
This is being blown out of all proportions.

http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/...

Read point 50.

The general gist seems to be that if you use a cookie to track the communications between you and the user (à la sessions), no problem. But if you are using cookies to track where and/or what the user has been doing across sites, then you need to make said user aware.

Please correct me if I am wrong.




Thanks for posting the link - upvoted. However, I'm interpreting it a little differently. Consent is not just required for tracking across sites according to point 50 of that document. Their example of something that would require consent is storage of language preferences. That has nothing to do with cross site tracking.


The bit in question: "For example, pursuant to the last sentence of this Article a data subject may not benefit from information and the right to oppose the processing of his/her data if a cookie collects his language preferences or his location (e.g. Belgium, China) as this kind of cookies could be presented as having as objective the facilitation of the transmission of a communication"

I think this regards storing the user's locale information in a cookie ... you wouldn't need to store this in a cookie if you can store it on your server, which links the locale information via a session cookie.


I don't think that kind of difference matters in the eyes of those who created the directive. I believe if you store a cookie that is later used to recover locale information stored on your server, that would not exempt you from the consent and refusal provisions. But I could be wrong.

[Edit] In any event, I agree with you that the article blows this issue completely out of proportion.


> I don't think that kind of difference matters in the eyes of those who created the directive.

Note: what matters is the difference in the eyes of those who interpret the directive. In this sense, the actual verbiage (and not authorial intent) is paramount.


The linked document looks to me like a recommendation to alter the tabled amendment - and as things currently stand then language preferences and the like will not be exempt. Hence clause 51 stating "to prevent this we propose the following amendment to the article ..."

But I've only skimmed through it and it's making my head hurt.


You are not wrong. Some examples: A login for your site needs no consent. A session to store some status-message to a user ("comment posted!") is allowed just fine. But Google (analytics) must provide a warning before it is allowed to track people, because it tracks people across domains and sites.

edit: I wrote opt-in but meant to say "provide a warning"


Google Analytics does not track user behaviour across domains and sites, unless those domains and sites are specifically linked.

Google Analytics uses a 1st-party cookie set by the website that runs it.

http://code.google.com/apis/analytics/docs/concepts/gaConcep...


Google Analytics is a third party service that is tracking users' behaviour around the Internet, quite possibly without their knowledge or consent. It doesn't matter what the original site operator can see. Google can see everything. This is exactly the kind of shady behaviour that this law is supposed to prohibit, and Google getting screwed on this point appears to be in keeping with both the letter and the spirit of the law.


So how do the police distinguish between a harmless session cookie and an evil tracking cookie?


So we'll be able to use a cookie to store the user's preference once they've selected to allow or disallow tracking via Google Analytics?

EDIT: This [1] seems quite useful.

[1] http://www.google.com/support/forum/p/Google+Analytics/threa...



