back to article Planned 'cookie law' update will exacerbate problems of old law – expert

Newly proposed reforms to EU ePrivacy rules could exacerbate problems that stem from existing rules governing the use of "cookies". The plans, outlined by the European Commission earlier this year, would not resolve the problem businesses currently have in finding mechanisms for obtaining device users' consent to cookies that …

  1. Spindreams

    Cookie permission laws by individual countries are pointless, the very people who you would rather not allow cookies from are the very people who don't give a shit about it and won't offer you the option. Until the option is baked into the browser all it does is make the experience worse for those sites that bother to implement the rules.

  2. Anonymous Coward
    Anonymous Coward

    Really, it's much simpler.

    Ban tracking cookies. Completely. They have no reason to exist.

  3. Anonymous Coward
    Coat

    What is this all about anyway?

    Or put differently: what is the underlying intent exactly? Is this still about protecting customers from getting tracked, or is this about throwing weight around and patting yourself on the back on how great you are? Maybe secretly trying to secure a nice income in the form of fines?

    I mean, really? 10 million fine for something as trivial as a cookie? Who comes up with those braindead ideas?

    And while thousands if not millions of Euro's are wasted over endless debates about this whole trivial issue the "European citizens" have yet to get any formal ruling or law on how Europe will deal with compromised servers and all the problems those generate. I've yet to see a politician suggest better safety and regulations around all the modern IoT crapola.

    But a vending machine which is capable of knocking out an entire network is obviously much less important than a cookie on a website. A cookie which any modern webbrowser knows how to get rid of in this day and age I might add...

  4. Anonymous Coward
    Anonymous Coward

    "anyone who picks up their friend's smartphone"

    I'm not a lawyer, but IMHO I'd classify them as an "end user" anyway - they are still on this side of the screen. Then if he or she performs an unlawful action there should be other laws to apply.

    Also, those writing the rules should stop thinking in a "web centric" way, and extended the rules to any kind of data stored and transmitted to identify and track the user - regardless if it is a web site, an application or the OS (and even the hardware) itself - no matter how they are stored and transmitted. Any kind of collection and transmission should be clearly opt-in, and no service limitations must occur if anybody opts-out. I'm more worried of what Android and Windows 10 can collect, because from web sites I can try some protection measures, against apps and the OS is far harder.

    No exception should also occur for "beacons" or other annoying technologies (I already hate salespeople approaching me when I'm just looking at something...) - especially since I'm maybe just with someone else and I'm not interested in your offerings at all.

    Fine should be also multiplied for the number of users...

  5. Anonymous Coward
    Anonymous Coward

    "...This includes IP addresses and MAC addresses and, for mobile phones, IMEI and IMSI information.

    Collection of such "emitted" information would be permitted in one of two circumstances. It would be permitted:

    to the extent necessary to establish a connection; or on displaying a clear and prominent notice outlining at least the "modalities" of the collection..."

    So weblogs would require you to have a notice displayed saying that you are collecting IP addresses (as opposed to a notice saying you are using cookies)?

  6. Haku

    I hope it means an end to this bollocks:

    "This in-your-face annoying popup is obscuring part of our website because by law we have to tell you we use cookies to track you. You can go ahead and click that little X in the corner but it won't do any good other than make this message go away, we're still going to track you. [X]"

    Because browsing in incognito mode or using cookie scrubbers makes browsing the web bloody frustrating with all those mandated by law popups.

  7. Baldy50

    But...

    Flash and zombie cookies that are not removed so easily?

    1. Dan 55 Silver badge

      Re: But...

      BetterPrivacy extension.

    2. edge_e
      Facepalm

      Re: But...

      You still have flash installed ?

      1. TRT Silver badge

        Re: You still have flash installed ?

        Required component for the CISCO ISE dashboard.

        Yes, I know!

  8. Mage Silver badge
    Devil

    Cookies

    They should only be on sites you explicitly log on to. Anything else is probably evil and abusive.

    I block 3rd party cookies entirely and that doesn't break anything. Why isn't that the default in Firefox?

    Some newspapers block all images if you block their cookies, so I set cookies on newspapers to be deleted on session exit.

    Google Analytics and third party icons with javascript is also an abuse of privacy. Problem is amount of money and effort some companies spend on lobbying and propaganda.

    1. Rhyd

      Re: Cookies

      "Google Analytics ... is also an abuse of privacy."

      Please elaborate.

      1. TRT Silver badge

        Re: third party icons with javascript

        Like the SSL badges that provide quick and dirty second verification of certificate and page identity?

  9. Anonymous Coward
    Anonymous Coward

    This is nothing, I'm waiting for the GDPR wailing to start...

    Slightly off-topic for the ePrivacy bits, but small and micro businesses are going to be bitten deeply by the new GDPR regulations - and not just IT companies or managers, as it is all personal data records. The big change from current DP regulations is that businesses and other organisations have to demonstrate they comply. 'Demonstrate' means a whole bunch of documentation, policies, processes, formal audits and reviews - it's not enough just to behave responsibly, or simply state what is collected and why, as at the moment. Instead they will need to provide "all necessary information" to show that they are "implementing technical and organisational measures" and for this to be done every three years.

    As a result GDPR is going to (and already is) unleashing an army of data protection compliance consultants. And as non-IT companies and organisations (like the local sports clubs) start to understand the requirements I'm expecting a howl of protest. It's one thing to say 'you must not' - to say 'you must' with a consequential financial cost is another thing entirely.

  10. Spudley

    The main problem with the "Cookies law" is the use of the word "cookies". It is trying to address a general practice but it targets a specific technology,

    There are several means of tracking people other than cookies. Organisations that want to track you can skirt the cookies law entirely by simply not using cookies, and tracking you via some other technique instead.

    In the meanwhile, cookies are the most convenient way of achieving several other goals, such as logging in and maintaining your site preferences, all of which are inconvenienced by the cookies law.

    In order to be effective, a new rule would need to:

    1. Not mention cookies or any other specific technology by name, except possibly by way of giving an example.

    2. Target the actual use cases that are deemed to warrant user confirmation, namely persistent tracking of users.

    Even with these changes, there would still be a lot of scope for problems, where the rules are ambiguous or where technology has moved on, but hopefully this would be a better starting point than the one we have now.

    1. TRT Silver badge

      Yes. A very loosely worded use/abuse law that could be tested in court in particular use cases.

      "It is illegal for any company, individual or other legal entity to use electronic communications in such a manner as to undermine or bypass the freedoms and privacies of individuals or groups."

      "Exceptions apply for the purposes of law enforcement, fraud prevention where the entity is regulated," etc etc

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like