Funniest thing I found this morning. In all seriousness I can't see the EU actually being able to enforce these new rules at all.
Under what sort of jurisdiction would it function? On websites visited from the EU? On websites hosted in the EU? More probable websites with EU domain names? On companies registered within the EU?
Just seems like a system that will be impossible to enforce and will drive businesses out of different domain spaces or hosting geographies. The companies will merely go around these rules, making them a waste of time, sanity and money.
Then comes the real argument: are storing cookies on a website a privacy risk? Don't we consent to it by default by using a modern (circa 1995) web browser?
Coming from Germany, where these kinds of things have become law, I can say that this is intended against European website owners (both private and corporate). It's a money-making scheme that allows lawyers to send out what would accurately translate as "Admonishments", one step up from the US-style "Cease and Desist", allowing them to legally rip people off to the tune of 1000 € or more. It's already commonplace in Germany. To profit from this scheme, you just have to be a certified attorney, then you can send out as many of these costly and legally-binding letters as you want. No recourse, no appeal, no trial.
This is simply not true.
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service", taken from the directive, states that most uses of cookies will not force to explicit consent!
Without storing UUIDs (unique user ids) in cookies you're severely limited in gathering metrics for scaling up your business. For example:
- you cannot determine if the user that just made a sale today by coming directly to your website is the same user that saw your Google Ads 3 days ago and clicked on it. You have no idea if paying 1 USD per click is worthy since you can no longer track that 1-to-10 conversion rate for your $20 product.
- you cannot determine in A/B user testing if the increased metrics are for the users seeing the homepage layout for the first time or for the users that are at a returning visit.
- you cannot get visibility into your acquisition costs (except for users buying something or logging in on their first visit) which prevents you from increasing budget on good-performing marketing channels and killing the rest, which in turns prevents you from scaling your business (while your competitors have free reigns in doing so).
Of course that you can, but your users must be aware of this practice, even if they enabled it on a browser level (Something that the comments to the directive, used for the enforcement, clearly write).
I wonder, should this terrible idea actually move forward, if console.log() would be a viable replacement for using alert().
This would kill two birds with one stone: the first being the annoyance of constant alerts and the second being a faster death to (older versions) of IE since they can't handle console.log without using extra JavaScript.
So, has anyone actually read the actual document. From his tone it doesn't appear this blogger has done so..
Here's the specific piece of text that covers this new legislation:
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities
There is a very clear exception in there when the service is explicitly requested by
the subscriber or user; so that covers login cookies, perference cookies etc.
It also talks about making the process user friendly; so popup boxes don't seem to comply with that specific suggestion (ironically meaning that the attempt here to stick to "the letter of the law" actually goes dead against it :P).
My feeling here is "meh", this doesn't strike me as an attempt to deal a crushing blow to the use of cookies. It looks to me like some specific piece of legislation that can be used to hit the more evil users of tracking cookies and those circumventing the "I don't want any cookies pls" settings of browsers (i.e. Flash Cookies). A piece that has been badly worded.
On the other hand it does seem to cover the use of 3rd party analytics software that use tracking cookies. Which is unfortunate and potentially a problem in places like Germany where the lawyers will just love to make merry hell with such legislation :) (privacy laws are a favourite of their legal eagles for some reason!).
Either way; they really need to iron out the ambiguity just to stop this firestorm of moaning.
But at this stage, as an EU based web host/developer etc, my state of being is "not worried yet".
11 comments
[ 3.1 ms ] story [ 36.5 ms ] threadUnder what sort of jurisdiction would it function? On websites visited from the EU? On websites hosted in the EU? More probable websites with EU domain names? On companies registered within the EU?
Just seems like a system that will be impossible to enforce and will drive businesses out of different domain spaces or hosting geographies. The companies will merely go around these rules, making them a waste of time, sanity and money.
Then comes the real argument: are storing cookies on a website a privacy risk? Don't we consent to it by default by using a modern (circa 1995) web browser?
Websites operated by companies registered in the EU seem like a reasonable guess.
Or maybe they'll go ICE on everyone and enforce this on .eu and each of the national ccTLDs. You never know, better start spreading FUD!
- you cannot determine if the user that just made a sale today by coming directly to your website is the same user that saw your Google Ads 3 days ago and clicked on it. You have no idea if paying 1 USD per click is worthy since you can no longer track that 1-to-10 conversion rate for your $20 product.
- you cannot determine in A/B user testing if the increased metrics are for the users seeing the homepage layout for the first time or for the users that are at a returning visit.
- you cannot get visibility into your acquisition costs (except for users buying something or logging in on their first visit) which prevents you from increasing budget on good-performing marketing channels and killing the rest, which in turns prevents you from scaling your business (while your competitors have free reigns in doing so).
This would kill two birds with one stone: the first being the annoyance of constant alerts and the second being a faster death to (older versions) of IE since they can't handle console.log without using extra JavaScript.
Hilarious implementation in the link though :)
Here's the specific piece of text that covers this new legislation:
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities
There is a very clear exception in there when the service is explicitly requested by the subscriber or user; so that covers login cookies, perference cookies etc.
It also talks about making the process user friendly; so popup boxes don't seem to comply with that specific suggestion (ironically meaning that the attempt here to stick to "the letter of the law" actually goes dead against it :P).
My feeling here is "meh", this doesn't strike me as an attempt to deal a crushing blow to the use of cookies. It looks to me like some specific piece of legislation that can be used to hit the more evil users of tracking cookies and those circumventing the "I don't want any cookies pls" settings of browsers (i.e. Flash Cookies). A piece that has been badly worded.
On the other hand it does seem to cover the use of 3rd party analytics software that use tracking cookies. Which is unfortunate and potentially a problem in places like Germany where the lawyers will just love to make merry hell with such legislation :) (privacy laws are a favourite of their legal eagles for some reason!).
Either way; they really need to iron out the ambiguity just to stop this firestorm of moaning.
But at this stage, as an EU based web host/developer etc, my state of being is "not worried yet".