As numerous commenters have noted, this article twists/omits facts, blows things out of proportion, and doesn't talk about the benefit to consumers.
Tracking is currently a hot topic in the US as well, where a different approach, labeled Do Not Track, is being pursued. I happen to be in the thick of it, so I thought I'd add that to the discussion.
Do Not Track (http://donottrack.us/) is fundamentally an opt-out from tracking rather than an opt-in, which makes it much harder to claim that it will threaten the ad industry, startups, puppies, or anything else [1]. It is an HTTP header which, if enabled, signals to advertisers and other trackers to stop tracking you across multiple third-party websites. First-party tracking is OK.
The Do Not Track option has already been implemented in Firefox 4. As of yesterday it is an Internet-Draft[2], and on the legislation side, Congresswoman Speier recently introduced a bill to give the Federal Trade Commission powers to enforce Do Not Track.[3]
I'm a computer scientist and this is my first major foray into the policy arena, and having worked with most of the people/entities involved in this effort, I have to say I've been pleasantly surprised how the disparate parts of the technology/policy/regulatory machinery started to work together.
I don't want to get into which approach is better, but just wanted to describe how we're doing it in the US. Feedback welcome.
I'm always skeptical of a legal solution to a technical problem, but I wonder how this is to keep me safe from trackers on foreign soil? Wouldn't these companies just move their server a country over? What if our ISP allowed us to block traffic from those who don't comply with the don't track header, would that solve our problem?
This could be a good complementary way to tell the i.e. content provider you don't want to be tracked so there'd be no need to issue warnings.
Otherwise this measure is bland as it'd totally rely on the way the legislation is implemented or in the trackers' good faith.
Liability should be owned by the one providing the service you're consuming. The same way as they'd if I were paying them with my credit card in their commerce, I'm giving them my personal information as a retribution but instead of my credit card number.
It also gives flexibility back to site owners. If your business model depends on tracking (so much that a visitor who opts out of tracking costs you money) they are free to redirect the user away or throw up a paywall.
The general gist seems to be that if you use a cookie to track the communications between you and the user (à la sessions), no problem. But if you are using cookies to track where and/or what the user has been doing across sites then you need to make said user aware.
Thanks for posting the link - upvoted. However, I'm interpreting it a little differently. Consent is not just required for tracking across sites according to point 50 of that document. Their example of something that would require consent is storage of language preferences. That has nothing to do with cross site tracking.
The linked document looks to me like a recommendation to alter the tabled amendment - and as things currently stand then language preferences and the like will not be exempt. Hence clause 51 stating "to prevent this we propose the following amendment to the article ..."
But I've only skimmed through it and it's making my head hurt.
You are not wrong. Some examples: A login for your site needs no consent. A session to store some status-message to a user ("comment posted!") is allowed just fine. But Google (analytics) must provide a warning before it is allowed to track people, because it tracks people across domains and sites.
edit: I wrote opt-in but meant to say "provide a warning"
And stupid environmental laws don't allow excessive mining and require costly procedures when handling waste. It hands the advantage to China, and other less restrictive countries.
'This is how it's always been done' is not reason enough. Many sites require you to accept terms & conditions. Another checkbox really won't matter.
I can't figure out how this will hit EU startups. Actually, this is promoting transparency and I really like it. I won't be suspicious if the site is gathering some data from me or not; if it is, it'll just display a friendly warning.
This is actually beneficial for users; and the ones who refuse are probably not the users you are looking for.
"It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings – and our competitors will not. It is a well known fact that at each stage of a signup process you lose customers – if you have to have a big warning sign just for a cookie that will remember you purely for convenience so that it keeps you logged in. The user won't read that detail – they will just think you're a privacy nightmare and won't sign up."
Both the EU and US regulations will backfire badly. They both interfere with site optimization and advertising targeting, and both site optimization and advertising targeting impact profits.
Rather than taking the hit to their bottom line, publishers will adjust by making explicit user opt-in mandatory. Since explicit opt-in is nice and unambiguous, the targeting itself can then be a lot more invasive.
I really don't understand the desire to mess with the current system we have today, which works well enough. The small percentage of users who truly care about tracking have simple and effective technical solutions available to them. Publishers turn a blind eye to these unprofitable users, since their numbers are small. Finally, since most ad targeting currently falls in a policy 'grey area', the ad industry self-polices reasonably well.
At least there's going to be some interesting startup opportunities in detecting tracking circumvention and forcing compliance.
The current system does not work. Tracking people around the Internet is shady behaviour any way you cut it, and a lot of people don't like it.
A lot more people don't even know about it, which is why the effect on sites today is still relatively small. Try sampling a population who have been fully informed about what is going on and see the reaction you get.
Ultimately, businesses do not have carte blanche to engage in whatever shady practices they like in the interests of increasing profits. This is why we have laws and why we punish businesses that break those laws.
If publishers who want to spy on everyone make opt-in mandatory in response to measures like this, they will just create a market for publishers who are willing to share their content with ads based on that content alone rather than on tracking individual visitors' personal details. This worked well enough to establish things like Google ads in the first place, after all.
I have about as much sympathy for any company hit by these measures as I have for cigarette companies who are forced to display a warning about the proven health implications of their product in big letters on the packet.
The article does NOT describe the situation. The situation is different and is explained by this part of the Directive:
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"
And by the further comments to the text, clearly reducing the so claimed 'stupidity'.
The real problem about this Directive (it's not a law, European Union does not make laws!), is how it will be converted in law by the single Countries; this could be the real source of confusion.
The real purpose of this directive is forcing to ask explicit consent for behavioral targeting purposes, not for simple analytics' cookies.
We can't create buzz based on a misunderstanding!
As a web-publisher, I find the general distaste of (advertising) tracking cookies a little hard to swallow. At the end of the day, tracking cookies exist because they allow the sites you visit (and probably don't pay for directly) to earn more money (on average) across all their visitors.
Advertising is the life-blood of publishers on the Internet. Without advertising (and by extension, tracking) many of the sites you enjoy every day would cease to exist.
At least using cookies you CAN opt out (via browsing settings and plugins). All that will happen is that the tracking networks will switch to browser fingerprinting making tracking harder to control and more opaque.
> At least using cookies you CAN opt out (via browsing settings and plugins). All that will happen is that the tracking networks will switch to browser fingerprinting making tracking harder to control and more opaque.
It's been a little while since I talked to a specialized lawyer about this, but if I remember correctly, the same regulations would apply to this tracking strategy.
Your post is one unsubstantiated claim after another.
Just because you fund your content through ads, that doesn't mean someone else can't use a different model. Sorry to be brutal, but if you can't find a viable alternative model when ads aren't cutting it any longer, maybe your content simply isn't worth that much and losing your site isn't a great loss to anyone else.
Moreover, just because you associate ads with tracking, that doesn't mean everyone else does. The most lucrative advertising deals I know about are between sites catering to particular interest groups and advertisers who also cater to those groups and make a direct agreement with the site. It takes actual work to set this up, but can be very lucrative for all concerned, particularly without any middleman ad network taking a big cut of any money changing hands. Many models from classic sponsorship deals to modern product placement approaches are based on this idea.
> All that will happen is that the tracking networks will switch to browser fingerprinting making tracking harder to control and more opaque.
That's probably going to be illegal, too.
In any case, browser fingerprinting is becoming a hot topic for all the wrong reasons. I expect near-future browsers will basically kill it as a technique anyway.
If you don't want to be tracked with a long-term cookie just configure your browser to not accept long-term cookies or to delete all cookies on shutdown. Problem solved.
In 10, 20 years people around the world may ask the Europeans how they got such a rather high privacy standard. While I don't agree to all of the regulations, the tendency here is to make everything private by default and only disclose what is needed. We should be able to decide ourselves what to disclose without having to install add-ons to block everything.
That said: I also use tracking, but anonymize as soon as possible. And: there are enough laws that contradict regulations like these (such as the governments force the ISPs to store the communication data from the users).
I won't be asking that until places like London get rid of all the police cams. Although, apparently they are highly effective:
http://news.bbc.co.uk/2/hi/8219022.stm
While I applaud the EU's efforts on this, it seems a bit of stepping over dollars to pick up pennies. The bigger battles for privacy still need to be fought.
I'm usually not a proponent of EU regulations, but I don't think telling customers the truth should be considered harmful by any serious entrepreneurs.
Customers will probably be scared at first, but once they understand a bit more about tracking (which are harmful, which are not), opt-in system will definitely add to customer's confidence, and thus benefit to business in the long term.
if you have to have a big warning sign just for a cookie that will remember you purely for convenience so that it keeps you logged in. The user won't read that detail – they will just think you're a privacy nightmare and won't sign up
The only times lay surfers have heard about cookies is in the news when severe privacy invasions have occurred. To those that have never heard of it, it is new, so they are cautious. Some parts of the industry have misused that technology and now the whole industry is called to gain back the users' trust.
The EU law's intention is to shift the responsibility from the companies to the user, i.e. they will be the ones to decide whether they want to use cookies or not. To make that decision they need to be informed about its positive and negative sides.
Regarding opt-out models, how many people will know about that? So if I'm not aware of opting-out, is it my fault if some company goes berserk with my privacy rights?
There are some lawyers in Germany that already now presume that Google Analytics is illegal: http://eu.techcrunch.com/2009/11/24/google-analytics-illegal.... And due to the German "Abmahnung" law (see http://en.wikipedia.org/wiki/Abmahnung) it's rather easy for them to "fine" you if you use it anyway: "One German lawyer that gets cited in the article says the penalties could amount up to €50,000 (about $75,000) per website that uses Google Analytics to keep track of its visitors’ usage patterns."
There are already lawsuits in Germany against websites using AdSense or Google Analytics. Also the WordPress plugin Akismet (distributed spam filter) is apparently a no go in the future.
Just some examples - so yes, I think this could definitely hurt EU startups, or at least smaller projects that rely on AdSense.
It is by no means against the law in Germany to use AdSense or Google Analytics. You just have to get the consent of the user before you are allowed to have their personal information processed by a third party.
It will be interesting if this actually works out worse for privacy; say the site decides instead to remember you (for ad purposes) by IP address instead of by cookie, so everyone from that IP address ends up in the same profile target.
e.g. I visit a website to buy a birthday present for my wife, but later everywhere she browses she suddenly sees adverts for the shop or product that I bought.
They will use a combination of user-agent, IP address and other browser profile information. This is surprisingly good at uniquely identifying most computers.
It only really falls down when there are a large number of totally identical machines in the same IP range, where the machines are locked down so plugins (etc.) cannot be installed. E.g. a large office or university lab.
Try configuring your browser to ask for your permission every time a cookie needs to be stored. Some websites have 4-5 cookies and clicking "accept" (or "deny") several times over for a site is just unusable.
I use the Cookie Monster addon for Firefox. It provides a similar interface to that provided by NoScript. It blocks cookies by default, and lets you permanently/temporarily accept full cookies/session cookies, on a per domain basis.
I can use news.ycombinator.com because the first time I came to this site after installing Cookie Monster, I set it to accept session cookies from ycombinator.com, and to permanently remember that setting. I don't need to let ycombinator set long lived cookies, and I certainly don't need to let clickpass.com set a cookie on my computer when I visit the news.ycombinator.com login page.
[+] [-] randomwalker|15 years ago|reply
[1] http://cyberlaw.stanford.edu/node/6592
[2] http://cyberlaw.stanford.edu/node/6633
[3] https://speier.house.gov/index.cfm?sectionid=48&itemid=6...
[+] [-] smokeyj|15 years ago|reply
[+] [-] escanda|15 years ago|reply
[+] [-] al_james|15 years ago|reply
[+] [-] xd|15 years ago|reply
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/...
Read point 50.
Please correct me if I am wrong.
[+] [-] fauigerzigerk|15 years ago|reply
[+] [-] rahoulb|15 years ago|reply
[+] [-] berkes|15 years ago|reply
[+] [-] lwhi|15 years ago|reply
EDIT: This [1] seems quite useful.
[1] http://www.google.com/support/forum/p/Google+Analytics/threa...
[+] [-] gacek|15 years ago|reply
[+] [-] john-n|15 years ago|reply
[+] [-] paolomaffei|15 years ago|reply
[+] [-] borism|15 years ago|reply
[+] [-] csomar|15 years ago|reply
[+] [-] anigbrowl|15 years ago|reply
[+] [-] fmavituna|15 years ago|reply
[+] [-] gyardley|15 years ago|reply
[+] [-] Silhouette|15 years ago|reply
[+] [-] Facens|15 years ago|reply
Pascal Van Hecke wrote a useful comment explaining the situation and clearing the misunderstandings. The comment can be read here: http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-wil...
[+] [-] al_james|15 years ago|reply
[+] [-] thomasz|15 years ago|reply
[+] [-] Silhouette|15 years ago|reply
[+] [-] wladimir|15 years ago|reply
Sites could simply stop tracking users with long-term cookies. In this case, no warnings and popups need to be added. And everyone is happy...
[+] [-] gst|15 years ago|reply
[+] [-] patrickg|15 years ago|reply
[+] [-] nhebb|15 years ago|reply
[+] [-] obiwan421|15 years ago|reply
[+] [-] jujjine|15 years ago|reply
[+] [-] nodata|15 years ago|reply
[+] [-] xsltuser2010|15 years ago|reply
[+] [-] gst|15 years ago|reply
[+] [-] joebananas|15 years ago|reply
[+] [-] speleding|15 years ago|reply
[+] [-] Tichy|15 years ago|reply
[+] [-] biafra|15 years ago|reply
[+] [-] jsvaughan|15 years ago|reply
[+] [-] al_james|15 years ago|reply
[+] [-] olalonde|15 years ago|reply
[+] [-] prodigal_erik|15 years ago|reply
[+] [-] lwhi|15 years ago|reply
http://www.davidnaylor.co.uk/eu-cookies-directive-interactiv...
[+] [-] iwwr|15 years ago|reply
[+] [-] mike-cardwell|15 years ago|reply