Yes, the lack of tracking cookies is doom and gloom for those who want to track people.
That's kind of the point of the law. People should be free not to be tracked.
Here's an interesting question, though. Does the law prevent you from preventing users from using the site if they don't accept the cookies? Free websites each some of their money from advertising, and they optimize that advertising (among other things) with tracking cookies. If websites start demanding that you accept cookies, it won't be long before there are 'auto-accept cookies' plugins and such for lazy web users.
Because let's be honest. If people -really- cared they'd block the cookies with a plugin or refuse to visit sites that use them. And most people haven't.
I find it extremely ironic that the end result of the scenario you describe is that the people who right now make a conscious decision and effort to avoid being tracked will end up screwed.
I hadn't thought of it like that, but it's true. If things happen like I suggested, it will actually result in less freedom for people who care about it, and the same for those who don't.
This is why the effect of laws should be thoroughly researched before they are passed. Hoping for the best isn't good enough.
"Yes, the lack of tracking cookies is doom and gloom for those who want to track people."
I believe that some level of tracking should be allowed by default, unless a user goes out of their way to avoid it.
Much the same as walking into a supermarket, I don't want them knowing what shop I just came from, and what I usually buy (unless I sign up for that stuff), but if they want to count how many times I visit in a week, or what sex I am, anonymously, why should I get a say in stopping that?
Possibly biased given I work in digital marketing, but I don't think so.
Maybe a good compromise would be to disallow session based cookies without opt-in. Sites could still store values like 'visits=11;opt-in=rejected;zip=94304;locale=en_US'.
It would be much more transparent as to what the site is tracking and relatively easy to police.
For what it worth, The Netherlands accepted a law last tuesday that requires excplicit opt-in for all third-party cookies for all websites that are aimed towards a Dutch audience. The industry is required to comply by the summer of 2012, altough it claims it's not possible to implement this law, since it requires the use of cookies to keep track of the visitor's preferences.
The industry in The Netherlands continues to implement the opt-out registry found at www.youronlinechoices.org, since it sees the law as not technically possible.
Go visit http://www.ico.gov.uk/ and notice the large cookie warning at the top of the page. I'm all for empowering users and increasing their privacy, but it's going to become very annoying if this starts to appear on a lot of web sites.
EU citizens will complain about this law when the web starts to act like Windows Vista, constantly asking for your permission.
This issue is directly relevant to something I'm working on, so I went to visit the ICO page when the rules changed a few days ago. I actually laughed out loud. The sort of totally-overdone-in-your-face-don't-ignore-me-I'm-important presentation they have chosen is completely unnecessary under the new rules, and just makes them look like fools (which is a shame, because most of the time the ICO are reasonably clued up and some of the good guys).
I also had cause to visit a handful of other government web sites that day. Every single one of them was blatantly illegal under the new laws.
This isn't surprising, people don't want to be stalked online anymore than they want to be stalked in the real world. If sites are worried about having to bring up a big dialog saying "please let us track you and everything that you do" hurting their site traffic perhaps they should just give up on tracking users.
If 90% say no to a dialog there probably isn't much point in asking, and asking probably turns people away from your site. The only reason that this kind of stalking didn't turn people away in the past is because it was hidden from them.
When Parliament went to ban the practice, the cable monopolies had the giant brass balls to complain that if they actually had to ask consumers if they wanted to spend money on new channels, the consumers would say "no," which would hurt the television industry. Whereas if they could just start charging money and force consumers to pick up the phone and cancel the service, well, people wouldn't do that.
Appalling, and it seems to be the same mentality at work.
Your analogy to real-world "stalking" breaks down a bit. For one, real stores do record customers. It's called security cameras. If you're in someone's store you should assume that they have video of you there. Why should that be any different on the internet? If you visit my "store" I should be free to record that.
Secondly, and more importantly, you make it seem like the user is merely an innocent victim, however the user is choosing to use a browser which accepts and explicitly sends cookies with every request. If they don't like that they are free to turn off cookies in their browser, or use a browser which doesn't accept cookies.
> If you're in someone's store you should assume that they have video of you there. Why should that be any different on the internet? If you visit my "store" I should be free to record that.
The ethics of that position break down if you're offering an essential service and everyone takes the same view: now people have no choice but to be recorded, even though on privacy grounds that isn't necessarily a good thing.
The solution to that problem is to legislate that people's personal privacy outweighs a business's desire to track them, and while the specific rules we're talking about here are perhaps not ideal, I think going in that direction is going to become more and more important in the next few years as automated data mining technology can be used to profile ever more details about ever more people.
Your analogy to an online store breaks down as well ... you have a users IP address, and what part they accessed, thus you have logged this user.
What supermarkets don't do and what cookies do allow now is for you to track said user over multiple visits. If I go to a supermarket and buy food and pay with cash, they don't have a record of me having come in three days ago to purchase the exact same items. With a cookie that is set for 12 years in the future you will know it is me visiting again, and again, and again.
Devil's advocate here. What about all the content producers and services that rely on advertisements for the bulk of their income? I'm afraid the result of this law will be a drop in online advertising, or at least a drastically lower price due to less demographic information about visitors. Less advertising money means more incentive for content producers and service providers to charge users directly, instead of charging advertisers. As much as I value my privacy, I don't want the rest of the web to follow the example set by The New York Times. I realize we'll have to see how things play out, but I don't think my fears are baseless, and I certainly don't think a law is the answer to this problem.
It would be nice to think that this will lead to a workable micropayments system. Relying on ad funding has never been a sustainable business model (edit: for the kinds of site you're talking about) if only because ad blockers will eventually kill it.
Rather than trying to prop up a dying business model, we need to develop new ones that do cater to the needs of both consumers and providers. I suggest we try the radical "we make something you find useful, and you pay us a fair price for it" model that I hear was used by a couple of bricks 'n' mortars places with some success. :-)
Edit: I would gladly pay a small flat fee for, say, a month of access to the BBC's web site, provided that this could be done with trivial effort and with decent tools to track my total spend and some sort of simple refund/guarantee policy that works for any site using the system. If that also means I can throw a bone to other sites I value to help with their running costs, I don't have a problem with that either.
Ok, so the law makes cookies illegal. What about browser fingerprinting? Does the law say anything about that? (I did a quick Google search and was unable to find the text of the law)
If browser fingerprinting or other covert tracking devices aren't spelled out in the law, this isn't going to mean squat. If you're not familiar with this technology, go to http://panopticlick.eff.org/ and see just how unique you look. You'll be surprised.
This is the pinprick in the balloon: the rules relate to storing information on your visitor's system, not to anything they send you anyway that you keep on your own server. Given that (for reasons I've never understood) most browsers are quite happy to send a near-unique set of data every time they request a page, I expect a whole bunch of tools will rapidly rise to prominence over the next few months for precisely this purpose.
Edit: Also, the law does not make cookies illegal. There is way too much FUD in the discussions of this topic. The rules are about restricting cookie use (a) without explicit user consent and (b) to do things that aren't necessary to provide a service the user has requested.
The basic position is not unreasonable, they're just perhaps not going about it in the most helpful way. But most of the vehement criticism is coming either from people who don't understand or from people who have built a business model by doing unsavoury things and don't like that they just got spanked for it.
Someone correct me if I'm entirely wrong, but I thought the point of the law was to stop third-party cookies being used to track users.
That is, if you want to track your users - that's fine, use as many cookies as you like and don't ask anyone's permission. But it's your job to do the tracking, you can't outsource it to Google.
I'm afraid you are indeed entirely wrong. The rules are not specific to third party cookies. There are some very tight exemptions for cookies or similar technologies where their use is genuinely necessary to provide a requested service, such as for remembering that someone is logged in or the contents of a shopping cart. Anything outside that scope, including using the same cookies for tracking/advertising purposes, is against the rules without explicit user consent.
Thanks. After reading the ICO's guidance, so it seems. I was, in fact entirely wrong.
As someone elsethread pointed out, if this is taken seriously, people will just start browser fingerprinting. That at least means that the information is stored server-side rather than client-side, which the new directive seems particularly concerned about.
The spirit of these regulations was undoubtedly to inhibit the practice of cross-site tracking using third party cookies or cookie-like technology. However, neither the EU directive nor the laws that implement it make a distinction between first and third-party cookies. They only distinguish between those that are "strictly necessary" (which I take to mean cookies that if you block them would prevent the site from functioning at all) and those that are not.
Tracking within your own website for analytical purposes doesn't fall under the functional interpretation of "strictly necessary"; your site continues to function just fine if the Google Analytics beacon isn't fired, or can't distinguish between a first-time visitor and a repeat visitor or follow a particular user through the site.
I have heard people argue that analytics are operationally strictly necessary; that we need some insight into the behaviour of site visitors in order to operate an online business effectively. There may be something in that interpretation, but I'm a lowly web architect, not a lawyer. As such, I would be wary of accepting this more lenient interpretation without significant input from someone more schooled in the laws of our land (or any land, for that matter) than I.
23 comments
[ 3.5 ms ] story [ 60.2 ms ] threadThat's kind of the point of the law. People should be free not to be tracked.
Here's an interesting question, though. Does the law prevent you from preventing users from using the site if they don't accept the cookies? Free websites each some of their money from advertising, and they optimize that advertising (among other things) with tracking cookies. If websites start demanding that you accept cookies, it won't be long before there are 'auto-accept cookies' plugins and such for lazy web users.
Because let's be honest. If people -really- cared they'd block the cookies with a plugin or refuse to visit sites that use them. And most people haven't.
This is why the effect of laws should be thoroughly researched before they are passed. Hoping for the best isn't good enough.
I believe that some level of tracking should be allowed by default, unless a user goes out of their way to avoid it.
Much the same as walking into a supermarket, I don't want them knowing what shop I just came from, and what I usually buy (unless I sign up for that stuff), but if they want to count how many times I visit in a week, or what sex I am, anonymously, why should I get a say in stopping that?
Possibly biased given I work in digital marketing, but I don't think so.
It would be much more transparent as to what the site is tracking and relatively easy to police.
The industry in The Netherlands continues to implement the opt-out registry found at www.youronlinechoices.org, since it sees the law as not technically possible.
http://www.iab.nl/2011/06/21/kamer-stemt-voor-ondubbelzinnig...
Google translate: http://translate.google.com/translate?js=n&prev=_t&h...
EU citizens will complain about this law when the web starts to act like Windows Vista, constantly asking for your permission.
I also had cause to visit a handful of other government web sites that day. Every single one of them was blatantly illegal under the new laws.
If 90% say no to a dialog there probably isn't much point in asking, and asking probably turns people away from your site. The only reason that this kind of stalking didn't turn people away in the past is because it was hidden from them.
http://en.wikipedia.org/wiki/Negative_option_billing
When Parliament went to ban the practice, the cable monopolies had the giant brass balls to complain that if they actually had to ask consumers if they wanted to spend money on new channels, the consumers would say "no," which would hurt the television industry. Whereas if they could just start charging money and force consumers to pick up the phone and cancel the service, well, people wouldn't do that.
Appalling, and it seems to be the same mentality at work.
Secondly, and more importantly, you make it seem like the user is merely an innocent victim, however the user is choosing to use a browser which accepts and explicitly sends cookies with every request. If they don't like that they are free to turn off cookies in their browser, or use a browser which doesn't accept cookies.
edit: fixing typo
The ethics of that position break down if you're offering an essential service and everyone takes the same view: now people have no choice but to be recorded, even though on privacy grounds that isn't necessarily a good thing.
The solution to that problem is to legislate that people's personal privacy outweighs a business's desire to track them, and while the specific rules we're talking about here are perhaps not ideal, I think going in that direction is going to become more and more important in the next few years as automated data mining technology can be used to profile ever more details about ever more people.
What supermarkets don't do and what cookies do allow now is for you to track said user over multiple visits. If I go to a supermarket and buy food and pay with cash, they don't have a record of me having come in three days ago to purchase the exact same items. With a cookie that is set for 12 years in the future you will know it is me visiting again, and again, and again.
Rather than trying to prop up a dying business model, we need to develop new ones that do cater to the needs of both consumers and providers. I suggest we try the radical "we make something you find useful, and you pay us a fair price for it" model that I hear was used by a couple of bricks 'n' mortars places with some success. :-)
Edit: I would gladly pay a small flat fee for, say, a month of access to the BBC's web site, provided that this could be done with trivial effort and with decent tools to track my total spend and some sort of simple refund/guarantee policy that works for any site using the system. If that also means I can throw a bone to other sites I value to help with their running costs, I don't have a problem with that either.
If browser fingerprinting or other covert tracking devices aren't spelled out in the law, this isn't going to mean squat. If you're not familiar with this technology, go to http://panopticlick.eff.org/ and see just how unique you look. You'll be surprised.
Edit: Also, the law does not make cookies illegal. There is way too much FUD in the discussions of this topic. The rules are about restricting cookie use (a) without explicit user consent and (b) to do things that aren't necessary to provide a service the user has requested.
The basic position is not unreasonable, they're just perhaps not going about it in the most helpful way. But most of the vehement criticism is coming either from people who don't understand or from people who have built a business model by doing unsavoury things and don't like that they just got spanked for it.
That is, if you want to track your users - that's fine, use as many cookies as you like and don't ask anyone's permission. But it's your job to do the tracking, you can't outsource it to Google.
I'm afraid you are indeed entirely wrong. The rules are not specific to third party cookies. There are some very tight exemptions for cookies or similar technologies where their use is genuinely necessary to provide a requested service, such as for remembering that someone is logged in or the contents of a shopping cart. Anything outside that scope, including using the same cookies for tracking/advertising purposes, is against the rules without explicit user consent.
As someone elsethread pointed out, if this is taken seriously, people will just start browser fingerprinting. That at least means that the information is stored server-side rather than client-side, which the new directive seems particularly concerned about.
Tracking within your own website for analytical purposes doesn't fall under the functional interpretation of "strictly necessary"; your site continues to function just fine if the Google Analytics beacon isn't fired, or can't distinguish between a first-time visitor and a repeat visitor or follow a particular user through the site.
I have heard people argue that analytics are operationally strictly necessary; that we need some insight into the behaviour of site visitors in order to operate an online business effectively. There may be something in that interpretation, but I'm a lowly web architect, not a lawyer. As such, I would be wary of accepting this more lenient interpretation without significant input from someone more schooled in the laws of our land (or any land, for that matter) than I.