The Cookie Law (in the UK at least)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #30, on April 19th, 2012, 07:05 PM »
Quote
The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
That's true, but to a point one of the considerations is whether you're acting in good faith or not. If you're 'on the edge' but making an attempt in good faith to be compliant, you're probably going to OK, but if you're on the edge trying to bend the rules at every opportunity, when you do skirt the rules, it will come back to bite you a bit more.
Quote
The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
The ICO's own site is where I feel it's failing most: I accept that they may not know the specific details of each cookie - I don't know the specifics of what's in the Google Analytics cookies, for example, so that part I'm willing to accept the way they're doing it. What I don't like is the way they're using a single consent to accept *all* of those cookies, not bits and pieces.
Quote
The other rather laughable aspect of the ICO site is that it places a second cookie, in addition to their main one, if you agree to cookies -- surely the presence of their main cookie indicates that you've agreed to cookies!
It is, but at the same time, there's no other way to do it. They don't set any cookies, so there's no method other than this to indicate consent unless you're a registered member and have provided consent that way somehow.
Quote
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge! Thank you!
Well, as this discussion has shown, Nao and I both have reservations about how this will be enforced, and whether it actually will be or not. But I don't see that we - as platform stewards - can take that risk.

This is the problem I have with SMF: I understand their view that they're in the US and as such they take the view that it does not apply to them. But they're not offering advice on how to be compliant, and given what's involved, and how deeply rooted it is into SMF, with its session management and also the privacy concerns of Who's Online, and that's where the problem is. If the team isn't actively taking this on board, who is? Is anyone?

And that's the problem: it leaves people like you and me (taking off my platform steward hat for a moment) in the lurch because if the platform itself isn't going to take responsibility, that means the site owners have to, and without any guidance, how can they?

As I said in my email, I don't know if other platforms are taking this seriously, but I don't see big noises about doing so, put it that way.
Quote
'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
Oh, I'm pretty sure that it is just for show, but until it's actually tested in a complaint, we have to assume that it isn't. Bear in mind that it is only to be used in the case of people complaining, rather than doled out by machine.

The thing is, even with the source code available, it isn't that easy to identify what the cookie does, especially if you observe that the PHPSESSID is actually potentially set for 3 years at a time when it is supposed to be a session cookie, it does make you wonder what's going on.

If we make it difficult or even impossible to be compliant, I myself can't use Wedge on my own sites, that's the bottom line. If I can't be reasonably sure that Wedge will be compliant, I don't see how I can in good faith or otherwise operate Wedge on my own sites, so even though I personally believe that it's for show, I can't take that chance for my own stuff, and I can't, thus, take that chance of dropping people in it who use Wedge in good faith.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #31, on April 19th, 2012, 07:17 PM »
Quote from Nao on April 19th, 2012, 06:47 PM
Quote from markham on April 19th, 2012, 06:22 PM
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team
Only half the team, I'm afraid :P
Ah but it's 100% more than over at SMF! :D
Quote
I'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
In our case, the UK's Information Commissioner is legally obliged to investigate any complaints and the penalties are proscribed in law but whether anyone actually complains is another matter. Unless they live in Denmark, of course (where I believe this all originated).

That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
Quote
Quote
whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge!
Heck, even *I* can no longer wait for an alpha release...
That's the one they're promising by the end of the millennium, right?!

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #32, on April 19th, 2012, 07:28 PM »
Quote
That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
I actually did some investigation on this some time ago, when I first started running forums, and I don't believe anything's changed. Basically, a username and password is not considered personal information and as yet, neither is an email address. Consequently because you're not providing anything that comes under their definition of 'personal information', you don't have to get into the realms of being a registered Data Controller, and whatever's left regarding IP (which also, currently, is not considered personal information) is covered by the standard registration agreement, which is within the First Principle's approach to transparency.

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: The Cookie Law (in the UK at least)
« Reply #33, on April 19th, 2012, 07:33 PM »
I'm sure Wedge will be fine with just a warning message at registration time. That could be disabled from the admin panel for users outside the UK or whatever.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #34, on April 19th, 2012, 08:29 PM »
Quote from Arantor on April 19th, 2012, 07:05 PM
Quote
The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
That's true, but to a point one of the considerations is whether you're acting in good faith or not. If you're 'on the edge' but making an attempt in good faith to be compliant, you're probably going to OK, but if you're on the edge trying to bend the rules at every opportunity, when you do skirt the rules, it will come back to bite you a bit more.
Let's suppose Germany decides to require site owners to obtain separate op-ins for every cookie whilst apparently the UK does not - according to ICO a blanket opt-in is sufficient. A German user visits a UK hosted web site and is presented with a single "Do you agree to our placing cookies?" dialog box. The German user is happy to have the site's first-party cookie as, in all likelihood, that cookie would be rather essential to ensure a good experience, but he doesn't want the (potentially four) extra Cookies placed by Google Analytics or Facebook trackers etc. He feels aggrieved that those cookies have been stored and complains. The UK site has complied with the Directive as implemented in UK law but is not compliant under German law. As things stand, the Information Commissioner would have to agree that the web site concerned was in violation. But whether he would seek prosecution is entirely another matter.
Quote
Quote
The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
The ICO's own site is where I feel it's failing most: I accept that they may not know the specific details of each cookie - I don't know the specifics of what's in the Google Analytics cookies, for example, so that part I'm willing to accept the way they're doing it. What I don't like is the way they're using a single consent to accept *all* of those cookies, not bits and pieces.
But is there any other practical way of doing this? As a developer, you'd say "yes", I'll simply include hooks that cause the display of a cookie acceptance dialog so that developers of plug-ins that set cookies can get the user's acceptance. But from a user's point of view, to be presented with a succession of cookie opt-in dialogs is going to become tiresome to say the least. If we are going to go down that road, then I think two opt-in dialogs should suffice: one for first-party and the other for all the third-party cookies. That second dialog could optionally be re-presented to the user if additional cookies are added. How's that for compromise?


Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #35, on April 19th, 2012, 11:46 PM »
Quote
I'm sure Wedge will be fine with just a warning message at registration time. That could be disabled from the admin panel for users outside the UK or whatever.
If that were the case, we could just accept the fact it's in the registration agreement and go home. Except that it isn't the case, and until this is tested by a formal complaint, I at least have to assume that it will expected to be carried out as discussed.
Quote
The UK site has complied with the Directive as implemented in UK law but is not compliant under German law. As things stand, the Information Commissioner would have to agree that the web site concerned was in violation. But whether he would seek prosecution is entirely another matter.
This is my point. I agree that it would be found in violation, but I would expect that the ICO would not seek prosecution because what was being done was being done in good faith. (Assuming it was being done in good faith.)
Quote
But is there any other practical way of doing this? As a developer, you'd say "yes", I'll simply include hooks that cause the display of a cookie acceptance dialog so that developers of plug-ins that set cookies can get the user's acceptance. But from a user's point of view, to be presented with a succession of cookie opt-in dialogs is going to become tiresome to say the least. If we are going to go down that road, then I think two opt-in dialogs should suffice: one for first-party and the other for all the third-party cookies. That second dialog could optionally be re-presented to the user if additional cookies are added. How's that for compromise?
Bearing in mind the first- vs third-party cookies problem, the ideal solution to me seems to be offering an acceptance on first party cookies as a general consent, then a party by party acceptance of other cookies.

So the core cookies for a site itself with a single consent, then Google Analytics with a single consent for GA (ideally... I'd hold that in the browser with the assumption that opting me out of GA would opt me out of GA everywhere), then a single consent for whatever, etc.

Mind you, anyone who actually cares about privacy seriously wouldn't have GA on their site anyway.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #36, on April 20th, 2012, 08:58 AM »
Quote from Arantor on April 19th, 2012, 07:28 PM
Quote
That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
I actually did some investigation on this some time ago, when I first started running forums, and I don't believe anything's changed. Basically, a username and password is not considered personal information and as yet, neither is an email address. Consequently because you're not providing anything that comes under their definition of 'personal information', you don't have to get into the realms of being a registered Data Controller, and whatever's left regarding IP (which also, currently, is not considered personal information) is covered by the standard registration agreement, which is within the First Principle's approach to transparency.
I agree entirely with your comments. But many Forum sites hold other personal information that has been voluntarily supplied by its members - such as their location, user names on social network sites and instant messengers, perhaps even their exact geographic location (for Google Map pins). Now I agree that all this additional information is not only supplied voluntarily by members but can be modified or removed by them at any time. Well almost: if that member receives a ban, he is no longer able to remove his personal details and whilst the site needs to retain that member's email address, user name and IP Address in order to enforce the ban, it does not - and should not (in my view) - retain any of the additional information that user supplied during his membership. That retention might fall foul of the DPA.

If my suspicions have any legs, then wouldn't it be wise for the site to automatically remove all additional informations - including all PMs sent/received - when a member is banned?

To the best of my knowledge - and according to some basic research carried-out by my lawyer - no UK-based Forum site has been found in violation of the DPA but there remains the risk that should the ICO be asked to investigate a site under the "cookie law", it might also check for other violations.

PantsManUK

  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: The Cookie Law (in the UK at least)
« Reply #37, on April 20th, 2012, 11:49 AM »Last edited on April 20th, 2012, 12:04 PM
Quote from Arantor on April 19th, 2012, 07:05 PM
Oh, I'm pretty sure that it is just for show, but until it's actually tested in a complaint, we have to assume that it isn't. Bear in mind that it is only to be used in the case of people complaining, rather than doled out by machine.
"We" could force the issue - find a UK-based website with an SMF (or any other) forum that doesn't mention cookies at all, and have a mass complaint by anyone in the EU. We'd soon see how the ICO deal with it. :niark:

TBH, I'm in the "this will all fade away eventually" camp too. They'll U-turn: just very, very slowly so no-one notices.

On a side-note - cookie lifetimes. For logged on folks ("paid up" members), it's easy in most cases because you ask them how long they want to be logged in for; just be explicit that a cookie is used to store that information and I would hope that the ICO view that as a "good faith" attempt at compliance. For "anonymous" guests, I'd like to see any cookies lasting for as short a time as can be managed - to the extent of potentially having cookies expire while anonymous users are still browsing. With more and more people leaving their browser running 24x7, you can't really rely on "End of session" cookies any more (this is a browser issue in my book - but I can't think of an easy fix...). Just my 2p...
« What is this thing you hoomans call "Facebook"? »

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #38, on April 20th, 2012, 01:42 PM »
Quote
I agree entirely with your comments. But many Forum sites hold other personal information that has been voluntarily supplied by its members - such as their location, user names on social network sites and instant messengers, perhaps even their exact geographic location (for Google Map pins).
Therein lies part of the problem: a user name and general location are not yet considered to be personal information. I have no doubt that usernames and email addresses will become personal information in the future, but at this time they are not within the definition given.

Exact location is a bit different, because it could be a matter of public record. For example, if I were to put my location in, it could be claimed that my name and address are matters of public record (voter's roll, domain name WHOIS), so it's not even that simple.
Quote
Well almost: if that member receives a ban, he is no longer able to remove his personal details and whilst the site needs to retain that member's email address, user name and IP Address in order to enforce the ban, it does not - and should not (in my view) - retain any of the additional information that user supplied during his membership. That retention might fall foul of the DPA.
This is partly why I never enforce a ban as a true 'ban' in the SMF sense, I do it by a 100% warning (since that also saves certain performance matters), and I suspect we can build that in to the changes to the ban system, since the ban system as it stands needs to be withdrawn.

It gets more complicated, though... what happens if a ban is enacted accidentally against a user who wishes to update or remove their information? Say there's a ban on host which locks out so many more users? Yes, I'd argue there's a problem there, but I don't see how, viably, it's possible to solve them at this time.
Quote
If my suspicions have any legs, then wouldn't it be wise for the site to automatically remove all additional informations - including all PMs sent/received - when a member is banned?
Even that's complicated. What happens if those PMs formed part of a conversation? How does one justify removing them from someone who has received said messages?

What happens if the ban is later removed? Or was put in place by accident?
Quote
To the best of my knowledge - and according to some basic research carried-out by my lawyer - no UK-based Forum site has been found in violation of the DPA but there remains the risk that should the ICO be asked to investigate a site under the "cookie law", it might also check for other violations.
Agreed, there is no known site that has fallen foul of DPA violations (in no small part because the content held by a forum is on the fringe of what is considered to be personal information), but with the cookie law, the ICO is signalling a clear intent to pursue privacy and related matters.

And that's the thing, ultimately, I have no idea whether the ICO would check for violations or not. But while I as a site owner may take one stance, I have to consider the implications for Wedge as a platform too.

Last night, just out of curiosity, I went looking for it on phpBB, because phpBB has at least one UK developer (and their primarily language is 'British English'), and I will also look at what XenForo is doing, though I haven't yet. What intrigued me is that there's a distinct 'we don't think the ICO will pursue it' attitude, it's almost like SMF's stance - 'we don't think anything will be done so we don't have to worry about it', as such they're not planning on doing anything about it.

Now, I personally do not believe we're going to see a rash of complaints or enforcement actions, but that's my personal opinion, not with my 'platform steward' hat on. And I have to consider it a viable threat until I see some evidence to the contrary with that in mind.

]
Quote
On a side-note - cookie lifetimes. For logged on folks ("paid up" members), it's easy in most cases because you ask them how long they want to be logged in for; just be explicit that a cookie is used to store that information and I would hope that the ICO view that as a "good faith" attempt at compliance. For "anonymous" guests, I'd like to see any cookies lasting for as short a time as can be managed - to the extent of potentially having cookies expire while anonymous users are still browsing.
SMF and Wedge have ambiguous behaviour here.

For guests who do not register and have never registered nor never logged in, they get a session cookie, which is a true session cookie - it expires when they close their browser. This is the infamous PHPSESSID cookie, of course.

Logging in, you do get to specify how long you're logged in for. 'Forever' is not really forever, either, it's actually 3 years. But the problem attached is that the PHPSESSID cookie is also held for the same time, but as far as I'm concerned this is actually a bug, because there is no need to keep the session cookie when a proper cookie is established.
Quote
With more and more people leaving their browser running 24x7, you can't really rely on "End of session" cookies any more (this is a browser issue in my book - but I can't think of an easy fix...)
This is a browser issue and that something I'd have to argue is neither our concern nor our problem. Indicating that a cookie lasts until the browser closes (which in modern parlance is theoretically when the tab is closed, not when the browser itself is closed, as I understand it) is a sign of good faith - it's not our place to police that. We indicate the lifetime of a cookie, if the browser doesn't adhere that isn't actually our fault.

oOo--STAR--oOo

  • @Arantor Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time
  • Posts: 43
Re: The Cookie Law (in the UK at least)
« Reply #39, on April 20th, 2012, 10:38 PM »
Hmm this has me wondering ?

I live in the UK but my hosting servers are in the US, do I have to comply with these rules on my website?
If we have visitors from the UK so we have to comply for them visitors?
Also isn't the notice on the registration agreement enough to say what cookies are stored on your computer and what they are used for?
As they are stated when you AGREE to sign up and then proceed to enter your details for registration.
I certainly don't understand this very much.
Will this be applicable to voluntary small websites who can basically be bitten by a cookie law?
I would of never heard about this other than reading this website.
AND I LIVE IN THE UK!!! That's a but stupid init?

I noticed on my ISP website they have information at the bottom of their website, like little icons that you don't even know what they are until you hover or click them which allow you to control the use of cookies they store.


Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #40, on April 20th, 2012, 10:58 PM »
Quote
I live in the UK but my hosting servers are in the US, do I have to comply with these rules on my website?
Yes, because you're the site operator.
Quote
If we have visitors from the UK so we have to comply for them visitors?
Yes, if the site is owned or operated within the EU, since this is an EU directive. If there is no EU-based management, there is no requirement to comply - at the present time, since I don't see how a user from within the EU can make a complaint to their respective data management body, when there's no way that can further on be enforced.
Quote
Also isn't the notice on the registration agreement enough to say what cookies are stored on your computer and what they are used for?
You're not the first person to ask this, and the answer is unequivocally NO.

This is the part that people do not follow. What you state in the registration is, frankly, irrelevant. You are supposed to obtain permission before setting ANY cookies. Even guests. The registration process would cover the more complex cookie, but it is not sufficient to cover for guests for whom a cookie is set straight away anyway.
Quote
Will this be applicable to voluntary small websites who can basically be bitten by a cookie law?
Yes, if you use a cookie. This is one of the points we've debated here: all sites that operate within the UK at least (and in time the EU) should comply, and a user can lodge a complaint with the ICO if they do not comply with the rules. (Or the respective country's equivalent)
Quote
I would of never heard about this other than reading this website.
AND I LIVE IN THE UK!!! That's a but stupid init?
You want to know the real fuck-up? This was introduced almost a year ago back in May 2011, but the ICO made it very clear that they would not enforce for a minimum of one year (and that date is fast approaching, it will be May 26th this year), however during that time we have been waiting for guidance from the ICO on how exactly this should work.
Quote
I noticed on my ISP website they have information at the bottom of their website, like little icons that you don't even know what they are until you hover or click them which allow you to control the use of cookies they store.
That's not really satisfactory. The ICO's own site is so far the only site I have seen that actively follows the guidance.

oOo--STAR--oOo

  • @Arantor Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time
  • Posts: 43
Re: The Cookie Law (in the UK at least)
« Reply #41, on April 20th, 2012, 11:21 PM »
Quote from Arantor on April 20th, 2012, 10:58 PM
Quote
I live in the UK but my hosting servers are in the US, do I have to comply with these rules on my website?
Yes, because you're the site operator.
Quote
If we have visitors from the UK so we have to comply for them visitors?
Yes, if the site is owned or operated within the EU, since this is an EU directive. If there is no EU-based management, there is no requirement to comply - at the present time, since I don't see how a user from within the EU can make a complaint to their respective data management body, when there's no way that can further on be enforced.
Quote
Also isn't the notice on the registration agreement enough to say what cookies are stored on your computer and what they are used for?
You're not the first person to ask this, and the answer is unequivocally NO.

This is the part that people do not follow. What you state in the registration is, frankly, irrelevant. You are supposed to obtain permission before setting ANY cookies. Even guests. The registration process would cover the more complex cookie, but it is not sufficient to cover for guests for whom a cookie is set straight away anyway.
Quote
Will this be applicable to voluntary small websites who can basically be bitten by a cookie law?
Yes, if you use a cookie. This is one of the points we've debated here: all sites that operate within the UK at least (and in time the EU) should comply, and a user can lodge a complaint with the ICO if they do not comply with the rules. (Or the respective country's equivalent)
Quote
I would of never heard about this other than reading this website.
AND I LIVE IN THE UK!!! That's a but stupid init?
You want to know the real fuck-up? This was introduced almost a year ago back in May 2011, but the ICO made it very clear that they would not enforce for a minimum of one year (and that date is fast approaching, it will be May 26th this year), however during that time we have been waiting for guidance from the ICO on how exactly this should work.
Quote
I noticed on my ISP website they have information at the bottom of their website, like little icons that you don't even know what they are until you hover or click them which allow you to control the use of cookies they store.
That's not really satisfactory. The ICO's own site is so far the only site I have seen that actively follows the guidance.
I say FUCK ICO..
It sounds ridiculous you know, for the fact I can be persecuted for something I was unaware of.
I still don't understand it and if I get bitten by it.

Sounds to me like the want to abolish cookies.
What else are they going todo. Do we need to start displaying HUGE notices explaining what information is cached on your PC also lol.

I can say that almost every website I know on the internet is not even close to complying with this.
For the fact of, how can you comply with something you don't even know about and don't even understand.

Should set myself up as a user suing all websites that do not comply with something and make a million lol.
I am sure with all these stupid laws its possible lol.




Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #42, on April 20th, 2012, 11:38 PM »
Quote
It sounds ridiculous you know, for the fact I can be persecuted for something I was unaware of.
I still don't understand it and if I get bitten by it.
Ignorance of the law is no excuse, and if you prepare to run a website you should generally go out and make sure you are compliant. I've done a considerable amount of legwork for this reason over the years.
Quote
Sounds to me like the want to abolish cookies.
What else are they going todo. Do we need to start displaying HUGE notices explaining what information is cached on your PC also lol.
No, they want to make sure your privacy isn't screwed over. The real target of this law isn't to penalise site owners, it's to fuck over Google, and in particular the way Google's cookies track your actions, both their analytics and their ad cookies.

Also, read the discussions. They're not asking for huge notices. They're asking for prominent ones discussing cookies - the thing is, most sites don't really need cookies at all.

Consider this fact: SMF and Wedge, currently, use two principle cookies. One is issued to guests, whose sole purpose is to track what a guest is doing, and if you read my letter to the ICO, there are even privacy concerns about that. On the other hand, one cookie is only issued to members when they sign up, which will typically be covered by the agreement, so really all we're fighting about in Wedge's case is a cookie whose sole point is to identify a unique user. It's only really required to validate the uniqueness of the user, it's not really required for any other valid reason.
Quote
I can say that almost every website I know on the internet is not even close to complying with this.
It's not your problem. You only have to worry about the sites you manage. However if you find a site in the UK that issues you with cookies that don't really fall under the current laws, you can actually take them to the ICO. So yes, it is a problem if you run a site, but if you don't, it's no issue.
Quote
For the fact of, how can you comply with something you don't even know about and don't even understand.
Ignorance of the law is your problem, not the law's problem. No court of law will consider that a valid defence. As a site owner you are responsible for investigating the laws in your country/region and making sure that you continue to be informed about those rules.

In this particular case, it's been referenced many times on tech news sites, so I suspect if it were tested in court, it would be even further against you - it isn't as if this is a law that has been pushed through quietly.
Quote
Should set myself up as a user suing all websites that do not comply with something and make a million lol.
I am sure with all these stupid laws its possible lol.
You wouldn't win.

I forget whether this happened in the US or UK, but a few years ago, one or other of those places introduced some legislation to ensure that shops and offices introduced suitable measures for access by disabled people. Thinking about it, it might well have been the UK when the Disability Discrimination Act came in. Anyway, this guy in a wheelchair went around place after place after place, and each place that fell foul, he took them to court. The first couple went to court but after a short amount of time he was declared a vexatious litigant (i.e. someone going to court because they're a pain in the arse, not because they necessarily have a valid complaint) and was forbidden from doing it thereafter.

CJ Jackson

  • I got myself a new iPad, a different world to the iPhone!
  • Posts: 241
Re: The Cookie Law (in the UK at least)
« Reply #43, on April 20th, 2012, 11:52 PM »
I'm replacing my wordpress blog with one of my own, it will only use the cookie that will hold the session id, it will mainly be used for remembering what you typed into the html form, which should fall under the exception right?

This is all regulation over education, ICO is totally fucked up!

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #44, on April 21st, 2012, 12:00 AM »
Yes, where it's used strictly for carrying through in order to make certain things work, it should come under the exemption attached to 'facilitating communication', but be sure to only start the session when you actually need it, rather than straight away.

I don't think the ICO is fucked up, I think it's a worthwhile idea, let down by stupid implementation. A lot of the problem, as even they note, is that the browsers don't have the capabilities to properly cope with differentiating between first and third party cookies and such like.