is not in compliance, etc, will be vastly out of proportion to the impact the decision will have. (Exceptions made for large brands / sites where the impact could in fact be noticeable, as you say)

But the really great thing is that there is NOTHING you can do about it. The people who made this directive aren’t elected, nor under the control of a democratic government. Welcome to the feeling of impotence that most people in the world feel when living in a dictatorship.

But the really great thing is that there is NOTHING you can do about it. The people who made this directive aren’t elected, nor under the control of a democratic government. Welcome to the feeling of impotence that most people in the world feel when living in a dictatorship.

I understand that not every everyone breaking the law gets punished. In the states they seem to set examples, and rather harsh ones, if it is true that poor mother downloading Mp3s who was sued for millions. Or Internic, ??? taking out select torrent websites.

But it is enforceable. The obvious one being third party cookies. That is why I am wondering what the real purpose is. I mean Google is said to have petitioned Google Street view in Germany and have not gotten an overwhelming response, but a noticeable one.

Maybe it is just a campaigner running for office looking to get noticed? Who knows?

How exactly does a “remember me” button work in your model without storing any sort of user data?

How exactly does a “remember me” button work in your model without storing any sort of user data?

i think is a good decision, all for transparency, i prefer knowing what websites do with my data, rather living with the ilusion that everyone respects my privacy.

I live in Europe and i think is a good decision, all for transparency, i prefer knowing what websites do with my data, rather living with the ilusion that everyone respects my privacy.

I live in Europe and i think is a good decision, all for transparency, i prefer knowing what websites do with my data, rather living with the ilusion that everyone respects my privacy.

I live in Europe and i think is a good decision, all for transparency, i prefer knowing what websites do with my data, rather living with the ilusion that everyone respects my privacy.

It might be a definite issue for TechCrunch. After emptying my cookies, going to the front page, and then this one I collected cookies from 25 different domains.

2 of them were techcrunch.com an eu.techcrunch.com

The rest… probably all advertisers.

You obviously don’t know how the “remember me” functionality works. It stores a cookie.

I know that this is an issue, but “kill our startups stone dead”? Please.
Asking users to accept site terms, a privacy policy and a cookies policy is standard practice anyway when they sign up – if a site isn’t transparent about its cookie policy then it makes me wonder why.

I used http://selectout.org/ to see what was tracking me. *41* separate companies are tracking me without my knowledge – not that I particularly mind it, but I would have preferred to have known that or chosen which companies I’d like to share my info with.

Obviously, this is more of an issue from the fact the EU, who really shouldn’t be messing with the internet, trying to legislate on a worldwide distributed network which they aren’t equipped to understand the nuances of. That for me is a lot more worrying that having to add one line of code to my next application “validates_acceptance_of :terms”.

I know that this is an issue, but “kill our startups stone dead”? Please.
Asking users to accept site terms, a privacy policy and a cookies policy is standard practice anyway when they sign up – if a site isn’t transparent about its cookie policy then it makes me wonder why.

I used http://selectout.org/ to see what was tracking me. *41* separate companies are tracking me without my knowledge – not that I particularly mind it, but I would have preferred to have known that or chosen which companies I’d like to share my info with.

Obviously, this is more of an issue from the fact the EU, who really shouldn’t be messing with the internet, trying to legislate on a worldwide distributed network which they aren’t equipped to understand the nuances of. That for me is a lot more worrying that having to add one line of code to my next application “validates_acceptance_of :terms”.

It’s like the Millennium Bug never happened!
Yet another scare story to feed the IT consultancy market!

The way it will work is that your competitor’s lawyer will write you a letter asking you to implement or pay a fine.
That is how most of these things are enforced and the fines can be hefty, especially for a startup.

Yeah it will certainly affect advertisers, but I don’t care too much about that But for shopping carts, language settings etc. I don’t think it will affect anything.

The directive (the EU can’t pass laws) specifically says that cookies used just for essential tasks like user login are excluded. The biggest danger is actually that each EU country will implement the directive in different ways leading to a confusing situation across the region. See our analysis here – http://gloo.ws/eu

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead [...]

I assume you have a check mark setting in your store asking customers to actively confirm your Terms of Use?
If you do then all you may have to do is change the wording to: “Confirm Terms of Use and Data Protection Policy”.
In the data protection policy you can mention the cookie business. No one will read it, but consumers have the choice to read it if they want to.
I am not a lawyer, but that is how we have solved the problem.

I assume you have a check mark setting in your store asking customers to actively confirm your Terms of Use?
If you do then all you may have to do is change the wording to: “Confirm Terms of Use and Data Protection Policy”.
In the data protection policy you can mention the cookie business. No one will read it, but consumers have the choice to read it if they want to.
I am not a lawyer, but that is how we have solved the problem.

The article is all about forcing website operators to explicitly ask for consent to store their user data.

So, a “Remeber Me” is a way to legally do it. It is a creative solution unless I am missing a piece of legal terminology somewhere not mentioned in the article.

I would say that the “remember me” button is giving your consent to having a cookie stored, I think that’s what MrGamma means

I think that’s fair enough… I don’t want fucking “companies” collecting my data. I don’t want my data tracked across different sites – that seems to be what this directive is about.

There seems to be a bit of confusion about the practicalities of what this is tracking (eg: shopping-carts vs permanent logins)… but the spirit of it is (as far as I can tell) the collection of data that should be personal.

By the way, any of you people who have commented, who don’t know the difference between a directive and a law… please go away. Anyone who’s not from the EU, but who is still anti-EU… please, just fuck off. Anyone who depends on the Daily Mail or the Telegraph for their info… christ? aren’t you tired of being lied to?

If you don’t like it, write to your MEP – you’ll get more sense out of them than your “MP” (or local equiv). I know. I’ve tried.

We’ll be launching our start-up after that date and will for sure be refusing to adopt this change. We’ll see how that pans out, but this the stupidest law I’ve ever heard of – these people are ignorant. How is this going to help anyone? I’m sure the people who have lived with cookies for all this time are going to be equally irritated with all the ‘Do you agree’ pop-ups.

If you log into a site, how does the site keep track of your session, given that the HTTP protocol is stateless? With a cookie. Maybe the EU wants to modify the HTTP protocol to safeguard privacy? We have no privacy in the EC – this is just a PR stunt.

Again, the EU has proven their incompetence. How many european sites are running on Microsoft’s Internet Informations Services – which by default creates a session cookie? Probably a lot.

It shows a complete lack of understanding on the subject from ‘those in the know’ at the EU. And small businesses have got a tough enough challenge at the moment without this to worry about. Horrific law, horrifically timed.

I wrote a blog post on the subject yesterday on how the internet and online industries could look like in 10 years time, perhaps slightly tongue in cheek (a lot tongue in cheek):

http://civilisetheseanimals.blogspot.com/2011/03/back-from-future-whatever-happened-to.html

I believe the issue is that while currently the button can read “Remember Me”, after 25th of may this is insufficient and would have to say “Click here to have your log in information stored for future access to this site. This information is stored locally to your computer and not use by us for marketing purposes….. blah blah blah”. Businesses are concerned that the more wordy, detailed information is going to put off potential customers from using their site as they have been made paranoid about privacy settings.

Ah good old order 66

Nope. Even if you uncheck “remember me” you normally can log in. It may happen that you loose your session when you close the browser, or that after a logout the login form does not longer pre-fill your username, depending on the meaning. But you get a session anyway.

Login needs a way to track several requests back to a given user because the HTTP protocol is stateless. Either a session ID, or session data like your userID with some checksum to prevent tampering (that has been the Ruby on Rails default for a long time).

The traditional techniques to do so are cookies, URL rewriting, hidden fields. From them, the one that works better by far and the de facto standard nowadays are cookies. URL rewriting may put your session in the wild, good luck with that. Hidden fields have no use in GET requests. So, we all use a cookie.

I’d love to know where you got your interpretation of the directive, because it is, to put it bluntly, wrong. The directive does not demand you prompt a user every time you store a user’s data, or associate a user with a cookie. That issue has been covered many times over the years since the directive was first proposed, which is why cookies that are essential for a service the user has explicitly asked for do not need any warning: i.e. when a user logs in to, or signs in to your service.

The warning is required where companies such as doubleclick use cookies to track your behaviour on the web without your consent, and for services you have not asked for. Whether the law is well written may be up for debate, but the intent of the law is perfectly reasonable.

My interpretation of that would be to still have “remember me” but link it to a page which explains the policy in more detail, much like the current “Terms & Conditions” links we all use (and no-one reads). I really think this whole thing is getting blown out of proportion, when I first read about it I thought it was ridiculous but a little bit of research has shown that it really isn’t that bad (unless you are an advertiser who is tracking users). It’s making for great hype though and probably lots of page views for the blogs who are touting the scare stories

Wow, goodbye innovation.

what a brilliant idea – let’s let lawyers design network protocols.

It only really affects behavioral advertising and tracking, reading through it I can’t see anything in there that will impede cookie use for functionality on websites so this article and it’s headline feel ridiculously alarmist. To be frank we (the advertising community) kinda had this coming, we took entirely the wrong approach to the whole issue and tried to dismiss people’s worries with ‘it’s for your own good’ and now that arrogance is coming back to bite us on the backside.

Instead of trying to look for loopholes we should be spending the energy on thinking up ways to get people involved and interested, not sneaking around in the not deliberately hidden but not exactly open manner we have in the past.

Also remember that the EU is an opt-in culture for online advertising – unlike the US, there were grumblings when EU anti-spam laws came into play but it didn’t exactly kill the industry.

I am ashamed that I live in EU…

Reminds me of the law that required a man with a red flag to walk in front of a car.
Killed the British car industry before it even got started.

Reminds me of the law that required a man with a red flag to walk in front of a car.
Killed the British car industry before it even got started.

What the hell are you talking about? You got it all totally wrong!

This law DOES NOT disallow cookies. The opposite is the case. It just states that you must not stalk users to track what they are doing OUTSIDE your website without asking first. Banning the misuse of cookies may help getting out of the spiral of new ads are countered by new ad-blockers on a weekly basis.

For registered users and customers, nothing will change – just add a passage to your terms of service that are signed on registration and you are fine.

That’s the best law since a long time!
And it’s no big news! Tracking cookies and web-bugs are not only against Netiquette, to track user information along with IPs without explicit permission has been a gray zone and probably was illegal all the way!

Even the facebook “like”-button was illegal all the way. It’s just that hardly anybody knows.
The only thing that the EU does is to apply common sense and state the obvious. They are making a law to explicitly state, what has implicitly been there since decades.

I understand the HTTP headers.

I am just wondering what critical function cookies serve besides customizing a website. Besides collecting statistics. Collecting statistics or identifying a user being the only critical function they serve to my understanding.

I should be able to crawl just about any website that is not behind a login (where the legal notice is) without cookies enabled and have it still work.

Shopping carts have been mentioned, but if there was a “remember me, remember my favorites” maybe that meets the user consent requirement.

It seems to be an issue of a publicly non-biased non-personalized web, versus customized, personalized targeted advertisement web.

In any event, even if cookies are not stored, anyone with Javascript enabled and a third party script installed (or even a mini 1×1 gif) into the website can still track via IP address, right? If it is just for aggregate (less than perfect, personalized to an individual, or everyone behind a sub-network regional slightly aggregated) statistics.

1. Register startup in off-shore jurisdiction (conveniently tax-free)
2. Setup servers in the USA (conveniently cheap)
3. Profit!

PS Glad to see a proper comments system again

Considering that many people turn off cookies altogether, or use browser that can be pretty selective about these things, this law may well put the startups at an advantage: at least their sites will work for the increasingly privacy-conscious consumers out there.

The U.S. also has a ton of U.S.-wide laws that make no sense and stifle development – you need look no further than Sarbanes Oxley which has all but killed the tech IPO.

The article is spreading FUD for 2 reasons:

1. as Martin Källström pointed out, in practice the EU directive will only impact 3d party cookies. For first party cookies, in almost all of the cases it can be argued that they are “technically necessary to provide the requested service”

2. even for third party cookies, there still is discussion about the interpretation of the directive – see further

The part of the directive that applies to cookies is (I agree with Nick Halstead on that) indeed a piece of crap – but not for its intention, but for its totally ambiguous wording. The result of a long lobby struggle in the European Parliament was a text http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf in which the directive (the actual legal text from page 40 on) was contradicted by the “considerations” accompanying the text (the “Whereas” explanations up to page 40)

The text of the directive itself says:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

The requirement for “clear and comprehensive information” before giving consent to store a cookie (= “information stored, in the terminal equipment of a user”) can indeed be interpreted as a mandatory notice in advance.

However it does not apply to “technical storage or access… strictly necessary in order for the provider of an information society service explicitly requested by the… user”. This is made more explicit by consideration 66 p 34: “strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user” -> hence the interpretation that first party cookies do not need “prior consent” (BTW you still need to explain what you do with cookies in your privacy statement).

However that same consideration 66 p 34 leaves open the door for all cookies, also the tracking 3d party cookies (Doubleclick etc…): “Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application”. The discussion on whether you can omit prior notice and just rely on browser settings is still going on…

Some people argue that browser settings are sufficient (about half of the member states, the Commission, the MEP responsible for the directive: http://admin.campaigner.nl//users/ddma/files/95907289-alexanderalvaroexplainescookies.pdf …), others argue that most users are not aware of these settings and that browser settings at this moment are not userfriendly, have the wrong defaults, and are implemented in an inconsistent way (that in itself is a long story again). See the argumentation of the EU privacy watchdogs: http://privacy.fgov.be/nl/static/pdf/direct-marketing/advies-groep-29-behavioural-advertising.pdf

BTW I am using the word “directive” here and not “EU law”. Technically, there is no such a thing as “EU law”: directives are decided upon on EU level but still have to be “implemented” in the legislation of individual EU countries. The ambiguity of the text will probably lead to the unwelcome situation where some EU countries have implement the stricter or more lax approach, depending on the privacy attitudes of the country. The discussion is still going on in the Netherlands for example.

Further comments:

@ Mike Robinson on circumventing the directive by using HTML5 or Flash: no way, the text is technology-neutral: “store information on the equipment of a user”
@ Gabriele Bozzi on moving to EFTA countries such as Switzerland and Norway: EFTA takes over all EU directives in order to secure unhindered trade with the EU. So this directive will be implemented in Switzerland and Norway as well

(My background: I have worked as a technical advisor to the Dutch Data protection Authority and do technical consulting work for government and legal organizations)

“That translates into warnings which will put off consumers from EU sites, while US-based startups will be free to continue as they are. How convenient huh.”

That argument does not work.

Does not US require resellers and/or manufacturer to put labels on products and services sold in US? Not even the warning labels on cigarettes?

If the US had labels on the banks sectors maybe we wouldn’t have banking crisis.

Ahh … plus – just you know: this law DOES NOT hand the sector to US companies. Because this law applies to all the competition – including US companies as well.
They can be sued and European law will be enforced in the US as well. Exactly like European companies can be sued in the US and Europe will enforce US law as well.

This is because it’s the market that counts, not where you have found your start-up. So if you are an US-American company offering a site in Spanish or for Spanish citizens, you fall under Spanish legislative and vice versa.

Also for most ad-vendors it is NOT the start-up’s problem. It is in the site owner’s responsibility to make sure to only use tools that are in consent with law. And he is also the one who will be held responsible.
The only thing the company has to do is inform him, that he may not be allowed to use their product in certain countries and that he should investigate this before installing your software.

Advertisers pay the wages of free web services. Reality check dude.

Yes, and many people use them effectively. The great (technologically) unwashed on the other hand are giving away much information for free, without consent. It’s those that need protecting. It’s more like a law prohibiting companies from taping advertising on your car without your consent, or going through your filing cabinet at home.

ah yes. Although I seem to vaguely recall that Rover, Bentley, Rolls Royce and Vauxhall used to be British car manufacturers.

Sounds like scaremongering to me. The law doesn’t say anything about big popup windows or dialog all over the place; one discrete checkbox c could turn out to be sufficient.

Anything that stores in session is controlled by a cookie. This means most of multiple step forms, all of shopping carts, all of login systems, etc.

Well… lets say it didn’t would anything essentially be broken? Probably only websites that change states based on what user data is stored, so it would effect shopping carts.

If the shopping carts asked for explicit permission to store the session and your information then it might be legal.

The big problem seems to be with the current method of tracking individual people for the purposes of building an Advertisement profile based on their interests.

Sometimes it is called behavioral advertising.

http://en.wikipedia.org/wiki/Online_advertising#Behavioral_targeting

So, if there are 25 cookies on this website, and 23 of them are from advertisers, then it effects the critical nature of how this website might make profit, if it is indeed profiting an sustaining from increased advertising performance based on targeted advertisements.

Read through the directive again, there’s nothing in there about session cookies or anything else that’s required for site functionality – it’s tracking for advertising purposes this is aimed at. The nuances of which cookies are impacted though will come down to how various countries implement this into their own laws.

Of course I understand that Mike, I have run startups depending on advertising (not very successfully admittedly), and I don’t advocate ad blockers for this reason, but it’s not going to stop advertising on websites, it’s just going to stop them tracking you without your knowledge, not that I care too much about that but I know a lot do. Your article talks about having to get express permission for things like login and settings which in my understanding of the directive is just not true.

So are you saying that it’s the problem with advertising that will kill startups? If so then maybe it will affect things a little by not being able to target ads quite as effectively but to say it will kill statrups is a bit over the top I think.

There’s a specific section covering eCommerce and excluding cookies used for shopping carts from expected legislation. Ignore the alarmist article above and have a read through the actual directive, that should put most of your worries to rest.

Actually that’s an interesting point, will Facebook now have to alter settings for EU citizens to get express permission to use the like button once the directive starts to be built into laws?

The privacy settings as they stand aren’t nuanced enough to separate out functional cookies, from advertising cookies, flash cookies etc. Sure that’ll come in time.

Just put it somewhere in the terms… Like anybody ever reads that.

[...] Read the rest of this entry » via feedproxy.google.com [...]

How exactly are you supposed to save the user’s preference that they don’t want to be tracked with cookies without using a cookie to track that preference?

Just because things have been done one way up til now, doesn’t make that the only way. I mean, FFS, the EU are asking programmers to come up with a new way of doing stuff. How dumb is that? You’d think they’d suggested storing all dates with 4 digits for the year or something completely unnecessary like that.

[...] Read the rest of this entry » [...]

“The exact steps are being drawn up by the Department for Culture, Media and Sport”.

It’s like a Terry Gilliam movie – the mind boggles.

A session token generates, one copy is stored server side and the other client side. The client passes the cookie back via HTTP headers, or in some rare cases the Session is embedded within the link which is clicked, generated uniquely to each visitor, or each page served from the server.

I’m just saying that websites work without Cookies. Its third party advertiser cookies which seem to be the only real losers in this deal. Besides those who make money displaying their ads, and that’s only if personalized, targeted cookie based advertising makes more money.

You can not personalize a website reliably via IP, javascript or a gif.

It’s about reducing friction in the conversion path. This law puts European startups at a distinct disadvantage.

It’s about reducing friction in the conversion path. This law puts European startups at a distinct disadvantage.

The UK has many laws that hurt the growth of the Internet. They have a law that can stop you from using the Internet if you are find guilty of infringing someone’s copyright. They also have a law that restricts the listening of UK radio stations from outside the UK.

Let’s put it this way: Facebook would have to break crucial pieces of their functionality if they were based in Europe. This law puts European startups at a distinct disadvantage.

TechCrunch’s anti-European bias has just jumped the shark. 99% of this article is a pure and deliberately misrepresentation of the actual law and its implication.

Session-cookies and remember-me cookies for instance are perfectly legal under this law.

Let me rephrase “deliberate misrepresentation”: TechCrunch lies.

Of course, author (deliberately or not) ignores specifically that the EU legislation in question clearly states that user may give his or her consent by appropriate setting in browser, as well as the fact that consent is not required for purely technical needs (eh. for keeping track of web session.). I wish the article emphasizes more on WHY on earth would european council and the parliament want to promote better protection of user data. Surely it can’t be to give advantage to non EU companies. But perhaps it may be because we, in Europe, have a much better culture of protecting personal data then, perhaps, in other parts of the world. So, instead of competing to lower standards of protection I would argue to promote our way outside of the EU.

Of course, author (deliberately or not) ignores specifically that the EU legislation in question clearly states that user may give his or her consent by appropriate setting in browser, as well as the fact that consent is not required for purely technical needs (eh. for keeping track of web session.). I wish the article emphasizes more on WHY on earth would european council and the parliament want to promote better protection of user data. Surely it can’t be to give advantage to non EU companies. But perhaps it may be because we, in Europe, have a much better culture of protecting personal data then, perhaps, in other parts of the world. So, instead of competing to lower standards of protection I would argue to promote our way outside of the EU.

Wonder if this applies to HTML5 offline storage.

Wonder if this applies to HTML5 offline storage.

It is privacy by design instead opt-out. Today stupid / lazy / ignorant people get tracked = ideal target group for advertising. Tomorrow the most dump people don’t get tracked = bad for companies that want to sell overprized useless products.

This won’t help. If your service targets people in EU you must comply to the rules – moving servers is no option this time.

They would have to add a pop up to ask consent to track user information. For them, maybe they only have to ask once, and every third party cookie they serve thereafter is okay. (I have seen FB comments know who I am without asking on third party websites. But maybe that is not true, because technically it should be impossible shouldn’t it? Unless it is an iframe. Right? Or an asset served directly from the FB domain where the cookie resides, or somehow people are sharing session tokens in the cloud from one server to the next, or they are all requesting session tokens from a centralized server.)

So yes, they would get a free ride in comparison to all the new comers that might be an annoyance. Unless 3rd party cookies required a new pop up consent window.

Would like to see Mike Butcher reply to this – I think that this analysis should have been done before this linkbait article was written.

Nick am sruprised at your reaction thought you would not be so knee jerk – have your read the comment by : Pascal Van Hecke?

Read the comment by Pascal Van Hecke and reply to that is this still a FAIL?

Aren’t all big “startups” based in the EU already? I mean Ireland?

But you get better ROI if you’re targeting people who want to be advertised to opposed to people who don’t.

Do you think the Queen will be updating her site to comply? She uses Google Analytics.

Yes, they would.

Good stuff.

I don’t see a bug fuss about this if the popup is created with some logic behind it. Just put a big title where it states cookies are made to keep you automatically logged in and then in smaller that the cookies would also track X, Y, Z then have big green yes button etc.

No one is going to click no. It’s just like the Next Next Next Finish installs on Windows or installing an application on the Android Market.

I don’t see a bug fuss about this if the popup is created with some logic behind it. Just put a big title where it states cookies are made to keep you automatically logged in and then in smaller that the cookies would also track X, Y, Z then have big green yes button etc.

No one is going to click no. It’s just like the Next Next Next Finish installs on Windows or installing an application on the Android Market.

Also cookie management in browsers it total crap. You can enable, disable, delete them but you don’t know what is stored in them.

[...] of an uproar because US based businesses are not in need of compliance once this comes into play. As TechCrunch Europe reports From 25 May, new European laws will dictate that “explicit consent” must be gathered from web [...]

What do you think is being collected?

Most of the time we’re talking about a user ID. Advertisers and analytics companies don’t even know you’re called Nick, nor do they care. All they care about is that User ID “X” browsed the North Face site, so let’s show them some ads for North Face jackets. That is all.

[...] Blogs ######## ######### The Forbes 400 Vs. Everybody Else | Michaelmoore.com ######## ######### Stupid Eu Cookie Law Will Hand The Advantage To The Us, Kill Our Startups Stone Dead ######## digg Hands-on with iOS 4.3 [PHOTOS] What Do Athletes' Salaries Say About [...]

Not quite.

The session ID passed as a cookie. Yes, you can use Trans SIDs, but you shouldn’t because they expose the Session ID in the URL which means it ends up in the history, proxies, logs etc and leaves the session vulnerable to a hijack.

The only thing it prevents is an absolute association from one client page request to another, and even that is susceptible to hijacking.

It’s not an HTTPS issue. I think we all understand what a cookie is.

I was about to write the same thing!

This:
“This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”
Clearly states that if a cookie is necessary in order to provide a service that the user requested (Es. registration), there is no explicit consent duty!

Andrea Giannangelo

The directive has been voted by the EU parliament and is a compromise between EU parliament, EU commission and EU council of ministers.

All of these institutions are under your control as an EU citizen via the elections for the EU parliament and your national elections (the latter determine who represents your country in the Council of Ministers and who is appointed in the Commission for your country).

You can influence this debate via your M(E)P or by either supporting the privacy argument via your local branch of http://edri.org/ or the industry argument via your local branch of http://www.iabeurope.eu/

Yes, it would have been better for the quality of democracy if the weight of the directly elected EU parliament would have been bigger in the proces vis-a-vis that of the Council or the Commission. That was the intent of the so-called “EU constitution” in the early 2000′s that has been watered down to the Lisbon treaty. Ironically (or not) it were the EU sceptics that always opposed more power for the EU parliament…

Websites won’t work very at all well without cookies. Sure, you can pass the session ID in the query_string as you mention, but now all of your URLs have a load of ugly gibberish at the end of them.

As well as that, if you bookmark a URL and return to it later, the session ID in the URL will likely be invalid (so you’ll be logged out). If you manually type in an address (e.g. example.com/news/) you’ll be logged out (no session ID).

Also you’ve now made all of your users susceptible to session theft by passers-by – if they can note down your session ID from the URL, they can then go to another computer as be logged in as you.

There’s likely a whole raft of other things that this will play havoc with that I haven’t thought of – e.g. centralised login services – openID / facebook / steam.

We’ve added security risks, decreased usability, added extra stress for users in terms of popups and caused loads of extra hassle on the development front.

The net effect will predictably be that sites will now ask you to authorise their use of cookies or get lost.

Without going into the detail of the directive itself, I’d like to comment on this post specifically:

I would argue that customers will be more likely to buy from EU based companies/sites BECAUSE they will (if they comply) open with respect to how they deal with customers’ personal information. It’s only if a company sticks up a message that says something like “we’re going to resell your personal information to everyone”, will customers move to an alternative – and they’d be right to do so. I welcome anything that encourages companies to rethink what they do with customers’ personal information – I’m not all that concerned with ‘how’ it’s gathered.

Web users don’t use the browser controls for many reasons:

1. They’re not aware of them
2. They’re not effective (P3P is pretty useless – just like the IE Content Advisor)

I don’t agree that customers don’t use controls because they don’t care. People might not care about ‘how’ their personal information is gathered. But they do care how it is used. This is demonstrated by Facebook.

“your a privacy nightmare and wont sign up.”

Really? Someone needs to fire their editor, or stop writing crap.

[...] topic of privacy law and the upcoming EU has been well publicised. Techcrunch’s article is particularly direct about its [...]

Pascal is absolutely correct. This is all about 3rd party cookies. And this law is a good thing, should it be enforced.

The relevant RFCs state that browsers should not even allow 3rd party cookies by default, yet they all do, apart from Safari. Hopefully this law will force Google, MS et al to change the default!

Pascal is absolutely correct. This is all about 3rd party cookies. And this law is a good thing, should it be enforced.

The relevant RFCs state that browsers should not even allow 3rd party cookies by default, yet they all do, apart from Safari. Hopefully this law will force Google, MS et al to change the default!

“they will just think your a privacy nightmare and wont sign up”
think you are a
think you’re a
hell even:
think youre a
or:
think you a
but:
think your a ? come on

But we clearly all don’t understand the best way of ensuring they are secure…

Yes, you can carry session id’s in URLs, just like you can carry a huge poster with your password written on it.

*Facepalm!* The “Red Flag” law was repealed in 1896. You can’t really blame it for events 70 years later. http://en.wikipedia.org/wiki/Locomotive_Acts

But they are not equivalent. “remember me” does not mean “I accept a cookie”. When you leave “remember me” unchecked you can still log in, right? You get a cookie.

The new message is different, it says: “either check the box, or else you are not in”.

This directive makes no sense.
I understand that all ‘necessary’ first party cookies won’t require any consent from the user and this is a good frontier to argue about which are really required, if the website builds user profile in order to deliver better service to its subscribers does it require explicit consent, etc.

But what about 3rd party cookies often out of control by the first party? Does it mean that for example google ads will contain extra dialog to ask for permissions? Websites affiliate with 3rd parties for many reasons and these parties usually put ‘unwanted’ cookies.

@ScRyX Then you will appreciate the extra privacy more than most people

@ScRyX Then you will appreciate the extra privacy more than most people

“less than perfect, personalized to an individual, or everyone behind a sub-network regional slightly aggregated”

maybe it should have read…

“individually personalized less than perfect , or everyone behind a sub-network regional slightly aggregated”

“less than perfect, personalized to an individual, or everyone behind a sub-network regional slightly aggregated”

maybe it should have read…

“individually personalized less than perfect , or everyone behind a sub-network regional slightly aggregated”

Cookies or anything passed over HTTP is susceptible to hijack. Unless it is encrypted. Then it is susceptible to decryption.

I think Pascal is technically correct. Yet, as a European I am fed up with this geriatric nanny-state and wish I had been born elsewhere.

In the context of this thread, and the requirement for website operators to provide a pop-up (what the article says)

“So, imagine a world where, after 25 May when the law kicks in, your startup has to explicitly make pop-up windows and dialogue boxes appear asking for a user’s permission to gather their data.”

Cookies themselves are still allowed. It is where in the policy or the procedure where the pop-up windows become critical.

So it isn’t critical to have a cookie stored on any of your clients browsers until they approve it. It does become an issue to third party cookie vendors though, because they would have to ask for authorization (according to what the article says) on your website if you are serving ads from their server, through your website.

In the context of this thread, and the requirement for website operators to provide a pop-up (what the article says)

“So, imagine a world where, after 25 May when the law kicks in, your startup has to explicitly make pop-up windows and dialogue boxes appear asking for a user’s permission to gather their data.”

Cookies themselves are still allowed. It is where in the policy or the procedure where the pop-up windows become critical.

So it isn’t critical to have a cookie stored on any of your clients browsers until they approve it. It does become an issue to third party cookie vendors though, because they would have to ask for authorization (according to what the article says) on your website if you are serving ads from their server, through your website.

While I agree strongly with most of your points (particularly those about certain tabloids and the relative usefulness of MPs and MEPs), the only thing I would quibble with is “that seems to be what this directive is about”. Tracking cookies are what this directive is _intended_ to be about, but the loose phrasing means that it can in practise be applied to a lot of non-intrusive uses of cookies (logins, shopping carts, storing and restoring user preferences, etc).

Many of these are either explicitly exempted in the directive (shopping carts) or result from a user action (logins), and so can be dealt with by a bit of legal jargon (next to the login button or whatever), but the remaining ones (e.g. storing and restoring preferences) are going to be a problem. UK sites will either have to have reduced functionality in these areas, or increased legalese on otherwise useless interstitial pages or pop-ups, and it’s this which is a valid concern.

The directive should have been drafted with tighter language – it’s intended to stop behavioural tracking cookies, so it should say that explicitly, instead of targetting all cookies and then having an inadequate list of exemptions.

I’ve a huge amount of respect for Mike, but I feel that this piece is either misguided or a deliberate attempt to be controversial.

The fact is that the intention of this directive seems fair enough, there needs to be some attempt to protect user data and this is designed to go some way to do that. As has been pointed out already by far better legal minds than mine, this affects only third party cookies, and even then the impact is by no means definitive (partly due to that age old curse of eu legalese). As we move towards a data economy the need for legislation and control on user data is imperative, as made clear in the recent World Economic Forum report on personal data (http://www.weforum.org/issues/rethinking-personal-data)

It’s also worth remembering that an EU directive is not the same thing as a national law – member states often delay / ignore implementation of directives – and implementation varies by member state:

“A directive is a legislative act of the European Union,[1] which requires member states to achieve a particular result without dictating the means of achieving that result. It can be distinguished from regulations which are self-executing and do not require any implementing measures. Directives normally leave member states with a certain amount of leeway as to the exact rules to be adopted. Directives can be adopted by means of a variety of legislative procedures depending on their subject matter.” (http://bit.ly/hADz4H)

It doesn’t matter what the actual law says: The point is that I lose time and money because I need to care about it. I need to consult a lawyer if I really want to be sure; I need to check my site whether all of its cookies, at all times, are legal. I maybe need to write a test that ensures this. I might need to upgrade the privacy policy, which means I need to write an email to all customers announcing the change. Perhaps I should even monitor my platform. And what for? Does this really protect anybody’s privacy, in a global network where all the black sheep have their servers on some godforsaken island anyways? No.
When it comes to technology, politicians just do something that seems to sound about right. That is not leadership, it’s not wise nor foresighted. It’s simply incompetent and pathetic.

One reason I love Europe, respect for privacy.
Exhibit A: Germans had the opinion to “blur” their houses on Google Streetview.

This still doesn’t make the U.S. a better place for start-ups. You ever see our tax rates?

I used the word FUD with a reason. The impact of the directive will depend on how individual member countries implement it. As the debate now rages in all of these countries, it’s nice for the behavioural advertising industry to discard the directive as some “loony luddite EU thing” and spread the myth that “it forbids cookies”.

If the industry’s browser settings interpretation gets accepted, _nothing_ actually changes compared to the current situation (in which you tuck away your data collection practices in the privacy statement – also for 3d party cookie tracking companies the user is not even aware of). It is hard to imagine that would be the intended result after 3 years of discussion.

If the “consent, having been provided with clear and comprehensive information” interpretation gets confirmed, behavioural targeting companies will be pressurized to come up with an acceptable implementation of “informed consent”. That probably will be a combination of further changes to the browsers (more user-friendly and transparent cookie management, explicit choice of the user for black- or whitelisting upon the browsers’ installation etc…) and with better information by the behavioural targeting companies (such as a mandatory icon, leading to a privacy and opt-out page, more transparency about and possible 3d party auditing of their data collection practices). Google is one of the companies that came up with useful improvements here (the “Ads by Google” link, the ad preferences dashboard etc).

True Mike, the advertising/targeting industry pays for those free sites we all enjoy, but it cannot live on distrust and ignorance either.

Agreed. We American’s are very egocentric with are communist-like “patriotism” and blatant disrespect towards other countries. We also like to destroy people’s privacy for political or financial gain.

wow

[...] The story is getting a lot of press and attention right now — most of it very negative indeed. The BBC says the rules are ”set to make cookies crumble”, while TechCrunch Europe says it will ”kill our startups stone dead”. [...]

Some of the most bone-headed arguments I have ever seen. Privacy restrictions are good, opt-ins are good. Why is it that so many cookies never expire?
“Plus there is massive competition in browsers already, so its not as if consumers need even more protection. ”
Total B.S.

You’re missing my point. Read the other posts here.

You can’t get the contents of the cookie (which contain the session identifier – which does not change between client requests) from the browser history, from looking over someone’s shoulder, or from a proxy log.

Where as you can if you use Trans SIDs. That is why Trans SIDs are not used for authentication.

Just because it is possible to get at the ID by sniffing the network does not mean we should just start broadcasting it everywhere!

You’re missing my point. Read the other posts here.

You can’t get the contents of the cookie (which contain the session identifier – which does not change between client requests) from the browser history, from looking over someone’s shoulder, or from a proxy log.

Where as you can if you use Trans SIDs. That is why Trans SIDs are not used for authentication.

Just because it is possible to get at the ID by sniffing the network does not mean we should just start broadcasting it everywhere!

I for one would be more than happy if indeed this turns out to be the case. However, I reserve the right bring it to the tech community’s attention and give my view on it, period. It’s somewhat disingenuous to call the post FUD, as it clearly states the worst possible implications if it went through unchallenged.

You have to admit, Mike – to headline this story as ‘kill our start-ups stone dead’ is sensationalist.

I thought I was reading The Sun for a minute

“so its not as if consumers need even more protection”

Wow. Nice attitude.

I find it rather ironic that the EU — the US government wants to do something like this as well — is creating this law in the name of “protecting privacy”, while at the same time it has no problems whatsoever violating its own citizens’ privacy without their permission, and without consequence.

And yet you want these fucking “companies” to maintain websites and give you content for free. Advertising drives the free web. Advertisers aren’t going to pay publishers as much to show their ads when they get a lower conversion rate because they can’t use anonymous user data to target ads.

1. Does the directive only concern European companies? It seems to concern only European people, even if the cookie is served by a US company, even if the site is in the US. US companies too can be fined in Europe if they don’t respect European laws. So, it’s not such a competitive disadvantage….

2. Will the directive push companies to store IP addresses instead and try to target on IPs? It would be worse, because IP addresses are personnal information.

[...] Ce qui a le don d’énerver passablement les observateurs comme Mike Butcher, rédacteur de TechCrunch Europe [en] : Cela se traduit par des avertissements qui irriteront les visiteurs de sites hébergés en [...]

I did read the posts here.

I myself, can go right into the preferences of my own browser and get the session ID passed to me from a third party website. That’s about it… I don’t know why this entire thread is an argument. You just don’t need Cookies to view a website. They are not essential unless you login or the page changes states and needs to remember it on another visit, but it was mentioned local storage and HTML 5 might even be a workaround possibility. That an Ajax to change the page state without ever needed to call a full page a second time. Like a Gmail.

So… Cookies are not essential for a website to actually work. If the functionality is required, worse case (according to this article, using your imagination), you might have to ask permission before passing cookies, but it does seem to apply to third party cookies, by reading the thread.

Did it get your attention? Then it did its job This isn’t designed to be a dry governmental PR machine.

See above.

Earlier on you suggested that passing a session identifier on the URL (aka Trans SID) was a viable way of tracking an ID instead of using a cookie. That is blatantly not true – in fact, it’s pretty close to the top of “List of things not to do”. I can send you a dozen references confirming that.

That’s all I’m (and Halil, and WubbleWobble and others) are saying.

I completely agree this law is a good thing (see my post way up top).

This is not a dumb law, everytime you read something on TechCrunch you need to follow up with your own research.

It got our attention by being misleading. That’s not the issue though, the issue is many readers have been misinformed and will only be corrected by reading the comments. Surely your job is to report the actual situation rather than the worse case scenario.

[...] But while most of the discussion and scrutiny in the online privacy realm, and specifically with respect to legislation has come from our side of the Atlantic, apparently the EU is proposing a new law that would require EU websites to get explicit permission from users in order to “track” them… [TechCrunch] [...]

Wow – a lot of comments! This morning I read the article and didn’t particularly “read around” the subject at hand before offering my reaction. It seems that after further reading, the situation may not be as grave as I thought (and made out in my rather black-and-white comment).

All this means is that you have to get creative in how you ask for consent. If you require 3rd party cookies for advertising, specify that, make the user hit a checkbox to agree to your terms or let the user pick another service of choice. Time over time, research suggests that consumers are simply confused about what tracking really means. Its all a play of words. A fight between new media and traditional media (Murdick, err Murdoch).

Are you saying all US sites must comply as well

sorry…. didn’t quite finish that. US pubs won’t give a crap about this. Thee are 9 third party tags on this page alone. How do you think pubs are going to survive without targeted ads. This is a stupid move by the EU. Madness.

Oh, I will keep a screenshot of your reply regarding what’s the purpose of article. Tell me, does this also apply on all Techcrunch articles that get published everyday?

B-I-G fail

(“Oh my god – I’m taking my company and going to the US heaven”, “EU sucks for startups”, “Oooo….”)

Oh, I will keep a screenshot of your reply regarding what’s the purpose of article. Tell me, does this also apply on all Techcrunch articles that get published everyday?

B-I-G fail

(“Oh my god – I’m taking my company and going to the US heaven”, “EU sucks for startups”, “Oooo….”)

hold on… the EU is in no position to police this. They haven’t got the resources.

agreed. This is cheap, sensationalist reporting, the sort of thing I’d expect from a eurosceptic tabloid, not techcrunch. Mike, if you wanted to trigger a debate then you’ve definitely achieved that, however to use a “worse case scenario” to put forward what appears to be your own political agenda is unfortunate.

It’s not my political agenda, get a grip dude. It’s about flagging the possible problems. Welcome to blogging.

Hmm. So what about analytics? It’s critical to any startup to know where their traffic is coming from and going to. But it’s not in any sense “strictly necessary in order for the provider of an information society service explicitly requested by the… user” (whatever on earth an “information society service” might be when it’s at home) or “technically necessary to provide the requested service”.

Even if it were only to apply to third-party cookies, it would then wind up being a ban on using useful simple services like Google Analytics, and make every startup wind up having to install some kind of tracking system on their own web server.

I’m not techy but run a website. I haven’t read all the posts, but surely this will affect millions of affiliate sites, affiliate programs, google analytics, etc etc. Correct me if I am wrong, but them’s a lot of dollars.

I don’t think its sensationalist at all. When I read about I started thinking about registering our company in the Isle of Man, Canada, the US, the Bahamas. Anywhere but an EU country…Also I do wonder how on earth this can possibly be policed? Will the cookie police check every cookie? What about a UK user clicking in the UK on a US website? What about a US user clicking a UK link?

An example.
I go into a popular high street major retailer supermarket shop. I buy something. I pay with cash. I leave. The shop gathers no information about me personally. I quite like that.
I use argos.com, I buy something, I *don’t* have to register, I buy something. I pay with an electronic card. Even doing that they know vastly more than me than the first example. They know my home address (from the card). They can tie up my whole previous buying history via the card and my home address or email address. They know what operating system, browser and screen resolution I have. They know my ISP. They know which site I visited previously and a whole host of other info.
and then we come to most sites. They know:
My browser name and version, which ports are open, my display size and browser size, my colour depth, flash version, connection speed, IP address, likely country I am based in, referring site and search string, Operating system and patch version, javascript version, device model (if using a phone), preferred language, time zone. This forms a fingerprint which pretty much identifies my PC regardless of cookies. If the site uses any of the popular in depth analytics tools they will also know which pages on a site you visit, what fields you fill in, what values you put in those fields, when you drop out of a buying process, probably your age (many sites request this have no business in doing so), how long you looked at certain pages, how long those pages took to load, what else you have done on the same site over the last few months, how the information they have just gathered relates to the information they previously gathered. Whether the fingerprinted information associated with your PC indicates more than one user and therefore if you live alone or not. When you used the site and therefore whether you have a job or not and if so when you work. Where you accessed the site from and likely your employer if you accessed the site during the day, probably when you have your lunch break, if you are a returning visitor and how many times you have visited the site recently. How many opportunities they have to upsell, cross sell and store your data and correlate it against public databases, phone numbers, electoral register, company records, etc.
Most of this is with just one include file on the relevant site that includes the markup and then modifies the DOM on the page load event.
and that’s just off the top of my head.
and we don’t worry about this?
Personally I’d just like to going back to buying my stuff without having to reveal 1000 bits of info about me to do so. We wouldn’t stand for this on the high street, why do we put up with it online?

Isn’t that the usual definition of FUD?

Mike, the thing is this is actually a hugely important subject. If, as people say, data is the new oil, then there needs to be a degree of legislation to protect individuals from having their data misused. This directive (and it’s a directive, not a law, there’s a big difference) is an important attempt to address that.
Rather than writing a sensationalist piece scaremongering, would it not have been more sensible to raise the subject in a more sober manner and encourage a more informed debate? You’re always talking about the importance of the European startup scene, surely giving potential entrepreneurs the (false) impression that a piece of legislation originally proposed over 18 months ago will kill the startup scene stone dead harms exactly the the thing you do so much good work to promote?

[...] la que el usuario podrá añadir o no las cookies de un alojamiento.Mientras tanto existen muchas voces críticas en cuanto a la implementación de esta nueva regulación. Una de las más claras es aquella que [...]

This is the sort of bull for them to save there country and enlist religious slaves they are nothing more then 158793 -

Daddy state once again. I think its FGreat:
- Lower income from advertising for free sites.
- All those sites operating in Asia sending cheap stuff to Europe won’t get affected.
- Everyone has to implement their own statistical tool in their own environment, bye-bye GAnalytics.
- EU countries with divergent laws concerning the same issue (once again) in another show of how united the EU is.
I honestly believe that there are too many wankrs in Brussels who just don’t know what to do with their time and need to produce a certain amount of directive-meters per year.

[...] tanto existen muchas voces críticas en cuanto a la implementación de esta nueva regulación. Una de las más claras es aquella que [...]

Looks like the EU are in breach of their ‘dumb law per week’ law. (/this week/)

The free market is not perfectly able to address the issue on its own, hence the point of the law.

Just because you, your friends and a group of people in the know understand what’s going on doesn’t mean that everyone else does. Nor does it mean that people know how to protect themselves from having their data collected.

If data wasn’t being collected and sold to the highest bidder then we probably wouldn’t have this issue.

The US is all about “innovation”, regardless of if it comes at the cost of exploitation. The EU seems to care more about their citizen’s privacy.

Obviously there are trade-offs, however, the concept of “privacy” seems to be going down the drain so it’s great that someone actually cares and is doing something about it before it is completely disregarded.

People would be up in arms if the they were physically monitored all day. Being tracked online isn’t much different but because it’s not obvious people seem to brush it off.

Hopefully the US can pull its head of out the sand and do something worthwhile too. However the US will probably just sit down with the companies and ask them to do something so that the government doesn’t have to.

I love the contrasts between the US and the EU because at least people can see how it could be, either the EU looking at the US or vice-versa.

The grass is always greener on the other side. And if you don’t pay attention to where and how your data is being used you’ll eventually find out when you get screwed one day.

Seems like EU citizens have more faith in their government as opposed to businesses and that US citizens have more faith in businesses as opposed to their governments.

Someone needed to do this. There needs to be full disclosure and consent when collecting data.

Just because I visit your site doesn’t mean that you own my information.

IF I agree to let you collect data on me for one purpose that doesn’t mean that I agree to let you use that data for secondary purposes or to sell my data to other companies. Because had I known you were going to do that I probably wouldn’t have visited your site.

And if your business model depends on you selling other people’s data then it’s probably time you came up with a real business model.

Well, the shop did record your person on surveillance video.

I bet the Swiss and Norwegians are really wishing they were in the EU now. #voteUKIP

People goverment people all slave to the machine- it’s there NWO not yours! why because they use a trick- something devious that goes unnoticeable because you haven’t found it yourself.

And they will use your birth time and place to convince you they are right… it’s the biggest heist that you think is finished but it just starts for you can’t see!! you believe in 2 choices- and the 4rd is controlled by the richest in the world. and even when they show themself you cannot see because you were using there machine !!

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead [...]

How it this being policed? What’s the punishment for not doing it?

How it this being policed? What’s the punishment for not doing it?

what’s the problem? No spying on unsuspecting webusers? Indeed anyone who disrespects surfers privacy rights should move to the US! We do not need you in Europe.

I don’t get the fuss. You should not be tracking passing-by visitors at all, especially random stuff like Doubleclick. If you offer a ‘utility’ or ‘subscription’ as a start-up, it would seem ethical to ask for opt-in permission for preference and tracking files.

As for the assertion “Presumably if consumers wanted more protection then they would have shifted behaviour and adopted browsers with better controls.” – you can tell by the 60% IE share, that the majority of users have no clue about browser security. Really Tech Crunch? So if you mean by ‘Persumably’, ‘I’m just going to make something up that has no basis in logic’. then yes.

I see this is like junkmail – because you can junkmail people and make money, it doesn’t mean you should be allowed to in the name of commerce.

Roll-on more, harsher legislation to kill of banner-spam, hidden tracking and anonymity to non-subscribing users.

You know full well the peoples of EU countries have little or no control over the EU. The Parliament is out of touch, and part of the game itself. You do not have to follow proceedings for long to realise that. In any case, the commission is in power, not the Parliament.

If you think we are in control, how do you explain the ridiculous browser cookie law, drafted by a technically illiterate moron and yet driven into national law with no scrutiny?

[...] EU E-Privacy Directive and cookies: making companies less competitive or more transparent? [...]

Could this article be more misleading? Who owns the data? The agencies with their spotlight cookies? Specific companies that use zombie cookies? The publisher? NO! The user owns their own data and have a right to know what and how it’s being used. They have a explicit relationship with the publisher and have the option to opt out of that publishers data policy. If an agency demands to serve cookies then the advertiser is collected and profiting from illegally obtained information. The problem is, the agencies control the spend. Advertisers need to know exactly how is data is being collected. I assume if the agencies have to start paying the comsumer for it…they won’t.
The eu law protects, but is fair. It is self regulated and needs to be enforced. Start up data companies are everywhere now. Do you really think they are all above board? Come on get real. Know where your data comes from, and consumers know how it’s being used.

And yes, I live in EU and work in advertising.

Does this affect Google Adwords / Adsense ?
If so then Google management will talk to the EC as their business might fail in Europe.

I am really surprised with the discussion – so the regulation is not that stupid because it probably can be bypassed…?

But why the hack having something like that in the first place…?

The problem is in the mindset – that is actually killing the entrepreneurship in Europe… It’s the 260+ pages of the Lisbon Treaty versus 5 pages of the U.S. Constitution…

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead (tags: legal eu privacy cookies) [...]

There’s too much confusion in this and BBC articles.

You argument appears to be that there should be no new laws ever because businesspeople might be put to some inconvenience. I respectfully disagree.

Other than the scrutiny provided by the heads of government at the Council, the elected MEPs and the elected MPs who approved the UK law implementing the Directive?

Oh, and the law was drafted after (as ever) much lobbying from every industry group known to man. So one technically illiterate moron was not involved.

Rather like TechCrunch, you’re letting your europhobia get in the way of reality.

No… it is not a better option, but it is possible. I just had people speaking to me like I didn’t understand the technology.

It’s really my own fault for not dumbing it down. Not that I am up there, but it seems like everybody else is.

Then use solutions like http://piwik.org

Sorry, Guys, cookies are not necessary to track users. Cookies are used by “startups”
(hohoho, staaaart ups) because they are maleducated, non-knowing script kiddies.
Go to the USA and suck your honey over there … this text is complete nonsense, Mike.
Greetings from Germany, Mick

Let me give you one example. Couple of weeks ago I was looking around for the GoPro (HD Hero) camera. OK, I wanted to have it for quite some time ago, but just recently went extra mile to get the best deal for me. And I have found it and bought it. But then something strange happened. I tend to see adds for the GoPro HD Hero cameras all over the web. Now, either I wasn’t paying attention to possible GoPro ads occurences in the past, or something really happened that now my web browser is bombarded by the GoPro ads.

If I turn a little bit of scary stuff in I may even start to suspect that I’m actually being manipulated into buying GoPro camera whereas I was merely looking for the best deal.

In any case, somehow I start to have second opinion about “targeted advertising”. I’m not saying that it’s just wrong or just good. I’m just saying that it definetely is not the same kind of advertising that we used to have. This kind of advertising is much, and I mean much, muct more personal. It targets specific individual, on massive and unprecedented scale.

EU Directive 2009/136/EC is a great tool to limit unchecked power of at least advertising companies, where such checking is needed.

In any case, recital (66) of said Directive clearly states that user may simply chose to trust whoever he/she may wish by appropriate setting in browser. So the consent given in browser setting (to eg. third party advertising) is simply a matter of choice of a user targeted by the individualized ads. What user aggrees to is not to just merely accept ads or not. He/she choses wether or not to accept individualized ads. Big difference, and I firmly believe that in light of A LOT of clluelesness around it’s way better system (opt-in as introduced with D2009/136/EC) then before (opt-out as in old Directive 2002/58/EC).

All those people worried about their “advertising revenue” are probably the people who did such a good job annoying millions of users with blinking, wobbling, up-popping, etc. ads until they installed AdBlock and now browse completely Ad-free. Good work, guys! (that’s sarkasm!)

The same will happen with cookies: as a result from this discussion, future browsers will just have a default setting to block all cookies – except for a few select ones or if the user explicitly allows it.

But the driving factor here will not be the EU – it will be the users!

It’s as possible as driving a car without seat belts. There are many possibilities that we shouldn’t make a reality.

So if the user agent doesn’t accept cookies, and it’s not a crawler… maybe session IDs can come in handy sometimes.

It is also possible to take the bus.

So if the user agent doesn’t accept cookies, and it’s not a crawler… maybe session IDs can come in handy sometimes.

It is also possible to take the bus.

[...] March 10th, 2011 by Derek Mehraban Tweet The EU has a new law that will go into effect on May 25 forcing websites based in Europe to implement an opt in system when tracking with cookies is involved. This means websites will need to use pop up windows and other undesired methods to convince the user to surrender some privacy. This law will have a serious affect on European firms, making American based sites more user friendly by comparison. Many clients of digital marketing may not notice a bump in sales or even much of a traffic bump. Some industries, however, will notice an increased return on their digital marketing budgets. While it seems the US Congress will not mandate efforts along the lines the EU has required, there is some doubt. Congress is holding hearings. The industry is trying to self-regulate. If anything, the EU example may only jumpstart American firms’ self-regulation attempts just to avoid any laws similar to the European model. EU’s new law for cookies [...]

@Anthony: That is not what I meant to say. What I’m saying is that politics should not intervene if there is no need to. I haven’t heard about people in the US being harassed by companies much more than here in Europe, despite the much more liberal laws in the US. Practically nobody disables their cookies or uses other privacy-enhacing features, because it is annoying: The benefits far outweigh the risks for most people.
There’s more: In Germany, we have a law that forces providers to keep your connection data for months (or even years, not sure atm), a highly dangerous practice I believe. The government shares your information with numerous private companies and religious institutions and you can’t do anything about it. Yet, as a private company, a single email to someone who opted out previously can lead to a EUR 5,000.- fine.
Likewise, there currently is a discussion over here about a “rubber eraser for the web”. The idea: when uploading images, you give them a limited lifetime after which they automatically delete themselves from the Internet. How could someone POSSIBLY come up with that idea? It doesn’t make any sense from a technical perspective, yet we pay people a lot of money to discuss this kind of ideas.

“the elected MPs who approved the UK law implementing the Directive”

You know full well that MPs cannot reject a directive without precipitating a crisis of membership of the EU.

Technology exists to serve people. If people don’t want their online behaviour tracked by unknown entities, technology should give them an option to opt out. For the vast majority of technically unsophisticated users there should be a requirement to opt in.

Technology is not some mystical force that exists above human needs, to say otherwise is a slightly more intelligent way of saying ‘computer says no’.

In fact real technology startups relish the challenge of developing products that respond to human needs.

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead wow, Datenschutzhysterie auch auf EU-Ebene: "From 25 May, new European laws will dictate that “explicit consent” must be gathered from web users who are being tracked via cookies. That translates into warnings which will put off consumers from EU sites, while US-based startups will be free to continue as they are. How convenient huh." [...]

[...] very strict regulation that might devastate the industry. These concerns are mostly exaggerated.There is a lot of misunderstanding as to what the directive really means for Internet companies. Some industry observers have warned that EU-imposed data privacy solutions will hurt both [...]

[...] issue has been widely publicised by the BBC, TechCrunch and many other sites. But after reading these articles (and the rather fruity comments) I am none [...]

[...] D’après un article de Mike Butcher [...]

I have considered the EC Directive from a legal standpoint. On the assumption that the law as implemented by member states will exactly follow the Directive (which appears to be what will happen), I have concluded that although the changes are significant and websites will need to be reviewed to comply with the new law, the changes will not fundamentally change the surfing experience for internet users. You can see my article at http://www.sitecompliance.co.uk/ukcnewclaws.html

[...] Techcrunch skriver om hvordan forslaget rammer Europeiske bedrifter sin mulighet til å konkurrere m…. [...]

i agree with Jimmy and Steven. nobody cares about you, you are trend. you are a unique number to them maybe along with some other non identifiable information that is useless to anyone other than the publishers of the cookie. while cookies benefit the marketing companies they benefit the user too and significantly increase the quality of the web. By turning off cookies and while i’m at it ads you are basically stealing from website owners and in the long run if this gets enforced you will have to log in to every website you ever visit in order to read their content, which i’m sure just about every one will agree is far from ideal.

impressions pay the wages not ROI, so every impression counts.

“It targets specific individual” no it doesnt, unless you are logged in, it only targets the browser of a computer that it was dropped in.

[...] pundits from predicting the end of the world for the European advertising industry, as reported by TechCrunch Europe’s Mike [...]

[...] en la Directiva sobre la privacidad de la UE, su cumplimiento puede significar un serio varapalo para las startups europeas. Cualquiera que haga un uso frecuente de Google Analytics, verá lo útil que es para elaborar una [...]

[...] of cookies to track user behavior across the web by technology companies. Now, this directive is becoming law in many member states. It’s amazing how little has changed since I last wrote about [...]

[...] the past days there’s been a lot of buzz around an article posted on TechCrunch Europe, claiming horrible things about the next European E-Privacy [...]

This piece is utter twaddle, you clearly have not read the regulations at all nor have you made any attempt to research the debate which has been ongoing for over 3 years. This type of scaremongering is more damaging than any perceived consequence of those new regulations, mostly becauseitis complete rubbish and completely untrue. I expect more from a tech resource.

AlexAnder could you please clarify which piece you are referring to as being “utter twaddle”. I don’t recognise your comments as possibly referring to mine. Thanks

It was drafted with tighter language, the Industry are the reason the final amendments to the Directive are a little ambiguous. I was very active in lobbying for these changes and have followed the development of the amendment from the onset. Industry lobbied for substantial changes which resulted in what we have now.

Also with regards to your comment on preferences, I disagree for 2 reasons:

1: a customer who sets up preferences is quite clearly covered under the exclusion for technical cookies or cookies used for a service explicitly requested by a user, if a user is setting preferences clearly that is an explicit action.

2: it is perfectly feasible to have preferences without cookies as illustrated by Ixquick’s cookieless preference system.

We can discuss further on Twitter if you like, we are already following each other.

Regards,

Alexander Hanff

We are very much in control, the “cookie law” was drafted because “we” (being myself and other members of civil society) asked for it, it was not something that the Commission just pulled out of their hat to annoy industry.

Furthermore we (you and everyone else) had every opportunity to shape the drafting of the Directive but if you don’t engage in the political process you have no right to complain if you don’t like resulting policy.

Those of us who did engage had influence, whether you like that or not is really moot, it doesn’t change that this was an inclusive process open to literally every citizen in Europe.

Have you actually bothered to read the text? It doesn’t mention cookies it covers all files stored or accessed on an end user’s terminal equipment.

Look at Ixquick, they are able to customise a users preferences without cookies. Just because you haven’t considered it it doesn’t meant can’t be done.

You say “we” a lot, but you don’t speak for the collective. Nor does the Commission, or the Council of Ministers. There is such a long chain between us (you, me, everyone else) and those who decide that it does not resemble democracy. You might as well argue the Soviet Union was democratic because you could choose to join the Communist Party and influence things – the Party was “inclusive”, right?

[...] http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-... and http://www.bbc.co.uk/news/technology-12677534 (EU Stupid Cookie Law) [...]

You might want to read this article – http://bit.ly/fwtz1p Pretty negative comments about Google’s unethical profiteering from 3rd party cookies.

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead Coverage in-equality: TechCrunch on EU privacy law http://bit.ly/hxOp3r. Hogan Lovells' on US legislation http://bit.ly/fEmDCd (tags: via:packrati.us) [...]

[...] van een grotere internet privacy directive van Europa gaat specifiek over cookies. Hoewel er wilde verhalen de ronde doen over de effecten van deze wet, liet het Interactive Advertising Bureau ons weten dat [...]

[...] The directive caused an explosion of outrage that tapped into widespread mistrust of politicians in Brussels and a deep Euro-phobic viewpoint that pervades the online business community. Those who criticized the directive were vehement: they foresaw a situation in which European users were forced to act every single time any company wanted to use a cookie — something they suggested was going to damage European competitiveness, impose an insufferable legal and regulatory burden on European startups and maybe even end up killing off the sector. [...]

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead [...]

[...] leave 1000s of companies unsure as to whether they are breaking the law or not. I just hope that Mike Butcher is wrong and we are not handing business over to our state-side counterparts; based on these [...]

[...] megkönnyítő sütik között különbséget nem tevő szabályozás mennyire ésszerűtlen, sőt egyesek szerint egyenesen hülyeség, nem tudom, szorul e magyarázatra. Egyfelől már most van lehetőségünk olyan böngészőt [...]

[...] commentators have described (Techcrunch have come out of the corner fighting on this one ‘Stupid EU Law‘). However, the Swedish law just does not seem clear [...]

[...] This stupidity, if it were enforced (and there doesn't seem to be any way it can be) will kill the European internet industry dead. The most paranoid country of all when it comes to online privacy, Germany, already has legislation [...]

[...] guidelines might be like for you the user) it’s a nightmare in the making. @mikebutcher from Techcrunch Europe seemed very clean on his opinion on the cookie [...]

We have quite an elegant solution for those that want’s to be first on the bandwagon – released yesterday..http://www.wolf-software.com/Downloads/jpecrga/This jQuery plugin is the Wolf Software solution to the new cookie law that becomes law on 26 May 2011. The idea is to have a inobtrusive method of gaining user consent BEFORE using Google Analytics which requies cookies.An amendment to the Privacy and Electronic Communications Act (PECR) is a change to legislation that comes into force in the UK on the 26th May 2011.The code requests consent from the user if the user gives consent then the plugin will ‘inject’ the GA code into the page, if they do not give consent (or do not click yes or no), no code is injected.The user also has the option to store these preferences permanantly, which will set a cookie, dealing with this, this again is ‘optional’ and as such is still complient with the law.This class is designed to resolve the EPD / PECR regulations ONLY for google analytics and that is what we use at Wolf Software.Demo page at http://cookies.dev.wolf-software.com

[...] a result, some European businesses are making noises about abandoning Europe for the United States. The problem is, in the digital age with so much of [...]

[...] Stupid EU cookie law will kill our startups stone dead [...]

[...] TechCrunch article sums it all up. Tweet Share and [...]

You are correct, this law is restricting functionality too much. While it is shocking in what detail sites can track users (see http://www.privacy-test.info), a regional law can never be a solution for this.

[...] queda tiempo, se lanzan a acuerdos deontológicos de míninos, porque se dan cuenta de un mundo sin cookies imposibilita miles de “Web Apps” y hace la experiencia de usuario cuando menos extraña, ¿Quién quiere, como [...]

[...] into force, which requires explicit consent by users who are tracked by cookies. This has received much criticism, while actually aiming to protect citizens. Originally, this consent was given via the browser [...]

[...] came into force, which requires explicit consent by users before placing cookies. This has received much criticism, while actually aiming to protect citizens. Originally, such consent was given via the browser [...]

You risk data leakage if you go by IP as that IP can be recycled many many times a week between different customers of that ISP. Depending on what data is being stored via it. Also, even if a customer has a static, everyone in the house would see the same ads you do, same settings, and anything else that was customized or changed using your IP as a method of identifying you.

Statistical is fine, in fact this is how AWStats works. AWStats, as far as I am aware, uses the web servers logs instead. Google Analytics wouldn’t work though so you’d lose out on certain data, data which could be used to determine which areas of a site need improving.

I do hosting, and I’m waiting for this law to be defined in plain English. I don’t know if I have to begin warning my users on the front page in big red writing that my site stores cookies when you log in and that by continuing they agree fully or whether it applies only to 3rd party cookies, or what. From comments here, apparently this doesn’t affect me (I don’t run any advertising or use any analytics system that relies on cookies) but I am still not sure.

This IS a loony EU thing.
 
Browsers have the capability of filtering Cookies, do many use them?
 
This is a typical knee jerk reaction to EU rulings by the UK government, and will be subject to the laws of unintended consequences, like hosting moving to the States or out of the EU.
Do you think the far East will give a flying f about this?
 
You say “The impact of the directive will depend on how individual member countries implement it”
 
The British Government not lay down and die for EU rulings they positively gold plate them, they then employ minions to prosecute all and sundry for not obeying.
 
The UKs ICO site has a beautiful solution to this loony edict, a very large and intrusive banner across the top of the site. This is typical of the EU, nothing is thought through, and is left to the clueless interepretation of governments. I sent a long list of queries to the ICO I’m still waiting.

This law has been ill thought out and planned, and will no doubt be gold plated by the UK as to cause the most work and inconvenience for honest site builders. Why not chase the likes of doubleclick.

“True, the advertising/targeting industry pays for those free sites we all enjoy, but it cannot live on distrust and ignorance either. ”

Yes much better to have Nanny to force us into things, she knows best.

Why? I am perfectly happy with Google analytics, it does the job.

Rob
Your post is very silly.
There is no “typical knee jerk reaction to EU rulings by the UK government”.  The truth is that the UK government has no alternative but to implement the EU directive.
And to say that that UK will “gold plate” this law has no basis at all.
In fact the UK implementation of the law is the best that we could hope for.
Firstly there is the one-year moratorium.
And secondly, the UK implementation provides that a user can consent to cookies (sufficient to satisfy the regulations) by amending or setting controls on the browser or “by using another application or programme to signify consent”. This is paragraph 3A in regulation 6  of the amended Regs.  There was no obligation in the EU directive upon the UK government to add this let-out.
These two things show clearly that the UK government is looking for a way out of the dilemma using the browser solution – see my article at http://www.sitecompliance.co.uk/ukcnewclaws.html

[...] gorgonzola sandwich. Crumbs. B’fhearr liom uisce [...]

[...] up security around browser cookies, which would be extremely difficult to enforce. (TechCrunch has an article on these plans from a business perspective) The problem with such a plan would not only be enforcibility but also the fact that we’re, [...]

[...] re-design issues will be minimal from a developers' point of view), though nonetheless there's the usual scaremongering which predicts that this will kill off EU-based start-ups by presenting a further turn-off in the user sign-up process, which US companies would not be [...]

This is amazingly stupid- A better solution would be for the EU to simply require browsers to have third-party cookies disabled by default.

Good thing, In Europe we are very about our privacy, here the consumer decides what and who is trying to get info, example MS, example Firefox geo location, always customer has to fix unwanted spyware. Therefore our law now made a good statement. Best thing is to stop using Google Firefox Apple MS browsers. The stupid argument that internet sites cannot exist because of pop ups and other commercial advertisement. Ofcourse users do not want companies unwanted to harvest on their PCs for data by use of cookies that often do much more then they legally are allowed to do.

Thanks for the clear reply Tom. 
The facebook “Like” button was the first thing on my mind. One thing is still not clear to me: should the website using the like button explicitly mention that cookies from facebook.com will be stored?

Thanks

[...] immediately, the entire tech industry was up in arms, explaining how this would kill any chance European tech startups have to succeed, compared to the [...]

[...] Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead – The problem of technically illiterate legislation, new EU cookie laws hurt the web: #eu #digital [...]

Fashionable Karen Millen dresses for women who do not use to wear? Then, throw the first stone, because here the Karen Millen sale accessory is designed to inform women about the latest trends, the latest developments in the market, however small.Because know that love is like a last these discount Karen Millen, is done in underwear, T-shirts, shirts, in which types of jackets are made, the type of Karen Millen dress, including underwear, and not on the bedding, pajamas, Karen Millen uk. are cute and love us and be informed of all because we knew that we intend to achieve in a Personal Shopper, where he trained as a professional fashion, trends fashion.They will teach the secret combination of discount Karen Millen dresses, as well as combinations of colors and fabrics. a personal shopper is a person to advise and assist others to do their shopping fashion accessories, as well as whether the client can not.Such courses can be found surfing the Web, but in these courses and teachers can find the form online, at home and without having to travel. Advisors to become discount Karen Millen dresses, will certainly be fun and entertaining for you.For the basic loop, you should buy earrings in white or black. With these slopes, use a flexible film. Do not mix with other jewelry. Use jewelry after using cosmetics, perfume and spray paint. This will prevent Karen Millen Coats on the surface of jewelry. Since the chain of jewelry can break easily, so you have to balance each ring year.Using silver jewelry will look at the situation and the state. If you go to the beach, it is best to put the jewelry before swimming. Do not wear jewelry when working in construction activities or rough. Your money can scratch easily. Silver Wash with mild soap and water. To clean the stain, you can use the money to Poland sold.

To makeMulberry Shoulder Bags even a more sensible choice for a child shower gift,yves saint laurent replica handbags the bags are comparatively cheap & you can find some great choices priced between $50 & $75.

Kalencom also offers a Fast Modify bag that is also very stylish & although not as sizable it folds out & is ideal for when you don’t need all the bells & whistles of the larger bags. They come in the same designs as the larger bags & provide an ideal matching Replica Tods Handbags when you don’t need thMulberry Shoulder Bags

Wallaboo bags come in a very fashionable style & colors that will fit any get-up a mom is wearing. This is of the things mothers out there’s taking in consideration. A child changing bag must be something convenient to carryover & the size ought to be right to be carried on a regular basis. These are the qualities you will find in Wallaboo bags! These bags are not over sized but have compartments & space to have all of your baby’s needs in place & organized. All bags from Wallaboo are made of quality material to provide maximum comfort so that it won’t be a hassle in carrying it on a regular basis.

GHD hair straighteners usually are combination of tresses hair straighteners straighteners by GHD that can assist you attain quick, exceptional hairdos in addition to tresses surface. The goods incorporates a state-of-the-art ceramic technological know-how.
Guru glasses undoubtedly are a lesser-known model that’s beencoach outlet online all around for quite a while. In addition, they complete excellent shopping bags, which they usually are superior regarded intended for. Guru glasses usually are coach bags outlet and so hip that they may likewise possibly be utilized seeing that equipment independent.
A couple high-heeled shoes and boots christian louboutin outlet usually are taking part in an essential purpose with ladies’ existence. High-heeled shoes and boots Christian Louboutin Boots Sale usually are rich in fascination to the majority of females intended for they will produce females think comfortable in addition to indicate the temperament.
Pandora Necklace in addition to Charm bracelets can certainly develop into the most beneficial treat due to people. Pandora necklace wristlets pandora charms on sale pandora bracelets sale         wilson tennis rackets dollars and get an economical just one or maybe devote in a lot more high priced tools? Which often model to settle on?

[...] To stimulate your thinking, here is another view written by Mike Butcher for TechCrunch. [...]

[...] Some experts believe that any site using cookies to collect data from users in the EU is subject to the Directive, but that it must still be decided how exactly enforcement will take place [16]. In an opinion on online advertising, the EU Working Party on Data Protection suggested that businesses outside of the EU who use cookies on EU users’ computers to collect personal data will fall under the e-Privacy rules [17]. However, the concerns of many EU e-commerce companies that the directive will drive online businesses to move operations to the US reflect a different expectation [18]. [...]

   tag: dr dre earphones
  beat headphones
  dr dre beats
  monster beats
  dr dre beat
  cheap monster beats
 
 
  discount monster beats
  discount beat headphones UK
  discount dr dre earphones UK
  discount beat headphones UK
  discount dr dre beats UK
 
 
  discount Monster Beats Solo
  discount Monster Beats Tour
  discount Monster Turbine
  discount Monster Diddy Beats
  discount Lady Gaga Headphones
 

Garments, that could aspect the United States kKaren millen dresses the partners, I really appeared to be very wealthy in a few on the methods, so I obtained Several with the Nordstrom outfits Betty Millen fur most women.online, they will found exposed to my house. Whenever i asked the actual alluring Calvin light-weight silk move attire you might be delighted by your darkish crimson strapless their tea time period angry tight outfit, as well as other forgotten about motivate white colored apparel. They are not only an authority, and so i ended up saving the rear of their own nhl jerseys karen millen coats attire.The earth is often more comfortable you have the sun’s rays mild will not be past an acceptable limit out, about a wise decision, so you often drastically Because of these kinds of components throughout minimal.costumes definitely not existing, just one based on a thingsummer leaned more detailed the actual karen millen outlet outfit. Though the advantages of the employment of the fact that, during summer, assisting you to basically minimize winter cover pickup limit knitted clothing in addition to mitts can be below the actual fast karen millen uk, zero, you do have to be at ease around the slow-moving purchase with mineral water dive bombs besides pants occasions ideal.

[...] the law they imposedUK websites crumble in face of EU cookie law – Cognique – Marketing by designStupid EU cookie law will hand the advantage to the US, kill our startups stone deadAn update on the EU cookie lawThe Webtrends Company Blog – More Clarity on EU Cookie LawsFirst [...]

[...] regulatory hand will ultimately do damage to both consumers and business. Congress should heed the warnings of European startups, and not follow down that same burdensome path. Cancel replyLeave a [...]

[...] regulatory palm will eventually do repairs to both consumers and business. Congress should mind a warnings of European startups, and not follow down that same fatiguing [...]

Moncler Doudoune Moncler Doudoune Prix Moncler Pas CherMoncler Doudoune Homme Moncler Doudoune Femmedoudoune monclerdoudoune moncler pas cherdoudoune moncler femmedoudoune moncler hommedoudoune canada goosekaren millen outlet karen millen dresses sale karen millen dresses karen millen coats karen millen online Air Max TN Pas CherTN Pas CherChaussure TN Pas CherTN Pas Cher Hommechanel chassic cheap chanel bags chanel bags sale cheap chanel necklace cheap nfl jerseysnfl custom jerseysnfl authentic jerseysnfl football jerseyscheap basketball jerseysDoudoune Moncler Pas CherDoudoune MonclerDoudoune Moncler FemmeDoudoune Moncler HommeMoncler Vesteskaren millen dresses salekaren millen dresseskaren millen coatskaren dresseskaren millen outletkaren millen dresseskaren millen coatsmax mara dressesmax mara coatburberry coatmonclermoncler prezzigiubbotti monclergiubbotti moncler donnamoncler cappottomoncler uomo cappottoTiffany On SaleTiffany SilverTiffany OutletBuy TiffanyTiffany Silver BraceletTiffany OutletTiffany Co OutletTiffany Jewelry OutletTiffany Silver NecklaceTiffany OutletTiffany Co OutletTiffany On SaleTiffany RingsTiffany Charm Braceletgiubbotti monclerpiumini monclergiubbotti moncler donnagiubbotti moncler uomomoncler cappotto donnagiubbotti moncler outlet
Chaussures TNAir Max TNChaussures TN Pas CherTN Requin Pas CherTN Pas Cher

beats by dre
monster headphone price
in ear headphone
Monster Butterfly by Vivienne Tam
Monster Headphone Cable

beats by dre
monster headphone price
in ear headphone
Monster Butterfly by Vivienne Tam
Monster Headphone Cable

thank you
very much for sharing this knowledge.

SEO
Services India   

We have put together a small site for people to be able to see how long they have left before the new law will start to be enforced.

http://countdown.wolf-software.com

We are also working on a complete cookie solution that will gain person for any type of cookie, we hope to have this available and verified by the ICO within a couple of weeks.

[...] en la Directiva sobre la privacidad de la UE, su cumplimiento puede significar un serio varapalo para las startups europeas. Cualquiera que haga un uso frecuente de Google Analytics, verá lo útil que es para elaborar una [...]

[...] [...]

Agreed Paul, there is nothing to paranoid about this new law. It’s about making a better experience for the user. It will take time for Chrome, IE to adapt this but I cannot see any reason for them to deny.

Joe from http://www.learnhowtomakearesume.com/

He moncler climbed to moncler prezzi the tree giubbotti moncler top, ate the giubbotti moncler donna apples, took  moncler cappotto a nap under the shadow… He loved moncler uomo cappotto  the tree and the tree loved to play with him.
One day, the boy Canada Goose  came Doudoune Canada Goose  back to the tree Canada Goose Pas cher and looked Dououne Moncler Femme sad. “Come and play with me Doudoune Moncler Homme Pas Cher ,” the tree asked the boy.
I am karen millen outlet  no longer karen millen dresses sale  a kid, I don’t play karen millen dresses  around trees anymore.” The boy replied karen millen coats , “I want karen millen online toys. I need money to buy them.”
Sorry, Bottes Ugg Pas Cher but I don’t  ugg Bottes femme have money Ugg Femme Pas Cher …but you can pick ugg classic  all my apples and sell them chaussures ugg pas cher . 
Today tiffany jewelry has been very popular With doudoune canada goose more than 170 years canada goose. canada goose parka is loved canada goose pas cher and worn by many women and girls  . canada goose femme is the witness and symbol of love and romance.
 doudoune canada gooseand canada goose femme , which do you love? Come to our site and buy the canada goose homme affordable . Your friends will be amazed to see the shiny and wonderful canada goose pas cher . canada goose parka let women be beautiful.
Maybe you love customized canada goose ; however there is something canada goose parka  much more special when you buy designer giubbotti canada . Designer canada donna  is very different to other forms of jewelry and stands out from the crowd. giubbotti moncler donna is the good example

A long Doudoune north face  time north face femme ago doudoune canada goose there was doudoune moncler femme  a huge doudoune moncler homme apple tree doudoune armani. A little boy loved doudoune AF to come and play around it every day .
The first day’s Tiffany Outlet sales total of 4.98 U.S. dollars Tiffany Co Outlet.Because tiffany jewelry is Tiffany On Sale so popular that Tiffany Rings replica tiffany jewelry appears. Replica Tiffany Charm Bracelet is copied by replica makers Tiffany Outlet for two reasons.
The first is to try and trick cheap nfl jerseys people. And then they will sell the replica nfl custom jerseys for you in high price tags nfl authentic jerseys. You may also like nfl football jerseys and cheap basketball jerseys
Another is to provide the good opportunity for TN Pas Cher people who do not have enough money getting authentic . Tiffany is considered as the best jewelry designer Chaussures TN around which is why many celebrities Air Max TN are proud to be seen wearing beautiful pieces of tiffany jewelry. Replica tiffany jewelry is much more affordable than Chaussures TN Pas Cher. Actually there are quite a few silver tiffany jewelry knock offs around. If you find a reliable seller, you can buy affordable TN Requin Pas Cher in top quality.
So, you will have money karen millen ” The boy was Karen Millen Dress so excited. He picked all Karen Millen UK the apples on the tree and left happily. The boy didn’t come back after Karen Millen Coat he picked the apples. The tree was sad.
Time went karen millen outlet by…The little boy karen millen dresses had grown up karen millen coats and he no longer max mara dresses  played  max mara coat around the burberry coat tree.
September 18, 1837, Charles Lewis Moncler Outlet Tiffany and John B. Young in New York Moncler Store , 259 Broadway, founded Tiffany & Young, an exclusive stationery and fashion goods boutique Moncler Down Jacket. They said that the sales of each commodity are marked “declined counter-offer Moncler Coat.” This initiative became the big news Moncler Women Jacket.

[...] wenn die Cookies gesetzt werden? Das würde allerdings die Benutzerfreundlichkeit stark senken und europäische Seiten stark benachteiligen. Die Gesetzgeber warten die Diskussion noch ab, was die aktuelle Situation allerdings nicht gerade [...]

[...] pointed out in March last year what a bad idea this would be for European technology companies. Entrepreneurs have held up their [...]