Please kill this cookie monster to save Europe's websites
Crummy cookie cutting law really takes the biscuit
Opinion Visit any website and there's a good chance that it will send a cookie to your computer. But unless that cookie is essential, its delivery could become illegal under a strange new plan that has, very quietly, won EU support.
Under plans endorsed by the European Commission, the Council of Ministers and the European Parliament, we would have a choice: stop using Google Analytics or ask visitors for permission to send that cookie when they visit. Like an over-enthusiastic greeter, the latter approach requires us to welcome even casual passers-by with a "Hi, how are you today?" and an invitation to wear a visitor's badge.
Most websites use Google Analytics (including the site of the UK's privacy chief, at ico.gov.uk) or a similar traffic analysis tool, and that is just one use that sites make of cookies. We’re all subject to this requirement for prior consent – or so it seems. The trouble is, we don't know what the law really means. Nobody does, because the proposed law is ambiguous. (See the relevant sections or full text.)
This simple approach to cookie compliance is under threat.
The new law says that cookies can be delivered to a user's computer only if that user "has given his/her consent, having been provided with clear and comprehensive information" unless it is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
So if I'm shopping at Amazon.co.uk and I put a book in my shopping basket, Amazon can use a cookie to remember which book I want when I proceed to the checkout. That is a cookie that's essential to the service I've explicitly requested. But if Amazon wants to use a cookie for another purpose, e.g. to monitor shopping basket abandonment, it needs my consent.
This sounds bad, but a recital to the new law sounds like an escape clause. In any Directive, recitals are listed before the formal 'Articles'. They provide an introduction to the new law, sharing the lawmakers' rationale for the provisions that follow. Curiously, the cookie recital includes a suggestion that conflicts with the main Article.
The new cookie recital says: "The user's will to accept processing may be expressed by way of using the appropriate settings of a browser or other application."
Most browsers have a default setting that allows cookies. Most people never change that (and many don't know that the setting exists). So a court might reasonably question how consent can be implied from a default setting. If no question is asked, silence does not convey consent.
A lot of us just don't want some marketing company tracking of movements and trying to sell us crap.
What you say is all well and good now, but there is a large potential for abuse, and that is what most people would be concerned with. Last night I clicked a link on a blog and ended up reading some other blog that was very right-wing and kind of scary. I do not like the idea that such information is recorded, and might be able to be used against me. What if I'm accused of a crime and the police demand my records from google? they might put up a fight NOW, but you only have to look at how things were 10 years ago to see how quickly things change. Such a thing could become common procedure.
But really, the bottom line is people enjoy their privacy, and this is a matter of privacy.
"When someone visits OUT-LAW.COM for the first time, our site endeavours to send that visitor's computer a cookie. We do this with some help from Google, which offers a free service called Google Analytics."
Get a grip. Collect your own data and do your own analyses, it's not that hard.
Also, I wonder whether it's possible to link Google analytics cookies to the different sites that produce them. Or if Google can do it - a quick skim suggests they can - and you can't be sure what they are actually doing with the data.
The proposed law doesn't go far enough, but well done EU so far!
There was a big scramble in the last few months of this package. Pro-phorm UK policy makers were weakening the 'choose to refuse'. There was also a page and half from Ofcom suggesting Internet could be treated like a Cable TV network leading to net discrimination clauses - the wiki amendments and AT&T amendments. There was also the 'three strikes' clauses being pushed by UK and French civil servants.
Parliament did catch the three strikes and pushed the package to conciliation. In the UK the Lib Dems Sara Ludford and Caroline Lucas of the Greens were active, as were UKIP and the Scottish Nationalists. As late as last week iptegrity.com was reporting on meetings to squeeze the legislation through. Tory MEP Malcom Harbour (the rapporteur - the proposer) keeps re-assuring fellow MEPs he is acting in the customer interest, but putting a Tory on a Customer Protection committee is a bit like Alastair Campbell being in charge of a Truth commission, it's just not in their genes, they do not get it. Mr Harbour is Mr Cameron top internet expert, be worried!
Amidst the arguing, Internet access was declared a right and thus much of the net discrimination clauses were weakened, but they were adopted. It remains to be seen whether the conciliation process opens up the nasties in the adopted clauses or whether they remain. The lack of scrutiny and accountability is awful as the conciliation process happens behind closed doors.
What is clear is that tens of thousands made their voice heard and those in the smaller parties listened, so I will voting for them on June 4th.