The general gist seems to be, that if you use a cookie to track the communications between you and the user (à la sessions), no problem. But if you are using a cookies to track where and/or what the user has been doing across sites then you need to make said user aware.
Thanks for posting the link - upvoted. However, I'm interpreting it a little differently. Consent is not just required for tracking across sites according to point 50 of that document. Their example of something that would require consent is storage of language preferences. That has nothing to do with cross site tracking.
The bit in question: "For example, pursuant to the last sentence of this Article a data subject may not
benefit from information and the right to oppose the processing of his/her data if a cookie collects his
language preferences or his location (e.g. Belgium, China) as this kind of cookies could be presented as
having as objective the facilitation of the transmission of a communication"
I think this regards storing the users locale information in a cookie .. you wouldn't need to store this in a cookie if you can store it on your server which links the locale information via a session cookie.
I don't think that kind of difference matters in the eyes of those who created the directive. I believe if you store a cookie that is later used to recover locale information stored on your server, that would not exempt you from the consent and refusal provisions. But I could be wrong.
[Edit] In any event, I agree with you that the article blows this issue completely out of proportion.
> I don't think that kind of difference matters in the eyes of those who created the directive.
Note: what matters is the difference in the eyes of those who interpret the directive. In this sense, the actual verbiage (and not authorial intent) is paramount.
The linked document looks to me like a recommendation to alter the tabled amendment - and as things currently stand then language preferences and the like will not be exempt. Hence clause 51 stating "to prevent this we propose the following amendment to the article ..."
But I've only skimmed through it and it's making my head hurt.
You are not wrong. Some examples: A login for your site needs no concent. A session to store some status-message to a user ("comment posted!") is allowed just fine. But Google (analytics) must provide a warning before it is allowed to track people, because it tracks people across domains and sites.
edit: I wrote opt-in but meant to say "provide a warning"
Google Analytics is a third party service that is tracking users' behaviour around the Internet, quite possibly without their knowledge or consent. It doesn't matter what the original site operator can see. Google can see everything. This is exactly the kind of shady behaviour that this law is supposed to prohibit, and Google getting screwed on this point appears to be in keeping with both the letter and the spirit of the law.
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/...
Read point 50.
The general gist seems to be, that if you use a cookie to track the communications between you and the user (à la sessions), no problem. But if you are using a cookies to track where and/or what the user has been doing across sites then you need to make said user aware.
Please correct me if I am wrong.