Forgot your password?
typodupeerror
Privacy United Kingdom Your Rights Online

UK "No Tracking Law" Now In Effect 208

Posted by samzenpus
from the no-cookies-for-you dept.
Fluffeh writes "The British Gov might have more cameras up on street corners than just about anywhere else in the world, but it seems that the Gov doesn't want anyone else stepping on the privacy of their folks. In what the media have dubbed the 'Cookie Law' all operators of websites in Britain must notify users of the tracking that the website does. This doesn't only cover cookies, but all forms of tracking and analytics performed on visitors. While there are potential fines up up to 500,000 pounds (Over US$750,000) for websites not following these new rules, the BBC announced that very few websites are ready, even most of its own sites aren't up to speed — and amusingly even the governments own websites aren't ready."
This discussion has been archived. No new comments can be posted.

UK "No Tracking Law" Now In Effect

Comments Filter:
  • by Nyder (754090) on Monday May 28, 2012 @05:09AM (#40133503) Journal

    Been hearing this my whole life.

    • by Anonymous Coward on Monday May 28, 2012 @05:15AM (#40133523)

      You have the voice of god in your head!

    • In this case, it seems to be more a case of "Do as the European bureaucracy says, not as we do, but our guys won't really go after you if you're being reasonable about the spirit of the rules anyway, as long as you don't take the piss."

    • by Splab (574204) on Monday May 28, 2012 @08:10AM (#40134153)

      Silly to post something like this when European obviously aren't around to debunk the crap in TFA.

      It's not about the British Government not wanting others to snoop on their citizens; the no cookie law is a European mandate and all member nations are required to implement it within the next few years.

      And yes, most sites are going to have some real trouble implementing this.

      • by DrXym (126579) on Monday May 28, 2012 @09:00AM (#40134431)
        It's not too hard to conform with the rules. It mainly involves getting user consent before issuing tracking cookies. i.e. a web filter might test for a user-has-consented-to-tracking cookie and redirect them to an informational page explaining what cookies or data is stored on the user's machine and what it does. If they click OK then the user-has-consented-to-tracking cookie is set and it's business as usual.

        Cookies to do with security, checkout baskets etc. are largely exempt. The law is to control analytics cookies from advertisers, sites that remember users and so forth.

        A bigger issue is this law is going to be hideously hard to enforce, there are plenty of edge cases to consider (such that the guidelines are 30 pages long) and at the end of the day it's not really doing much for the user. I think it would have been better to oblige EU sites under law to honour a "do not track" cookie sent by the browser with various levels of privacy control.

        • This is key, making the distinction for what the *purpose* of the cookie is. I hope they got that right in the legislation. Tracking cookies are probably fine to regulate. But they need to make sure they're not interfering with the stateless nature of the protocol we have to work around by using cookies, for keeping people logged in, shopping carts, or knowing this person has consented in the first place.

          • * It's reasonably clear (from most guidelines) that session cookies are fine, (because they are essential to functionality). Furthermore, implict consent is given by the act of logging in,

            * Long term preference cookies "remember my name and my customisations" are also OK, though it's usually good practice to notfiy the user (the T&C is sufficient for this).

            * Analytics cookies (eg Google Analytics) really should be covered by the directive, but basically aren't.

            * Evil (cross site advertiser tracking cook

        • by shiftless (410350)

          It's not too hard to conform with the rules.

          Sure, that's always how it starts. Then eventually they pile more and more and more and more fucking rules on everybody, until the whole goddamn thing collapses inward on itself from the weight of all the "know better than yous" and their "this is for your own good, I promise" "rules."

          Fuck this bullshit. If I don't web sites tracking me, then I should not a) run insecure software which allows them to do so, or b) visit said web sites. More laws is NOT the answer.

    • by dave420 (699308)
      I'd like to know which site they are referring to, as it seems there are plenty of cookies which are allowed to be used without any notice at all. It would appear, so far, this is just more "lol! stoopid government!" stuff. It would help you to check this stuff out before leaping on the bandwagon and making it worse.
  • by jholyhead (2505574) on Monday May 28, 2012 @05:14AM (#40133519)
    This is another example of what happens when you let computer illiterate politicians have a say in technology regulations

    To be fair, the ICO has proven itself utterly inept when it comes to enforcing its own regulations - I can't see them doing any better with this idiocy.
    • by bbn (172659) <baldur.norddahl@gmail.com> on Monday May 28, 2012 @05:51AM (#40133661)

      Why is killing ad-tracking "blowing it up"? Are you sure it is not you that is illiterate? Try reading up on the subject...

      They did not ban cookies. They are banning tracking. Not the same thing.

      Cookies are ok when necessary for the functionality of the website. Login cookies, webhops and so on are all ok.

      • by Anonymous Coward on Monday May 28, 2012 @06:42AM (#40133853)

        They are not banning anything. They are requiring notifying user about tracking. Not the same thing.

        If this means that every site just shows something like "We use cookies to give you best experience and provide relevant advertising. We also use few analytics scripts", people will simply start ignoring it just like they're clicking through EULAs now. After that, websites could even easily get people to consent to "... and also we'll watch you while you touch yourself. Here, we warned you" - most won't even notice.

        • by bbn (172659)

          People need to actively accept that you are tracking them. Just showing such text somewhere is not enough. Few sites are going to want people to read terms and require people to click accept before giving access to the site. Also you need to provide a way for people to opt out again (required).

          You need to be specific about each cookie and what you are going to use it for. If you ever add another cookie or change the use of the cookies, you need to ask permission again. Text such as "we use a few analytics s

          • by Anonymous Brave Guy (457657) on Monday May 28, 2012 @08:25AM (#40134251)

            People need to actively accept that you are tracking them. Just showing such text somewhere is not enough.

            Actually, the ICO seems to have pulled a complete U-turn with 48 hours to go, and now says that implied consent can be enough [ico.gov.uk].

            Whether that will stand up to the seemingly inevitable legal challenge in the European courts remains to be seen, but I suspect even the ICO think this is a dumb law behind the scenes, and their language has been softening substantially in recent weeks relative to their early advice.

            • by bbn (172659)

              They are confused. It is not possible to tell the user and at the same time not tell the user. It is very clear what you have to tell the user BEFORE setting any cookies, implied or not. So you need a landing page either way.

              The problem with Google Analytics is that Google is not telling what they are going to use the data for. You can not tell the user what you do not know yourself. So it is impossible to use Google Analytics until Google change their ways.

          • by Angostura (703910)

            Actually a new interpretation of the rules from ICO last week changes this. Presumed consent is now OK-ish.

    • It is the Civil Service. It has been commented, both by a retiring senior civil servant and an experienced Minister, that the Civil Service is full of people with dumb-as-a-very-dumb-thing ideas. The usual objection is that the proponents assume that everybody is exactly like them, and so once a law is passed people will just automatically obey it, and once an agency is set up it will instantly work perfectly.

      Normally these people are kept in warm environments with soft lighting so they can't hurt themselve

      • by jc42 (318812)

        It has been commented, both by a retiring senior civil servant and an experienced Minister, that the Civil Service is full of people with dumb-as-a-very-dumb-thing ideas. The usual objection is that the proponents assume that everybody is exactly like them, and so once a law is passed people will just automatically obey it, and once an agency is set up it will instantly work perfectly.

        Yeah, and in this case there's an even worse aspect to the problem: This is a law pertaining to the actions not of people, but of software. All the AI dreaming to the contrary, software doesn't act the least bit like a human mind. The chance of any software being written that satisfies this and other laws will differ only infinitesimally from zero. We have a lot of software people here on /., and they should all be a bit nervous about being held responsible for their software that tries to satisfy this

  • by Anonymous Coward on Monday May 28, 2012 @05:14AM (#40133521)

    because atm, ghostery reports 10 diffrent tracking entities.

  • by Anonymous Coward on Monday May 28, 2012 @05:19AM (#40133529)

    At the same time as this happens across all of Europe, they roll out INDECT and the Data Retention Directive.

    How about I follow each of the MEPs around and write down on a list everyone they speak to, when they speak and where, over the course of 6 months? That would probably mark me as a terrorist.

    • by 1s44c (552956)

      That would probably mark me as a terrorist.

      Didn't you see the news for the last few years? Under current UK laws everyone is a terrorist.

      • by tehcyder (746570)

        That would probably mark me as a terrorist.

        Didn't you see the news for the last few years? Under current UK laws everyone is a terrorist.

        Yeah, and there's like this book called 1984 which I just read, and it's a sort of prophecy of what happens in the UK when you let socialists like George Osborne take control.

  • by stiggle (649614) on Monday May 28, 2012 @05:20AM (#40133543)

    While the British government might have implemented, the law comes from the EU.
    It actually came in last year and websites were given a year grace to enable the features required.
    Its that grace period which has expired, not that the law has now suddenly been introduced.

    • by Chrisq (894406)

      While the British government might have implemented, the law comes from the EU.

      It will be interesting to know if there was much gold plating [wikipedia.org] though.

      • by Rogerborg (306625)

        I wouldn't expect so, avoiding gold plating (or claiming to) seems to be a particular hobby horse of the current bunch of clown in Westminster.

        Anyway, enforcement is what matters, and given the utter contempt in which the toothless watchdogs at the ICO are held by the industry, I doubt they'll be falling over themselves to comply with this latest dictat.

  • by Gordonjcp (186804) on Monday May 28, 2012 @05:30AM (#40133575) Homepage

    The British Gov might have more cameras up on street corners than just about anywhere else in the world

    It doesn't, though. The whole "eleventy billion cameras in the UK" thing was made up by one of the screaming right-wing tabloids a few years ago, by counting all the CCTV cameras in about a half-mile stretch of the main street of a fairly scummy part of London, and multiplying by the total length of all the roads in the UK. So, the figure is probably accurate *if* you assume that every single road in the UK has lots of off-licenses, bookmakers, cheque cashing centres, "we buy scrap gold" shops the like - but, it isn't. For the figures to be correct, you'd have to have something like one camera every 60 metres or so on *every single road* right down to farm tracks.

    Most cities in the UK have no more CCTV than cities in the US - and if you think US cities don't have CCTV then I wonder what you think CCTV cameras look like...

    • by Anonymous Coward on Monday May 28, 2012 @05:52AM (#40133671)

      The British Gov might have more cameras up on street corners than just about anywhere else in the world

      It doesn't, though. The whole "eleventy billion cameras in the UK" thing was made up by one of the screaming right-wing tabloids a few years ago, by counting all the CCTV cameras in about a half-mile stretch of the main street of a fairly scummy part of London, and multiplying by the total length of all the roads in the UK. So, the figure is probably accurate *if* you assume that every single road in the UK has lots of off-licenses, bookmakers, cheque cashing centres, "we buy scrap gold" shops the like - but, it isn't. For the figures to be correct, you'd have to have something like one camera every 60 metres or so on *every single road* right down to farm tracks.

      Most cities in the UK have no more CCTV than cities in the US - and if you think US cities don't have CCTV then I wonder what you think CCTV cameras look like...

      Slash-groupthink at its best. This is a group that will argue for hours over each subclause of copyright law, but will never question statements like this. (That and figure out that the UK != England).

  • by beebware (149208) on Monday May 28, 2012 @05:50AM (#40133657) Homepage
    48 hours before the law came into force, the ICO issued new guidelines at http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx [ico.gov.uk] which basically reads as "If the user's browser accepts cookies, then they agree to the cookies being stored". Making the whole things pretty moot. Why they waited until the "11th hour" to state the obvious is annoying...
    • by digitig (1056110) on Monday May 28, 2012 @06:32AM (#40133829)

      48 hours before the law came into force, the ICO issued new guidelines at http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx [ico.gov.uk] which basically reads as "If the user's browser accepts cookies, then they agree to the cookies being stored". Making the whole things pretty moot. Why they waited until the "11th hour" to state the obvious is annoying...

      I can't find that in there. The nearest I can find seems to be "If the user's browser accepts cookies, and the user has a good understanding of what cookies are and how they are used then they agree to the cookies being stored", with the onus being on the site owner to prove that the users have that level of technical knowledge before setting cookies. That would probably be ok for a tech site, but not for a site aimed at the general public. The one site I manage doesn't use cookies, but if I wanted to implement analytics for example then I reckon I'll still need to implement a landing page.

      • I think he means the following from the website link:

        • "Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
        • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
        • by mrbester (200927)

          Quite. There's nothing to see here any more. For implied consent you just need a suitably descriptive privacy policy page, which most sites already have. The 11th hour relaxing means everybody can pretty much carry on as usual

          • by digitig (1056110)

            Quite. There's nothing to see here any more. For implied consent you just need a suitably descriptive privacy policy page which the users pass through before any cookies are set, which most sites don't already have. The 11th hour guidance means things are as bad as was feared.

            FTFY

            .

            More quotes from the guidance:

            "It has been suggested that the fact that a visitor has arrived at a webpage should be sufficient evidence that they consent to cookies being set or information being accessed on their device. The key here is that the visitor should understand that this is the case. It is important to note that it would be extremely difficult to demonstrate compliance simply by showing that a user visited a particular site or was served a particular advertisement unless it could also be d

            • All of which seems to mean I would need to provide a landing page to explain about cookies before taking the user to any pages on which analytics are applied

              Most of the implementations I have seen so far just land the user on the page, but don't load the analytics javascript. The page has a "Accept cookies read more on our cookie description page" bar across the top and when the user clicks Accept it then loads the javascript. Others just have a bar that states "By continuing to use this website you are con

  • by jcupitt65 (68879) on Monday May 28, 2012 @05:59AM (#40133697)

    The regulations are not actually as crazy as this story makes them out to be. Here are the latest guidance notes from ICO:

    http://www.ico.gov.uk/news/blog/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx [ico.gov.uk] (PDF)

    Page 10 has a summary table with some examples of banned (ie. explicit permission required) and OK cookies:

    ALLOWED

    shopping basket cookies
    security cookies (banking, session id, etc.)
    load balancing track things

    BANNED

    analytical cookies (eg. count unique users)
    advertising, both first and third party
    remembering users between sessions for trivial purposes, eg. display a "welcome back" banner

    • by alexgieg (948359)

      analytical cookies (eg. count unique users)

      Because God forbid website owners aggregate information for optimization purposes. After all, let's all just pretend IE is everything everyone uses, all our users male, there's no purpose in trying to figure out anything precisely, optimizing for our best wild guesses and/or for whatever industry marketers says is fine, and only evil people engage in this newfangled silliness called "math".

      Jokes aside, I predict UK will see a surge in AWStats usage, plus a resurgence of very long URLs (including old-style w

      • by radio4fan (304271)

        I predict UK will see a surge in AWStats usage, plus a resurgence of very long URLs (including old-style web bugs with very long URLs).

        This wouldn't get around the law. Non-cookie based tracking is also covered.

        The media may call it the 'Cookie law', but the article title's "No tracking law" is more accurate.

      • by mvdwege (243851)

        And God forbid you should actually read the EU directive and the UK law and think instead of jerking your knee.

        'Banned' cookies means they are banned if you place them without prior consent.

        Mart

  • by Zocalo (252965) on Monday May 28, 2012 @06:17AM (#40133779) Homepage
    Where sites have actually implemented this new directive, the implementations often suck just as much as the law, which is not particularly surprising given how poorly it's worded. If you have cookies disabled through your default browser policies the end result on many sites where is a permanantly visible prompt to "Click here to read and accept our cookie policy". Yep, that's right. You have to enable cookies to let them set a cookie that says they will not use cookies to track you.

    I'm fairly sure that some of these sites realise that you could set a cookie, immediately try to read it back and if that fails assume cookies are blocked skipping the display of the prompt, and either way you remove the cookie. But no, this law is so poorly written it's not totally clear whether even this would be a breach of the legislation or not and clarification has still not been provided, so as usual for the EU the intention might be good, but the implementation leaves a hell of a lot to be desired. In this case, I can see a number of people are going to end up re-enabling cookies just to get rid of the prompts and end up getting tracked by all those sites who don't implement the law because they are outside the EU's jurisdiction and/or just don't care - completely the opposite of the desired effect.
  • by Geeky (90998) on Monday May 28, 2012 @06:53AM (#40133903)
    All this will do is harm European companies at the expense of ones based elsewhere.

    I've seen UK based sites start to implement this, but there's no chance that Facebook, Google etc will follow suit - so if the tracking actually does have monetary value, we've just guaranteed that only non-European companies can benefit from it. Woohoo.

    • by AmiMoJo (196126)

      Facebook and Google will follow suit because they have significant business interests in Europe. They have to comply with local laws to do business here, it is as simple as that.

      • by Geeky (90998)

        Facebook and Google will follow suit because they have significant business interests in Europe. They have to comply with local laws to do business here, it is as simple as that.

        I'm not sure, every article I've read seems to refer to websites based here rather than visible from here. I have yet to see anything that implies the law would be applied to sites hosted elsewhere or by companies based outside of the UK.

        • by 0123456 (636235)

          I'm not sure, every article I've read seems to refer to websites based here rather than visible from here. I have yet to see anything that implies the law would be applied to sites hosted elsewhere or by companies based outside of the UK.

          Don't forget 'The Cloud'. Last time I tried a traceroute to my web site it appeared to be in Germany... I've no idea where it might be running today.

        • by AmiMoJo (196126)

          Google and Facebook do host services in Europe. Otherwise latency to the US would be terrible and their sites about as slow as crap like PayPal. Both Google and Facebook have offices in the UK with registered UK subsidiaries.

          Look at Microsoft. Fined millions by the EU for breaking competition rules. They are a US company.

  • by hack slash (1064002) on Monday May 28, 2012 @07:42AM (#40134037)
    This new law is fucking ludicrus, I generally block all cookies except certain websites, and one of the UK websites I visit has put a pink banner at the top warning about the cookie crap saying I will only see it once, but it relies on cookies to tell wether the banner has already been displayed, meaning it's ALWAYS there because I've blocked cookies on that site.

    Who the fuck came up with the idea of using cookies to warn you about the use of cookies?
  • FTA, " amusingly even the governments own websites aren't ready." I'd be in favor of an Eat-Your-Own-Dogfood law that stipulates that a) laws that apply to private businesses also apply to the government, and b) no law need be implemented by the private sector until implemented by the government.
  • you don't need some govt to tell ( companies | you ) what ( they | you ) can or can not do.

    NO - you, the user, need to learn how to properly setup and use your browser.

    Cookie-Whitelist in Mozilla Firefox [youtube.com] setting up a cookie whitelist in Firefox requires no add-ons. It uses default functionality present in Firefox.

"Just Say No." - Nancy Reagan "No." - Ronald Reagan

Working...