Every time I hear this cookie debate, I feel I must be missing something.
If you don't want to be tracked. TURN. COOKIES. OFF.
There is a reason all web browsers come with per-domain cookies policies. We don't need a cookie law. We need some common sense. Everyone is looking to make this someone else's responsibility. Guess what: Your digital security and privacy is your responsibility. I hate this entire debate because:
1) Cookies serve a very, very valuable purpose in website development. Client-side storage is used in basically every major website on the internet.
2) This is hardly low-hanging fruit, and we have much, much bigger problems.
3) Who is the arbiter of what "allowed use" cookies are? We're going to have someone who actually decides, for individual websites, whether cookie use is proper or not? Is it going to work like a DMCA take-down request? An individual sends a request to review a website's cookie policies, and that IT department will have to submit a technical analysis and provide reasons for their cookie usage when a user feels their rights have been violated?
4) You know where this is going? Every single website that you register on is just going to give you a EULA-type agreement when you create an account. New to Facebook? Enter your username, click this checkbox that says "I accept your terms", and that's it.
Normal users will just roll with basically any terms you present to them. Making this entirely ineffective except for the small minority of people, like many here, who are hyper vigilante about digital privacy.
For the people this is meant to protect, they will likely never even think about it and opt-in anyway.
5) I completely reject the notion of getting politicians to dictate requirements to the tech industry in terms of how to handle the web stack. Let the politicians get back to blaming each other for X failures and make Y promises to the public, and get out of my internet.
> If you don't want to be tracked. TURN. COOKIES. OFF.
...except that's not going to be enough to make you untrackable[1]. As far as I know, short of some extreme Tor practices (new Tor connection for every session, no simultaneous sessions), there's no way to make yourself truly untrackable.
Of course not. Just as no system is truly secure. But let's not dive off into hypotheticals, let's talk practically. With cookies off you are practically untrackable.
I just tried your link. Here are my results: "Your browser fingerprint appears to be unique among the 2,399,190 tested so far."
I'm one in roughly 2.4 million. That's untraceable enough for me :p
One in 2.4 million means you are unambiguously uniquely identified out of 2.4 million clients, which is the exact opposite of untraceable. If your browser fingerprint was similar to 2.4 million other browser fingerprints, then you would be untraceable.
1 in 2.4m is being similar to ~150 other Americans. Not good odds for hiding among the crowd once non-client browser specific identifying clues are taken into account, such as browsing habits. 1 in 2.4m is being similar to ~400 other facebook users, and facebook knows a lot more about its users than just the client browser fingerprint.
Within the group of people using Panopticlick, you're just as trackable without cookies as with cookies -- that doesn't seem very untrackable to me. Note that it's one in 2.4M at the moment, but that's the best it's going to get because the number of people trying Panopticlick is only going to go up.
> Your browser fingerprint appears to be unique among the 2,399,190 tested so far
That isn't 1:2.4e6, that is at best 1:2.4e6, they have only run 2.4 million tests and so can't say anything more than that. Your browser fingerprint could easily be unique in the whole world.
Until I change just one of those identifiable metrics, that is, right? As soon as I change, for instance, my screen resolution I am another unique user and am no longer identified with the previously unique fingerprint.
Surely, if someone installed insidious software on every single page of the internet and tracked me everywhere, there could be a way to use some fuzzy logic to re-identify myself. But we're way into the deep end on hypothetical again, right?
My main point is that, practically speaking, it isn't very.
Not really. If you change those metrics and then re-login to any account that is cooperating with the person trying to track you, you've lost your anonymity again.
Wow, great link! Does anyone know if that is as effective with mobile browsers (e.g. iOS)? I'd expect mobile browsers to be far more alike than your typical desktop browser is...
The problem with just turning cookies off (in the UK anyway) is that with the new cookie law every second site now has an annoying message telling you about their cookie policy and you are now going to see it on every page.
Some are even modal which could render the site useless.
If "the masses" don't like being tracked in indefinite detail on the internet, and want the government to do something about it, then the government should be teaching people how to configure their browser cookie settings... or maybe funding development in open-source browsers (or extensions to same) to make such configuration easier... something like that, anyway. Whatever the specifics, client-side's the place to do it.
I nearly stopped reading after the second sentence, and I definitely stopped after your first "argument".
I don't want to be stalked, period. Not turning cookies off should not mean I immediately relinquish my rights, just like I don't relinquish my right to privacy by stepping into the street.
Yes, cookies serve a very valuable purpose in website development, and guess what: for those purposes the so-called cookie law (which btw covers all forms of tracking, calling it the "cookie law" is sheer propaganda in itself) doesn't affect any website in any fucking way.
This underhanded tactic of spreading deliberate misinformation in order to justify the massive violation of privacy caused by commercialized stalking disgusts me.
It's like the mafia bitching about how it's so unfair and stupid that politicians have made racketeering illegal.
> I don't relinquish my right to privacy by stepping into the street.
Yes you do. You might not be happy about it, think it's wrong and lobby for draconian laws to try and protect it. Physics and technology don't care. Someone can walk by, take your picture with a pin hole camera, upload it via tor to a torrent network.
I had not realized that I was not the emperor of the United States. I appreciate you cluing me in on the situation. It would have made for awkward conversation at my High School reunion when people ask what I do for a living now-a-days :p
And I ask: what is your point? Do you disagree with any of the points I have made? I am talking about a specific concept of a "cookie law".
I am not talking about the generalities of privacy and security, which you are. I have never stated that I think the government has zero role in the area of digital privacy and security.
You said "Guess what: Your digital security and privacy is your responsibility." and then later you referred to "the small minority of people, like many here, who are hyper vigilante about digital privacy." Those are just your opinions and characterizations and they don't have anything to do with cookies.
Yes, that is my opinion. That is my take on life: Everything is your responsibility that you can reasonably manage. In my view, you can't depend on the government or anyone else to take that mantle of responsibility from you as an individual. If they can help, great. But I'm not depending on it.
If there is something practical and cost effective that the government has the responsibility to enact, I'll hear out the idea. But this is not one of those ideas--as you said--in my personal opinion.
I think the general attitude here is pretty bad and I'm disgusted with the replies. I hope the hell they do get sued.
The reason that the law exists is that people have abused the cookie functionality terribly to track people all over the Internet using every possible loophole that they can. Now the price is being paid through not very good legislation.
You wrote functionality that tracks people and now you're whinging when people are given their privacy back? Forget it - I have no sympathy.
Regarding legitimate use, you click accept and the problem goes away.
With respect to analytics, stop being cheap and lazy and do it from your logs.
I'm the founder of Silktide and the guy who wrote that page.
Whilst I appreciate the law exists for a good reason, that doesn't mean the law is good. In its current form it simply doesn't help user privacy or website owners. I'm hardly alone in saying as much.
We ourselves wrote no "functionality that tracks people" - our site merely uses Google Analytics (anonymous measurement of visitors) and social plugins like Disqus, the Tweet and Like buttons. By the letter of the law those have to be concealed until a user has manually opted in to display them.
In practice everyone instead started showing slide-down banners which accomplish nothing for privacy but piss off users.
Anyone who uses analytics properly knows there's no equivalent log-based solution. Understanding the path users take through a site, how long they view pages for, whether they buy when they came from one advert versus another - these are common practice for good reason and they have ABSOLUTELY ZERO implication for users' privacy, as all this data is anonymous.
The relatively few websites which genuinely might be jeopardising users' privacy - Facebook, Google, Amazon etc - tend to be large, ubiquitous and mostly ad networks. The average 10 page company website is not technically sophisticated enough to subvert a user's privacy nor do they have the visitors to do so.
I agree the law is bad. I actually stated that the legislation is not very good. However, suing people is probably the best approach bar forcing Firefox, Chrome and IE to ship Ghostery (then what are you going to do?) I mean you're obviously annoyed, aware and scared of the consequences.
However, the fact that you plug oodles of stuff into your web site that intentionally tracks people and hide under the banner of "we merely use" is the sort of attitude we don't want and the sort that should get you sued.
Ignorance and laziness is not an excuse.
I don't want to be tracked by Google Analytics and for my usage to be profiled and tracked across different sites (this almost certainly does happen as GA is capable of reading enough info from the browser to identify a user or at least build a persistent profile). Google do not have to operate under EU privacy laws as they aren't EU based.
Disqus, Twitter, Facebook all track users through these buttons just by them simply being there. None of these have to operate under EU privacy laws as they aren't EU based.
Your buttons and analytics MUST be disabled until someone agrees because you operate under EU privacy laws. That's your problem.
Either put the banner up or get rid of all the junk that you've plugged into your web site.
Regarding analytics, it sounds like analytics has grown to encompass too much of your business model. Have you thought that perhaps you are possibly not entitled to the information that you gather?
As for advertising - if your revenue is derived from that, good luck. You're going to die miserably. Find a better model. Build something you can sell rather than something you can scatter with crap to pay your bills.
Sorry, I don't buy your argument. It seems naive and arrogant.
Suing websites is going to force browser makers to do something? Perhaps that chain of reasoning can be expanded upon...
Fighting urge to flame the revolutionary baiting in this post, such as use of we don't want in paragraph 2, and possibly not entitled in paragraph 8. I usually don't like deconstructing posts, but the tone rubbed me the wrong way for an intellectual discussion.
All that laws designed to limit technology do is limit technology.
Not really. It's more that browser vendors are worried that it'll shoot their market share so they won't turn this on by default. If users get used to it, that is likely to be less of an issue.
You know, I'm the type of person that operates as you would like most people to (i.e. NoScript, Adblock, RequestPolicy, BetterPrivacy, etc.), and by reading your comments you've made me realize how I've been kind of a jerk for installing these things on friends' machines. They get annoyed and call me asking what I did to their machines (and how to "fix" it).
Obviously, I should've explained the use of and showed them how to use these add-ons, but such things are difficult to do in a casual/ social context. Many of the concepts are foreign, and there is a whole set of jargon that requires explanation in the first place. These are non-technical, yet educated, people in their 30s for whom most of this seems academic. So, I've just installed, and hoped they'd figure it out. I wish it were easy, but it's not; now, I'm certain I will no longer do this because I don't want them to "get used to it" for any reason other than that is what they choose to do.
That's a great approach and I admire your honesty. I think users should always have a choice. At the moment, there is a big assumption made which is the problem.
"Either put the banner up or get rid of all the junk that you've plugged into your web site."
then we'd still be setting cookies, but we'd be telling users about it after we did so. This is exactly what most sites are doing right now, and it's clearly farcical.
When you start attacking anyone who depends on advertising on the Internet - by which I guess you mean Google, Facebook, Twitter and every commercial news site in existence - then I start to lose you. Those services cost billions, and somebody has to pay for it.
Google and commercial news is fine - advertising is a big chunk but Google have other products and commercial news still sells paper and has television slots. Legislation will not kill them.
Neither Facebook nor Twitter have a sustainable model and will fall in time. They don't actually do much of value really apart from enslave people into walled gardens full of noise and bombard them with advertising.
If you put all your eggs in the advertising basket, get pumped on VC cash and act like a dick, yes you will lose billions.
I quote: You have no right to make money shoveling magic unicorn shit.
Those of us who have a real product and earn from that, it's not a problem. We'll be here in 10 years. We were 10 years ago (in fact we started in '92). Empires have risen and fallen in our time. We have never advertised at all.
I appreciate you don't like ads; I'm not a big fan either (not that this is what the law is about). But consider the implications of it not becoming viable.
And for the record my company doesn't advertise anything. We just want to be able to use non-invasive features of the Internet like every other country.
You refer to Facebook, Google, Amazon as the real culprits, and not yourself -- but right above that you admit to embedding those same services on your site.
Whether you wrote it or use it makes no difference, your users' privacy is compromised when they visit your site.
You're right of course, but as the only solution would be for:
(a) Us to remove said services
(b) Our competitors to not
(c) Us to suffer unjustly, while they prosper
Then no. The obligation should be on the provider of those services, or the law should be enforced equally. It's not enforced at all.
We clearly explain what those services do in our privacy policy and we include in that an explanation of why we see there being no meaningful privacy implication for users. What's the worst Facebook/Google could do with your information - know you looked at our website? It's hardly porn.
The fact that non-European companies can abuse their users' privacy in this manner is not a good enough reason to allow European companies to do the same. If this is the way we wanted things to be, we'd get rid of the minimum wage so we could compete with Chinese labour costs better.
It's a trade-off. We gain privacy, and some companies potentially lose some business.
The law is not enforced in the UK at all. Accordingly those who do comply are being penalised unjustly.
The ICO (body responsible for enforcing) have themselves said they probably won't prosecute people for using analytics, because even though that's against the law it's not really all that bad. That's just one example of how vague the law has become.
So we're left in a mess where no-one knows what to do, and those doing the least possible profit. Hence our stance.
Honest question -- why do we assume our actions deserve privacy on the internet, when we access someone else's site? We don't have the same expectation for e.g., when I walk into a shop (eg I may desire, but do not receive, privacy from being tracked if I were to walk into a sex toy shop).
When you visit a website, that website gets a lot more information about you than when you walk into a shop. All I want is that websites are limited to the same information as a simple shop. I published the following blog post last year which covers my thoughts on it: https://grepular.com/2011_EU_Cookie_Legislation_Opinion_of_a...
Shops don't know the last shop you visited, but websites do know the last website you visited (referrers). Shops don't assign you a unique ID the moment you walk through the door which they use to identify you on subsequent visits, websites do (cookies).
I see what you're saying. But excepting the cross-site tracking, aren't all of those privacy leaks just data that my browser is sending? Seems to me that's more my responsibility than the site owners. (FTR, I do use a bunch of the privacy controls and find trackers like the FB bug a bit creepy.)
I have one suggestion for you: stop blaming everyone else.
The law itself is just fine. It's insufficient in itself, but so is the law making theft illegal.
If you use Google Analytics and third party social widgets, you're aiding and abetting companies that violate people's privacy rights on a massive scale. You choose to do so, so you should accept the consequences and the responsibility instead of pointing the finger to everyone else.
As an industry, we've had over a decade to fix this problem until the politicians finally took action. We, Silktide included, have not only done fuck all to solve the problem, we've participated in making it massively worse by putting Google Analytics and Facebook like-buttons on every site we put our hands on.
The politicians you're ridiculing are at least trying to fix the mess we created. We took a dump on privacy rights, and are now bitching about how bad politicians are in cleaning it up.
You really think they're going to listen to us as long as we keep acting like spoiled children with zero sense of responsibility?
> The relatively few websites which genuinely might be jeopardising users' privacy - Facebook, Google, Amazon etc - tend to be large, ubiquitous and mostly ad networks. The average 10 page company website is not technically sophisticated enough to subvert a user's privacy nor do they have the visitors to do so.
What this law should have required is a way to opt out of the tracking systems themselves. I should be able to opt out of Adsense tracking wholesale if I want to (although, tbh, I think I might prefer targeted ads over generic random BS appearing in the sidebars of every site I visit).
Having to opt out on every different European site that embeds Adsense is thoroughly retarded, especially when you consider that many sites don't even give you an option to opt out -- they just tell you to leave if you don't consent to being tracked!
With respect, people like me who delete all tracking stuff routinely now have to put up with constant cookie notices.
The proper solution to this would have been for browsers to have a more prominent "delete cookies" button, for those who care.
The way it's done now is just dumb: the bad guys are still going to track cookies, and it's a massive time sink for every other website out there that wants to comply with the law.
Actually you're solving the wrong end of the problem.
There should be no step which is "delete all tracking stuff".
You should be asked when you hit a web page if they can add a cookie.
At the moment, this is done by the page by legislation, but the next step is to do this at the browser level. I'm quite happy as it's training users to do this nicely.
It took us about a day to sort it out on our corporate site and web applications. If you've got loads of social crap plugged in, don't whinge - think before you do something.
No. I know how this stuff works, and I still don't want to be asked this every time I visit a new site. I suspect most other users don't either -- and a majority of them probably don't even understand the question.
The new cookie law is annoying because it results in a barrage of sliding/popup tickbox crap during one's daily browsing.
What we need is browsers with sensible privacy defaults, and easily-understood alternative settings. Safari's standard no-third-party-cookies rule is nice in this regard.
> You should be asked when you hit a web page if they can add a cookie.
>
> At the moment, this is done by the page by legislation, but the next step is to do this at the browser level. I'm quite happy as it's training users to do this nicely.
Firefox used to have an option to ask you whether you wanted to receive cookies sent by websites. Turning it on made your browsing experience quite unpleasant. And that was several years ago; I imagine it'd be worse today.
> You wrote functionality that tracks people and now you're whinging when people are given their privacy back? Forget it - I have no sympathy.
This is the bit of your comment I take most issue with. I have done nothing of the sort - and neither have the majority of companies' sites - and yet everyone is being punished for what boils down to abuse by online advertisers.
How can abusers get away with this? By relocating elsewhere. So the problem's not solved in the slightest. Meanwhile, the good guys are the ones left dancing around.
I have done nothing of the sort either. Our corporate site and web applications have had to have some re-engineering done to not issue cookies straight away. That's the price of operating in the UK and I have no problem with that.
Just remember, the good guys stay good.
The bad guys are easy to pick off now at the browser or the IWF firewall.
Many people will not click/not allow if they see a warning message. In fact many people will be either confused and scared and leave.
I.e. it's not theoretically a problem if you assume that most users are rational users who read what is in front of them and make reasonable choices.
De facto though that is not the case and that means that a lot of businesses who put it up will see a drop in revenue even if they normally play by the books.
Furthermore it really does not help anything since those with malicious intentions can just put it up and still do all sorts of shady business on the back.
People should be scared. There are companies that know nearly every website they visit, how often, and how they get there. People don't expect this to be the case, but it is.
You complain about bad UX but the solution is obvious: don't use the tracking services and you won't have bad UX.
I personally never understood the problem. I want ads that are better targeted, I want them to know more about me so they don't waste my time with crap I am not interested in.
You're in the lucky position of being informed, and being able to make that choice. 99% of people are not informed on this subject, so their data is being gathered without their knowledge, and without their permission.
I think most people ignore the warning and click through based on the amount of toolbars I have to remove from PCs.
The drop in revenue hasn't happened for us and we've been compliant for months now. I think, based on the quantity of sites this is occurring on, that it's a non issue. People are used to it now.
The malicious people can be identified easily. Think of these changes as covering your arse rather than an inconvenience.
Different websites have different audiences and monetization schemes making your anecdotal observation uninteresting. It's also at odds with reams of conversion rate optimization data. What did Amazon report - something like a 500ms delay produces a 1% drop in conversion rate. I wonder how long it takes the average pensioner to click through?
Popups/dropdowns etc semi-forced upon UK websites are extremely anti-competitive in my opinion.
- Visitors who the law is trying to protect (less savvy web users) could easily be scared by cookie messages
- It's another barrier to actually accessing content on the site
- It's time consuming and difficult to implement sometimes. For example, if your site requires cookies to function, what should it do if a visitor declines permission?
These new laws seem to be addressing people's irrational fears, and not the actual problem. I'd like to see them go down the pan. I hope next year when they start enforcing it they don't make examples of companies with cherry picked large fines.
> For example, if your site requires cookies to function, what should it do if a visitor declines permission?
If I'm reading the guidance[1] correctly (and I've only skimmed it), you don't need permission for essential cookies. Most sites just display a message along the lines of "We're using cookies; your continued use of this site gives consent" etc.
> These new laws seem to be addressing people's irrational fears, and not the actual problem.
What is the problem, to you? To me the problem is that websites track my movement across the internet and I don't want them to invade my privacy in that way.
Utter props to Silktide for pushing this, I feel like half my posts on HN have been about this retarded legislation. Those who misuse cookies will soon use even more insidious means, those who don't are being forced into implementing stupid confusing boilerplate, utterly ridiculous!
Thanks! (I'm the founder of Silktide and author of that rant).
We had some constructive suggestions on what could be done instead, although these are definitely up for debate. The gist would be using a rel element like so:
and then using that as a means of consistently linking to a privacy policy. As a result, policies would have consistent language for users ('look for the "Privacy" link') but could also be detected automatically by browsers or testing tools.
That way you could actually test your site is properly linking to a policy, and users could have browser preferences like "disable cookies until I've seen a policy" or whatever.
It's just an idea but we've implemented it on our sites and will be interested to see what others think:
Until the ICO start taking people to court it will stay ridiculous, but I think the intent of it is important. Using etags to track individuals is really no different to a cookie with a unique ID...
Having a 10 page complaint form is what is dumb. Why can't you just send a suspect URL, then have it scoured for dubious cookies?
I'd like to see this legislation deleted and chalked up to a learning experience for government.
In principle yes, I do want websites to be open about their cookie use, but leaving the implementation down to the website owners has spawned many different ways of dealing with the issue. This makes it less clear and likely more confusing for the end user.
"Let's try a solution at the user & browser level."
That's not enough. Only the website really knows what the cookies are actually being used for. That information needs to be surfaced in a manner where customer preferences can be tailored.
Trying to keep track of which cookie domains are used for cross-site tracking (which is what a user/browser level mechanism will max out to) becomes a big game of whack-a-mole. Cheap domains, endless supply of subdomains; IP address filtering can help, but there's a fair bit of collateral damage.
We have P3P, but it's too much of an all-or-nothing thing. It's quite arduous for a website to implement correctly, and too easy to be unforthcoming with accurate information. But, we need to be able to understand the purpose of every cookie (and similar client-side storage mechanisms), and they need to be done in a way that tracking-related storage can be disabled without disrupting the storage related to the primary purpose of the site (from the customer's point of view).
But the root cause of all this is that there are website owners who do not accept that their customers or visitors have a right to privacy. That perception needs to change for a viable solution to exist. It's a social issue, solving it in a technical manner runs into a similar set of issues that a legislative approach is currently doing.
You're right, it is a whack-a-mole situation, which is why I'd move more towards a browser and user level solution. The OP made a fine suggestion that bridges responsibility between user, website owner and browser
> The gist would be using a rel element like so:
>
> <a href='privacy.html' rel='privacypolicy'>Privacy</a>
>
> and then using that as a means of consistently linking to a privacy policy. As a result, policies would have consistent language for users ('look for the "Privacy" link') but could also be detected automatically by browsers or testing tools.
>
> That way you could actually test your site is properly linking to a policy, and users could have browser preferences like "disable cookies until I've seen a policy" or whatever.
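The automatic detection described in the quoted proposal, sketched as an added example (not part of the thread and not Silktide's code): a Python check that a page carries a link with the proposed `rel='privacypolicy'` token and that the link resolves to a fetchable URL. The function and class names, the sample pages and the `example.test` URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel token proposed in the thread; treated here as a site convention, not a standard value
POLICY_REL = "privacypolicy"


class PolicyLinkFinder(HTMLParser):
    """Collect <a>/<link>/<area> elements whose rel attribute contains POLICY_REL."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.base_url = page_url
        self.base_seen = False
        self.found = []  # (tag, raw href) in document order

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "base" and attr.get("href") and not self.base_seen:
            # Only the first <base href> changes how relative links resolve.
            self.base_url = urljoin(self.base_url, attr["href"])
            self.base_seen = True
            return
        if tag not in ("a", "link", "area"):
            return
        # rel is a space-separated, case-insensitive token list, so compare
        # whole tokens; a substring test would accept "privacypolicy-draft".
        if POLICY_REL in attr.get("rel", "").lower().split():
            self.found.append((tag, attr.get("href", "").strip()))


def audit_privacy_link(html, page_url):
    """Return {'ok', 'targets', 'findings'} for one page of HTML."""
    finder = PolicyLinkFinder(page_url)
    finder.feed(html)
    finder.close()

    targets, findings = [], []
    for tag, href in finder.found:
        if not href or href.startswith("#"):
            findings.append(f"<{tag}> rel={POLICY_REL} has no usable href")
            continue
        url = urljoin(finder.base_url, href)
        if urlsplit(url).scheme not in ("http", "https"):
            findings.append(f"<{tag}> rel={POLICY_REL} is not an http(s) link: {href}")
            continue
        targets.append(url)

    if not finder.found:
        findings.append(f"no rel={POLICY_REL} link on page")
    if len(set(targets)) > 1:
        findings.append("policy links point at different documents")
    return {"ok": bool(targets) and not findings,
            "targets": targets, "findings": findings}


# Constructed sample pages (not taken from any real site).
GOOD_PAGE = """<html><head><base href="/site/"></head><body>
<a href='privacy.html' rel='nofollow PrivacyPolicy'>Privacy</a></body></html>"""

MISSING_PAGE = """<html><body>
<a href="privacy.html">Privacy</a>
<a href="old.html" rel="privacypolicy-draft">Old policy</a></body></html>"""

BROKEN_PAGE = """<html><body>
<a rel="privacypolicy" href="javascript:void(0)">Privacy</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("missing", MISSING_PAGE),
                       ("broken", BROKEN_PAGE)):
        print(name, audit_privacy_link(page, "https://example.test/shop/index.html"))
```
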
I think the ICO has acknowledged the issues with the law and as a result is taking a gentle approach to enforcing the law (which the OP's crusade seems at odds with...).
I think it's a good idea to attempt to increase user awareness of how information about a person's visit to a site will be used. As the guidance acknowledges, the type of most interest are third party advertising cookies and if the law helps to increase awareness of such usage, then it will have succeeded.
In terms of geographical location, my understanding is that the location of the provider is irrelevant as if they are providing a service in the EU, they should be complying with the law.
Having spent a good chunk of time implementing cookie permission popups across our sites, Google Analytics showed a drop down to 10% of the normal traffic. (The traffic is a bit higher according to the logs, but not normal. Also as someone else pointed out the funnelling and reporting is harder to decipher)
Putting in an implied statement and removing the pop-up and we're back to the regular levels.
Sorry but this law is flawed and I'm glad it's getting a bit of airing again. Come on ICO and the EU peeps who created this directive please rethink this with some expert advice.
Good to see them taking a stance. It is a great shame that this law does absolutely nothing to improve privacy.
I typically do my casual browsing in incognito mode, which means that I'm constantly bombarded with these cookie warnings. So this law has significantly reduced the quality of my experience, for no benefit at all.
The people who want to track me still continue to do so.
You're right to have that concern, I won't block a site if it's doing that but practically it's not an issue. I've yet to encounter one that requires opt-in before setting cookies.
Can anyone who is more law savvy than I answer this question for me: Does a European company have to put the cookie message on their site if the site is hosted in the US?
Found a (sort of) answer in their cookie_guidance_v3.pdf
"An organisation based in the UK is likely to be subject to the requirements of the Regulations even if their website is technically hosted overseas. Organisations based outside of Europe with websites designed for the European market, or providing products or services to customers in Europe, should consider that their users in the UK and Europe will clearly expect information and choices about cookies to be provided."
Of course, much like the rest of this legislation, the phrase "likely to be subject to" is vague and ill defined. Sometimes I hate being based in England.
If instead of using cookies we would swap to using the browser's storage, wouldn't we circumvent this entire rubbish law (+ the other advantages it already provides)?
The law states: "a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met."
Paragraph 2 then sets out how consent needs to be obtained, and the test that the subscriber needs to have given their consent before information is stored on their computer.
Cookies, flash cookies, HTML5 databases, etc. are all covered under the general concept of storing on a subscriber's computer.
I don't know the exact law, but the law might not refer to cookies explicitly, but instead refer to tracking users. Switching from one tracking type to another will not avoid the law then.