
> the type of cookies

The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.

> The ICO considers that due to having had explicit consent on their site for a number of months, and due to the information generally available on their site, it was ok to switch to an implied consent approach

Why is there a temporal component (a couple of months), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.

> it is not guaranteed that an implied consent will be appropriate

I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.

> I appreciate that this creates ambiguity

I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.



"I don't understand how you decide between good and evil cookies."

It's all in the intended use.

Good cookies: Session cookies for ecommerce and other transactional style web interaction

Bad cookies: Advertisers' tracking cookies that track users across multiple sites without their knowledge or consent.

See?


How about "session cookies for ecommerce and other transactional style web interaction, that track users across multiple sites without their knowledge or consent"? Are these good or bad?

We can decide on a case by case basis whether any particular use of cookies is good or bad, but coming up with a generic rule to do so is fraught with difficulties.


Well those would be bad, as they've clearly strayed well beyond necessary use of cookies as a mechanic of the website operating and into tracking people without their knowledge or consent.

What about "Tracking people without their knowledge or consent" being A Bad Thing is hard to understand?

The original poster said "in certain cases, implied consent would be appropriate and this is judged on the basis of the type of cookies that a site is looking to set". Your example clearly goes beyond.


"...necessary use of cookies as a mechanic of the website [operation]..."

My shopping cart cookie that tracks you across multiple websites is necessary because it keeps my prices lower than my competition giving me the competitive advantage and my customers a better price on the things they want.

Your turn.


Nope, you're still tracking someone without their consent, your reason is nothing to do with the technical operation of your website.

Keep trying though, this is entertaining.


By tracking the user across many websites we can give personal recommendations of new products the user might like based on their surfing habits. For instance depression is correlated with erratic surfing behaviour. By making use of these types of relationships we can offer our customers what they need when they need it.

Another good feature is what we call multisite one-click shopping. Having to enter address, credit number, cvc etc on lots of websites is daunting for the customer and can hurt conversions.

/s


Cool, all sounds useful, so you have no issue asking for the user's permission to do this?

Because it's still not technically necessary for the functioning of whatever it is that the user is trying to do on your particular site.

These are all fine business reasons but (AFAICT) the entire intent of the law is that business reasons are not good enough to track people without their explicit knowledge and permission that that is what you're doing.

(yes of course they fouled up on the coding and execution of the law, bureaucrats were involved)


Yet again, semantics matter.

You didn't originally say "technically necessary," but my argument is not with you. It's with half-baked legislation. Does the legislation make the distinction? You use the phrase "technically necessary for the functioning of..." and the business guys in the company will continue to argue that yes, this is technically necessary for the functioning of their company/website/business etc.

Ask the engineers whether these things are "technically necessary" to facilitate the business plan, because the business plan is the entire reason the company exists. The answer is yes. I'd suspect the workaround is that you just don't do business with people who don't want to be tracked.

Are we going to start legislating every detail of business?


"the business guys in the company will continue to argue that yes, this is technically necessary for the functioning of their company/website/business etc."

Except it's not.

"Ask the engineers whether these things are "technically necessary" to facilitate the business plan, because the business plan is the entire reason the company exists. The answer is yes."

The business plan is irrelevant. You're clutching at (false) straws here and you know very well what I mean by technically necessary for the functioning of the site, the law and/or guidelines even talk about implied consent covering only what is needed to allow the interaction between a site (the site you are ON, not a third party) and the user. In any other circumstances you have to ask. I don't understand what you find so hard about this - are you setting the cookie to enable the user to have a session on your site? Cool. Are you using it to track their movement? Not cool. End.

"Are we going to start legislating every detail of business?"

Where it starts to impinge on personal privacy, I hope so, yes.


> The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.

Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user.

> Why is there a temporal component (a couple of months), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.

Of course there will be new visitors who will have no idea about the opt-in approach previously taken by the ICO. You are quite right to identify that to those users, the previous opt-in approach was irrelevant. Rather than focusing on individual users, to me, the ICO's approach is to identify what steps a site is taking to educate its users in general.

In reality, I'm sure a large proportion of users will click whatever box they are told to if it means they can access a site or remove a banner but that doesn't mean that a site should be excused of its obligation to at least provide information to those users who may want to learn more about the cookies being set.

In terms of content, I should have been clearer, I meant content providing clear information on the types of cookies being set.

> I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.

Yes, any law should provide clear limits to its effect so people can know when they are breaking it. From what I have read, the ICO is likely to adopt a consultative approach to enforcement in terms of letting a site know that they consider that the site could do more to educate its users as to the cookies that are being set when a user visits. By information, I mean relevant information in the form of a policy clearly explaining to users the cookies that will be set when a user visits the site.

> I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.

Heh, no, I did not create this law. I agree that ambiguity is bad, and that responsible businesses who sought to implement solutions before the ICO's u-turn on implied consent last May have incurred expenses unnecessarily which is not how laws are meant to operate.

The elephant in the room is that in certain quarters, the UK's approach to interpretation/enforcement falls short of that required to comply with the terms of the Directive. Whilst this may be the case, I'm sure sites would prefer to be subject to the ICO's softer approach at this stage than have to implement a full opt-in and be subject to harsh enforcement.

Your proposal might make a degree of sense - however, a trade mark owner's rights would generally not be revoked for lack of enforcement. A grant of trade mark rights as you mention would be subject to an implied licence which Disney could arguably revoke at any time. At worst, if they did not take action against an unlicensed use, they could be deemed to have acquiesced in the usage, and be prevented from taking enforcement action subsequently. This may be a more appropriate analogy than simply having the underlying rights (mark or legislation) removed.

I'm not particularly positive about the law itself and acknowledge that it is adding confusion and additional costs to businesses in terms of compliance. My only concern is that posts like the Silktide one are unnecessarily biased against the law and are essentially just preaching to the converted (developers/IT professionals etc are aware of how cookies work and what purposes they achieve).

The position I laid out above is only really my interpretation of the ICO's current stance. Although completely anecdotally, only last week, some colleagues who I would consider to be your average internet user were commenting on how weird it was that adverts in relation to sites that they had previously visited were appearing on other sites. If the cookie law means even a small proportion of users are educated about cookies, I think this is a good thing.


>>> "Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user."

And the arbitrator of this decision is: Some lawyer? This is why this entire law is so fantastically absurd.


Technically under the directive, any storage of information on the user's system should have the full consent of the user, with the exception of information which is strictly necessary for the functioning of the service requested by the user (see 2009 amendment to the original directive[1]).

Consequently, it's not necessarily at the determination of a lawyer, but I think the ICO has acknowledged that this is a difficult proposition so is taking a softer approach to enforcement.

At the very least the distinction could very easily be drawn between cookies which facilitate the sharing of information on the user's usage of multiple sites, and cookies which deal solely with the user's usage of the site where the cookie is set.

[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...


> Technically under the directive, any storage of information on the user's system should have the full consent of the user

Isn't consent assumed by the fact that they've configured their browser to accept cookies?


No, consent is not assumed. From my understanding, most browsers are generally set up to accept cookies automatically. If it was the other way round, and users had to physically change their settings, this could be an appropriate opt-in.

The E-Privacy Directive specifically contemplates browser solutions as being a potential solution, however, I understand that at this stage, there isn't an acceptable implementation.

If for example a browser on first load asked what I wanted to do with cookies during that session, that might be acceptable.

I suspect browser makers are hesitant to work towards a solution because it would obviously be a blanket policy when it may be more appropriate for a more nuanced one dependent on each site's cookie usage.

You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.


> You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.

Can't one argue the same thing for setting up your website to be compliant with this law?

The fact that the easy and free solution is to just tell users to turn off all cookies in their browsers makes any laws of this type a waste.


Sorry for the brevity, but the only thing I can think of is: A-fucking-men. This is a colossal waste of time and resources, and it's a complete distraction from other -real-, -actual- privacy concerns that everyday citizens should have. This is not one of them, and there is already a solution.


Actually that would be a good potential solution to have cookies on browsers automatically disabled but one that advertising networks and companies that rely heavily on advertising revenue (Google for example) are lobbying hard against for obvious reasons. As a result, I don't think this option will make an appearance anytime soon.



