> The ones with text inside them, or the other ones with text inside them? I don't understand how you decide between good and evil cookies.
Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user.
> Why is there a temporal component ( a couple of months ), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.
Of course there will be new visitors who will have no idea about the opt-in approach previously taken by the ICO. You are quite right to identify that to those users, the previous opt-in approach was irrelevant. Rather than focusing on individual users, to me, the ICO's approach is to identify what steps a site is taking to educate its users in general.
In reality, I'm sure a large proportion of users will click whatever box they are told to if it means they can access a site or remove a banner but that doesn't mean that a site should be excused of its obligation to at least provide information to those users who may want to learn more about the cookies being set.
In terms of content, I should have been clearer, I meant content providing clear information on the types of cookies being set.
> I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.
Yes, any law should provide clear limits to its effect to people can know when they are breaking it. From what I have read, the ICO is likely to adopt a consultative approach to enforcement in terms of letting a site know that they consider that the site could do more to educate its users as to the cookies that are being set when a user visits. By information, I mean relevant information in the form of a policy clearly explaining to users the cookies that will be set when a user visits the site.
> I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.
Heh, no, I did not create this law. I agree that ambiguity is bad, and that responsible businesses who sought to implement solutions before the ICO's u-turn on implied consent last May have incurred expenses unnecessarily which is not how laws are meant to operate.
The elephant in the room is that in certain quarters, the UK's approach to interpretation/enforcement falls short of that required to comply with the terms of the Directive. Whilst this may be the case, I'm sure sites would prefer to be subject to the ICO's softer approach at this stage than have to implement a full opt-in and be subject to harsh enforcement.
Your proposal might make a degree of sense - however, a trade mark owner's rights would generally not be revoked for lack of enforcement. A grant of trade mark rights as you mention would be subject to an implied licence which Disney could arguably revoke at any time. At worst, if they did not take action against an unlicensed use, they could be deemed to have acquiesced in the usage, and be prevented from taking enforcement action subsequently. This may be a more appropriate analogy than simply having the underlying rights (mark or legislation) removed.
I'm not particularly positive about the law itself and acknowledge that it is adding confusion and additional costs to businesses in terms of compliance. My only concern is that posts like the Silktide one are unnecessarily bias against the law and are essentially just preaching to the converted (developers/IT professionals etc are aware of how cookies work and what purposes they achieve).
The position I laid out above is only really my interpretation of the ICO's current stance. Although completely anecdotally, only last week, some colleagues who I would consider to be your average internet user were commenting on how weird it was that adverts in relation to sites that they had previously visited were appearing on other sites. If the cookie law means even a small proportion of users are educated about cookies, I think this is a good thing.
>>> "Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user."
And the arbitrator of this decision is: Some lawyer? This is why this entire law is so fantastically absurd.
Technically under the directive, any storage of information on the user's system should have the full consent of the user, with the exception of information which is strictly necessary for the functioning of the service requested by the user (see 2009 amendment to the original directive[1]).
Consequently, it's not necessarily at the determination of a lawyer, but I think the ICO has acknowledged that this is a difficult proposition so is taking a softer approach to enforcement.
At the very least the distinction could very easily be drawn between cookies which facilitate the sharing of information on the user's usage of multiple sites, to cookies which deal solely with the user's usage of the site where the cookie is set.
No, consent is not assumed. From my understanding, most browsers are generally set up to accept cookies automatically. If it was the other way round, and users had to physically change their settings, this could be an appropriate opt-in.
The E-Privacy Directive specifically contemplates browser solutions as being a potential solution, however, I understand that at this stage, there isn't an acceptable implementation.
If for example a browser on first load asked what I wanted to do with cookies during that session, that might be acceptable.
I suspect browser makes are hesitant to work towards a solution because it would obviously be a blanket policy when it may be more appropriate for a more nuanced one dependent on each each site's cookie usage.
You can obviously configure cookies in your browser settings but I imagine for most users this option is overly complex for them to understand.
Sorry for the brevity, but the only thing I can think of is: A-fucking-men. This is a colossal waste of time and resources, and it's a completely distraction from other -real-, -actual- privacy concerns that every day citizens should have. This is not one of them, and there is already a solution.
Actually that would be a good potential solution to have cookies on browsers automatically disabled but one that advertising networks and companies that rely heavily on advertising revenue (Google for example) are lobbying hard against for obvious reasons. As a result, I don't think this option will make an appearance anytime soon.
Yes, of course, on a basic level, there is no difference between cookies but I think it's reasonable to say that they can achieve different purposes, particularly in terms of the information that they can allow third parties to collect on a user.
> Why is there a temporal component ( a couple of months ), surely new visitors come all the time? Why is the content relevant? According to their stats, 10% of the users explicitly consented. Switching to implied consent on that basis makes no sense.
Of course there will be new visitors who will have no idea about the opt-in approach previously taken by the ICO. You are quite right to identify that to those users, the previous opt-in approach was irrelevant. Rather than focusing on individual users, to me, the ICO's approach is to identify what steps a site is taking to educate its users in general.
In reality, I'm sure a large proportion of users will click whatever box they are told to if it means they can access a site or remove a banner but that doesn't mean that a site should be excused of its obligation to at least provide information to those users who may want to learn more about the cookies being set.
In terms of content, I should have been clearer, I meant content providing clear information on the types of cookies being set.
> I'm pretty sure it's not OK to say 'You might be breaking the law, but we'll let you know once we decide to prosecute'. 'Very little information' is a terrible metric; there's an implication that quality is also necessary. If I populate my user-tracking page with mathematical proofs, I've encoded information on that page - potentially a lot. It doesn't mean anything.
Yes, any law should provide clear limits to its effect to people can know when they are breaking it. From what I have read, the ICO is likely to adopt a consultative approach to enforcement in terms of letting a site know that they consider that the site could do more to educate its users as to the cookies that are being set when a user visits. By information, I mean relevant information in the form of a policy clearly explaining to users the cookies that will be set when a user visits the site.
> I appreciate that you didn't create this law (I hope). Ambiguity is bad. And expensive. All this backtracking they've been doing, it wastes my time, it wastes some civil servant's time, and it accomplishes nothing. It seems like these policies should be like trademarks; subject to dilution if they aren't suitably enforced. If Disney decided to give everyone two years to use their logo free and clear, or they only prevented 'content-free' uses, they would lose that mark.
Heh, no, I did not create this law. I agree that ambiguity is bad, and that responsible businesses who sought to implement solutions before the ICO's u-turn on implied consent last May have incurred expenses unnecessarily which is not how laws are meant to operate.
The elephant in the room is that in certain quarters, the UK's approach to interpretation/enforcement falls short of that required to comply with the terms of the Directive. Whilst this may be the case, I'm sure sites would prefer to be subject to the ICO's softer approach at this stage than have to implement a full opt-in and be subject to harsh enforcement.
Your proposal might make a degree of sense - however, a trade mark owner's rights would generally not be revoked for lack of enforcement. A grant of trade mark rights as you mention would be subject to an implied licence which Disney could arguably revoke at any time. At worst, if they did not take action against an unlicensed use, they could be deemed to have acquiesced in the usage, and be prevented from taking enforcement action subsequently. This may be a more appropriate analogy than simply having the underlying rights (mark or legislation) removed.
I'm not particularly positive about the law itself and acknowledge that it is adding confusion and additional costs to businesses in terms of compliance. My only concern is that posts like the Silktide one are unnecessarily bias against the law and are essentially just preaching to the converted (developers/IT professionals etc are aware of how cookies work and what purposes they achieve).
The position I laid out above is only really my interpretation of the ICO's current stance. Although completely anecdotally, only last week, some colleagues who I would consider to be your average internet user were commenting on how weird it was that adverts in relation to sites that they had previously visited were appearing on other sites. If the cookie law means even a small proportion of users are educated about cookies, I think this is a good thing.