Spain begins disciplinary proceedings against site for violating Cookie Law (translate.google.com)
79 points by martinml on Aug 26, 2013 | 79 comments


Sorry for submitting a Google Translate link. It's not doing a perfect job on a legal text, but I didn't find any source in English. This is a blog post by the lawyer taking this case, and the client's name is not yet known.

Here's my summary of some facts (IANAL!):

- The cookies being investigated are from Google Analytics, Google Maps, YouTube, Adsense and WordPress.

- The website was setting the cookies in the browser and then showing a popup warning the user that the site used cookies and that if they didn't want them they could delete them.

- The AEPD is a governmental organization which watches over personal data and privacy infringements. If a company infringes your rights as a citizen, you submit a complaint to the AEPD, and they can investigate and fine if necessary.

- The AEPD states that the fine is imposed because the website should not set any cookies until the user has accepted the warning.

- The Spanish law being used here is RD 12/2012, which was created using the 2009/136/CE EU Directive as its framework.

- The fine is still not final. They can still present allegations.


This is one of the most stupid and anti-user laws on the books. Worse, it's probably the only law I've ever seen have an instant and devastating effect on the UX of a swathe of websites.

Hopefully they are going to start suing people regularly (unlike the inaction being taken in the UK) so that business wakes up to this stupid law and finally gets it repealed, the sooner the better.


The best balance would be to present the user with a page that lists all the things the site would like to track and let the user opt out of anything they don't want tracked.

Some people may value a "degraded" experience over being tracked.

I put "degraded" in quotes because it's often a degraded experience for the company's profits not the end-user.

Please, give us some examples of how this is "devastating" for the UX of a swathe of websites.


> The best balance would be to present the user with a page that lists all the things the site would like to track and let the user opt in to any way in which they would like to be tracked.

FTFY.


That's not a balance. That makes the cookies effectively unusable since 99% of people stick with defaults, and even more so in this case because they'll see the boilerplate so often that a spinal reflex will kick in before they even see the box with their conscious brain. This will, in turn, force all websites to force users to accept the tracking in order to use the service.


Ok, better option.

Give the user four big buttons.

(1) "Deselect all tracking options. I will choose the ones I want" (2) "Select all tracking for an optimal user experience, but don't opt me into additional tracking metrics for your use" (3) "Opt me into all tracking options, both those for an optimal user experience and ones that help you improve the service." (4) "Give me the most commonly selected options by previously registered users"

(1) is privacy mode. (2) is privacy mode with some concessions for optimal experience. (3) is "okay, I'll help you guys out", and (4) is "I trust the wisdom of the crowds".


Endless popups, pop downs, moving content around. The absolute worst is pages that create a 'popup' at the top and move the content down just as you're about to click something. So you end up clicking something else.

And for what!? To scare the user about cookies? We had the scare about cookies in the 90s when they were explained as "bits of code that websites can infect your machine with".

Cookies are ONE method websites can use to track you. If you click "don't use cookies", the website will just use another method to track you. It's absolutely trivial to bypass.

And it's trivial for any user to configure their browser to reject cookies for any website they wish to.

So what has been achieved by this idiotic law?

Absolutely nothing.

It's yet another fantastic demonstration why the EU is such a bad idea.


Cookies are just ONE method, that's why the law is not limited to cookies, but instead refers to all client side saving technologies (of which the cookies are the most common). Your post is yet another fantastic demonstration why criticizing the EU, without knowing what you're talking about, is such a bad idea.


I am by no means an expert on particular EU laws, but as far as has been explained to me, the laws adopted in member states do not specifically point out cookies. They are more general. To simplify, they state that users should not be tracked without them consenting. The exact technology used is irrelevant.


I know precisely what I'm talking about.

Still, I guess I should have been clearer - there are several "non client side" saving technologies which are outside the scope of this law, and make the law completely useless.

Further though, I would criticise the EU whatever the content of this law. We do not need a law to enforce rules about a specific technology of HTTP. What the hell business is it of the EU?

The EU is absolutely obsessed with writing up laws to invade into absolutely every area of our lives.


> The EU is absolutely obsessed with writing up laws to invade into absolutely every area of our lives.

That is a funny way to frame it! Being European I, for one, welcome a government trying to protect me from the massive, for-profit, privacy invasion and user data trafficking that the internet business currently is.

And, as said before, the "cookie law" applies to any form of user tracking and storing or exchanging user-specific data. You can't code around it. Sending visitor data to Google Analytics server-side could technically hide the cookie, but it would legally be exactly the same as using the cookie based client-side javascript.


Up next, "large image law".

The internet is blighted by large images, which use up people's valuable bandwidth. These should be opt-in. Before giving the user a large image, a popup should display to ensure the user wants to download a large image.

Can you not see how crazy it is to start down this road?


I find it really annoying as a non-EU citizen using a site in a non-EU country but still having to dismiss these warnings even on mobile devices (where it can be much harder to hit the link/button).

The Internet doesn't care what country I'm from, so why are we designing it that way? The same goes for non-US content restrictions as well.


> The Internet doesn't care what country I'm from, so why are we designing it that way? The same goes for non-US content restrictions as well.

Because the two other options are either to have no laws around the internet, or to designate one organisation (or one country) to define and enforce laws.


I'll take the former, please.


No laws whatsoever? So someone can buy childporn.com and charge people for access?

I know issues like child safety are often used for over-reaching legislation that's bad for everybody, but that doesn't mean there aren't also valid reasons for governments to be involved here.

Just because the current implementation is often shitty, it doesn't mean we should go the exact opposite way. The same way that disliking things like anti-terrorism legislation doesn't make most of us think "we need to get rid of all laws".


Yes. No laws whatsoever online. Let it remain out in the open on the internet. A site like that has content that must be illegally made in real life. Real life is where the police should be enforcing the laws. Letting it exist out in the open would probably make their job of finding the people exploiting kids to create such content that much easier. Those sites aren't the real crime, they are the documentation of the crime. Allowing the consumption to be out in the open would probably reduce the stigmatization of such content to the level where those doing the consuming can feel comfortable seeking help and therapy to overcome their vice. Hiding things away and criminalization of consumption just leads people to go longer and longer down their own dark personal rabbit hole without getting help.

If such sites existed, you could probably, at the country level, inject ads for free state-sponsored psychiatric therapy services for users.

AFAICT anything that is illegal on the internet is usually also illegal in real life. Things that cause no real life damages have no reason to be illegal.


Child porn is already against the law. We don't need legislation that takes existing legislation and adds "..but on the internet" as it's generally ill-thought-out, "feel good" ineffective garbage. As the cookie law shows us.


Think of the children, man... I wondered how long until I'd see this argument.


In some limited cases it's a perfectly valid argument. I'm against most of the current internet legislation, and hate seeing children used as a reason for it, but that doesn't mean there aren't any good laws.

Take my specific example. If someone hosts a childporn.com that is exactly like any legal porn website but with children, should that be legal or illegal?


It should be illegal. And it is illegal. The point is that there doesn't need to be laws specifically designed for "... but on the Internet", because those laws already apply. The person putting content on that site is already breaking the law in his country, and if he's not breaking the law in his country then he's just not breaking the law.

"... but on the Internet" is becoming a digital version of the USA's "interstate commerce" clause [1]. Yes, the Internet crosses national borders, but as we see from Megaupload, it can be used by one nation to enforce their laws in another nation that may not have the same laws. Just because activity X is illegal in the US but legal in Germany does not mean there should be a law banning activity X ... but on the Internet. In areas where this should be enforceable, it's already illegal.

[1] Generally the Interstate Commerce Clause is used to regulate economic activity that affects trade between US states. Trade that stays in one US state is regulated at the state level, not the national level. Sometimes this clause can be used/abused to enforce laws the federal government wants enacted just by the government going out of their way to find a reason that an activity is affecting interstate commerce, see http://en.wikipedia.org/wiki/Wickard_v._Filburn


It's a perfectly valid argument. However, it is being abused to the point where it is considered the root for every explanation. Yes, our children are the very first thing that we should protect, but if you want it as a good argument, "think of the children" should start the discussion, not end it.

For example, you want to tape everybody and then explain this away with "think of the children: we can catch child molesters this way". This argumentation works only for those who don't know any better. You take them for fools and thus you are not a good partner: you must have some ulterior motives.


Can it really be repealed by the Spanish government if they're required to enact such a law as a result of an EU Directive? They could take the UK's approach of turning a blind eye, but I tend to feel it's wrong for a country to pick and choose which laws to enforce.


The EU is a set of treaties between sovereign states. The Parliament in each state supersedes the EU bodies (commission and parliament namely). So, yes they can repeal the law. It violates the treaty, and they'll be fined, but that's about it.


Can Spain even afford such a fine?


Afford? Yes. Willing, not really in this case. The fine is high enough to hurt, but low enough to be supportable if a country really wishes to violate the directive. Think of a ballpark in the order of 20 million euros per year (fines are paid until the directive gets transposed into national law).


Well, this is the EU, and countries ignore or adjust EU directives to suit all the time. Spain's implementation of TUPE is a total FY to the EU and has no relation to the spirit of the Directive.

Italy also does this a lot; remember the YouTube fiasco where they ignored EU law.


A bit of fun about all this:

The local government site of my Spanish country even uses JavaScript to record your mouse clicks in the US (and cookies without notice, of course), pixel-based tracking in case you block JavaScript, and more along the same lines...

And it has been said in their "opengob" sessions two years ago... and you know what? The local gov does not have any proceeding about their faults.

The same as we have known grabbers (with proceedings that always finish the same way), such as politicians and the monarchy, which in turn control the lawyers and the public security we pay for (in the figurative sense of the word).

It's not nice to be Spanish these days. A Spaniard (writing from another country).


This is interesting. Is it clear in the law that no cookies shall be set until the user has accepted the warning, or is that an open interpretation in this particular case?

My initial reaction is that this seems fair. The fine is substantial, but not deadly to an enterprise, so it would serve as a warning without being catastrophic for them.

I'm not an EU citizen - but presumably the EU's rather strict laws re: cookies derive from privacy and a desire not to be tracked at all. A user who has accepted Google cookies from other sites need not submit to the same tracking cookie on your site - but even if you delete the cookie afterwards, presumably Google Analytics has already captured the visit.

And there is, as far as I know, no way to remove that event from Google Analytics.


> Is it clear in the law that no cookies shall be set until the user has accepted the warning, or is that an open interpretation in this particular case?

This is a very liberal translation of the relevant part of the law[0]:

"Those who provide services will be allowed to use storage devices in remote computers, provided that the owners have given their consent AFTER [my emphasis] they have been informed clearly and completely about the utilization of the private data".

[0]: http://noticias.juridicas.com/base_datos/Admin/l34-2002.t3.h..., article 22.2.


That sounds like technically the consent has to come after being informed, not the storage.


But they may only use the storage once consent has been given, which can only happen after a warning has been issued.

The two clauses seem to indicate that consent must be before storage, and warning before consent, hence there must be a warning /before/ the storage on the remote machine.


In either case, storing the cookie before consent, in the Google context, seems to run directly counter to the intent and spirit of the law.

I'm not big on technicalities. Normally I would put this in the "not a big deal" bucket, but in this case the specific cookies do not belong to the website itself. This means that you cannot retroactively "untrack" a user once they refuse your warning.

If this was just the website's own cookie, and if the cookie could be deleted and all tracking data would vanish from the site's own backend, then I'd be inclined to give it a pass.


"provided" means a condition.

So in parsed order: 1. informed. 2. consent. 3. storage.


"Provided that" as a condition does not imply any temporal order (in English at least).


Don't rely too much on my bad translation :)


Please also note that according to the post, if the sites are hosted on third-party platforms like Facebook or Tumblr, which install tracking cookies, the owner of the site can still be sued, even if it's outside his control.

In practical terms this means that any individual or business having a Facebook profile page or blog on Tumblr could be sued.

This is just Spanish law at its best (I'm Spanish, too).


> In practical terms this means that any individual or business hosting having a Facebook profile page or blog on Tumblr could be sued.

This just says that they're responsible for the effects of the services they contract, in addition to acts they undertake directly.

Should a person building a bridge get out of the liability because they contracted out parts of the work? No.

Neither should the operator of a website because they opted to use services provided from a third party for part (or all) of their web services.


If you bought from an online store, and it used an insecure third-party payment provider which leaked your CC number all over the web, would you say the same?


The last place I worked was a Swiss organization that built web sites for the European Commission. Dealing with the EU cookies directive was an amazing waste of brain cells for everyone on the team.

For instance, were we allowed to ignore it because we were Swiss (non-EU)? If not, which version of the law were we required to comply with? For instance, the UK implementation of the law says that you can assume "implied" consent if the user ignores your popup altogether. However, the Dutch version of the law is much stricter - the user must click "I accept" before you can save any cookies. And the French version of the law allows for lots of exceptions, e.g. for setting the user's preferred language.

Plus, we needed a cookie just to store whether or not the user clicked "yes" or "no," so in effect we were forced to break the law no matter what we did. (The only alternative would be to show the "no" users the popup every time they came back to the site, since we were supposed to forget that they had even clicked "no"...)

So all in all, it was a huge mess. In the end we just copy-pasted a jQuery plugin from GitHub and chose the strictest setting. Now our site is uglier, it's more confusing to users, and we still have to cross our fingers that we didn't miss a corner case in Bulgaria or something.


> Plus, we needed a cookie just to store whether or not the user clicked "yes" or "no," so in effect we were forced to break the law no matter what we did.

This means you didn't waste too many brain cells after all.

If the user clicks no, you either show it every time, or set a session cookie, which is not supposed to be saved on disk per the specs. If the browser decides to save it on disk, it's their problem.

But if you set a "no" cookie, then it's the typical government contractor: going the extra mile to bill for the law, but completely ignoring the law's purpose and benefits.


Has there been any work done at all to standardize this process and allow users to opt in to cookies at a browser level, so that we can all stop seeing this stupid warning? Would that even be allowed under the law?

I tried to download a Firefox extension called "cookiesOK", but it doesn't seem to work in most cases.


The problem is that every site owner displays a slightly different popup. A few of my friends were trying to build a Chrome extension[1], but they soon figured out they were going to need custom JavaScript for every site in Slovenia (and others of course, but they were focusing on Slovenia) and they abandoned the project.

Personally I believe the EU should target browsers, not site owners, for this. At least by doing so we would get a standardized UI and the ability to opt in or out.

[1] https://chrome.google.com/webstore/detail/peeshkot/idfkeeahc...


One would assume that the act of visiting a web site, from a personally identifiable IP address, using a web browser that accepts cookies is an act of consent to receive those cookies. The behavior is both expected, avoidable, and blockable.

This approach -- either by law, or by some "do not track" flag broadcast to web sites is the equivalent of walking through a busy city with hundred dollar bills hanging out of your pocket, with a sign hanging around your neck requesting that no one takes your money -- all when a simple wallet in your pocket would be adequate.

There are serious privacy issues when it comes to the internet and tracking. The "solutions" we've seen targeting cookies in both the US & EU would be laughable if they did not threaten to add considerable legal obligations over even the most casual of web site owners.


Expected? By whom? Technologists like us, yes, but not many of the general public. Walking around with $100s is a false analogy; accepting tracking cookies is completely invisible to the user. Furthermore, even if one does walk with $100s, theft is still illegal.


> Has there been any work done at all to standardize this process and allow users to opt-in to cookies at a browser level

Yes, it's called DNT (Do Not Track)

It could solve exactly this problem, but it is effectively sabotaged by the internet industry.


Mentioned in the article: Spanish businesses using Facebook pages could be non-compliant with this law. Same with others using WordPress, Blogger, Tumblr and so on, since tracking cookies are being installed without prior user acceptance. Also note that the business is liable for this, not the hosting service provider.

I wonder how far the hosting provider definition goes. If Twitter is used in a company's marketing strategy, is it liable for the cookies installed by Twitter? I don't see it as different from the Facebook pages example cited.

The only practical option given this is to stop using those providers.


Actually, most warning implementations punish those users that disable cookies in their browsers by forcing them to see the obnoxious warning every time they visit the site.

This is arguably worse than the previous situation.


... This isn't some "punishment", this is how the internet works. If you opt out of being tracked and cookies... how would that be remembered? That is really a sign it's working. This is part of why this is such an amazingly defective law.


Some pages (e.g. all that use the consent.truste.com script) use localStorage to store the decision. That way the decision remains client-side and can still be persistent by hiding the question via JavaScript.


This law applies to any kind of "data" stored on the client, so using localStorage to store the user's answer would be breaking the law. http://www.cookiepedia.co.uk/eu-cookie-law


I don't remember the specifics. They could add a checkbox "store this decision locally", which would allow storing this single information - and localStorage is the best place to put it (unlike cookies).
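As an added illustration of the mechanics argued over in this sub-thread (not code from the thread, from consent.truste.com or from any linked project): a consent gate that defers every tracker-loading script until the user explicitly accepts, keeps a "no" in memory only (the session-scoped approach), and writes the decision to persistent storage only when the user asks for it to be remembered (the "store this decision locally" checkbox). The storage object is injected, so the same logic runs against window.localStorage in a browser or against the in-memory stand-in constructed here. The key name cookie_consent and all function names are my own assumptions.

```javascript
// Added example: consent gate for scripts that set tracking cookies.
// Not from the thread or any linked project; all names are assumptions.

const CONSENT_KEY = "cookie_consent"; // assumed storage key

// Minimal stand-in for window.localStorage, constructed so the example
// runs outside a browser (Node). Same getItem/setItem/removeItem shape.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

function createConsentGate(storage) {
  const pending = [];                          // trackers waiting for consent
  const loaded = [];                           // names of trackers actually run
  let remembered = storage.getItem(CONSENT_KEY); // "accepted" | "declined" | null
  let sessionChoice = null;                    // this page view's choice, memory only

  // The session choice wins over a remembered one (e.g. user just withdrew).
  function current() { return sessionChoice || remembered; }

  // Run queued trackers, but only once consent is "accepted".
  function runPending() {
    if (current() !== "accepted") return;
    while (pending.length) {
      const tracker = pending.shift();
      tracker.run();
      loaded.push(tracker.name);
    }
  }

  return {
    // Register a tracker loader (e.g. the Google Analytics bootstrap).
    // Nothing runs, and so no cookie is set, until acceptance is recorded.
    register(name, run) {
      pending.push({ name, run });
      runPending();
    },
    // Record the user's explicit choice. Only when `remember` is true does
    // the decision touch persistent storage; a plain "no" stays in memory
    // and the banner simply reappears on the next page view.
    decide(choice, remember) {
      if (choice !== "accepted" && choice !== "declined") {
        throw new Error("choice must be 'accepted' or 'declined'");
      }
      sessionChoice = choice;
      if (remember) {
        storage.setItem(CONSENT_KEY, choice);
        remembered = choice;
      }
      runPending();
    },
    // Stops future loads only: a hit already sent to a third party
    // cannot be recalled from here, which is the thread's main caveat.
    withdraw() {
      sessionChoice = "declined";
      remembered = null;
      storage.removeItem(CONSENT_KEY);
    },
    // True while no decision is known for this page view.
    needsBanner() { return current() === null; },
    loadedTrackers() { return loaded.slice(); },
  };
}
```

Usage in a page would be `const gate = createConsentGate(window.localStorage)`, then `gate.register("ga", loadGoogleAnalytics)` for each third-party script and `gate.decide(choice, rememberCheckbox.checked)` from the banner's buttons. The design point is that the loaders are functions, not script tags already in the document: the only way a tracking cookie can appear is through `runPending()`, so the "set first, warn later" order the AEPD objected to cannot happen by accident.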


I am surprised - isn't this what we want? Instead of secrecy, governments warn everyone they are being tracked online. And we moan about it. It wrecks the UI, it is annoying. Folks - this is the Snowden debate, but without the security services.

Yes they should have got into the RFC / IEEE debates (which are fast becoming laws of their own), yes they should be doing it better. Yes they should stop monitoring everyone.

But they are at least starting the debate. And not on an obscure tech forum, or in dusty volumes of proceedings, but right there, in everyone's face.

And until we find a way to make privacy and surveillance and technology triggers in every politician's Skinner box, then it's probably the best start we can get.


Not even close. These solutions we have seen, both legal and from the browser level, are the equivalent of walking around nude in a busy city with a sign hanging around your neck saying "Please no photos." (I gave a slightly different analogy in another comment.)

A browser "do not track" request presents absolutely no true privacy, nor does fining forcing all web sites to implement custom pop ups which block site usage if the visitor doesn't agree.

These solutions are stupid, the things they claim to accomplish are already possible by the user's own choice, if someone could be bothered to tell them how to do it.

If these political entities really cared about privacy here are some of the things they would be doing:

a) blocking foreign intelligence agencies from openly monitoring all internet traffic in their country (and I don't just mean the NSA)

b) pass laws radically reducing or eliminating ISP logs rather than increasing them

c) investigate private companies engaged in mass-surveillance that also use cookie-less tracking techniques. (Facebook mass facial recognition, several nameless companies claiming to prevent ecommerce fraud, etc)

d) spend money educating the public about simple, free, existing techniques to ensure their personal privacy

What you are witnessing in regards to cookies is a hoax, meant only to distract from the real issues.


> if someone could be bothered to tell them how to do it.

It's been clear and simple how to turn off cookies. But the silver-haired old grandmother simply does not read those sort of instructions. That kind of knowledge comes from osmosis, from the surrounding culture.

We want to avoid 150 years of pollution before the digital equivalent of the EPA or the Clean Air Act. We want to get the surrounding culture focused on what is tracked and trackable. Snowden has massively moved this on, but putting a web page in front of everyone is also moving it on.

There are no reasonable regulatory fixes to NSA/GCHQ/Russia/China, that are not supported and demanded by a sizeable majority of people.

Not sure how to get there, but claiming this is a hoax is a little unfair


It's not the Snowden debate, not by a long distance. Some cookies (like ad trackers) can be annoying/slightly disturbing, but even before the cookie law they were pretty obviously there and in most cases pretty easily opted out of already if you knew what you were doing.

I don't remember seeing the "opt out of NSA surveillance" option anywhere in my browser or email client.


I agree that the one good thing this law has done is start a debate.

On the downside it is negatively affecting how you interact with websites. Often before I can even determine if I am on the right website I get a pop up message before I can continue.

Recently I was on a shopping site and I clicked no to the cookies thinking it would only stop tracking cookies. Was surprised when my cart wouldn't save. It is silly that this breaks the site's basic functionality.

If anything browser vendors should be doing more. I do not think this can be done via legislation though. I also think prosecuting websites is silly. If these cookies are so toxic the companies running the services should be showing messages.

For example, analytics. Why is it that I need to "opt in" to this on every site with a pop up? Why can't I just click YES and be done with it when it comes to this service?

You could then have non-tracking cookies essential to the running of the service exempt from this law.


The problem is that there is no debate about how to deal with this in pragmatic terms. Instead, they are just issuing fines on businesses that are probably already having a hard time keeping themselves alive.

The whole situation would be completely different if this had been discussed in practical terms. They could have matured possible technical solutions for this and also made sure that big third-party providers (Facebook, Tumblr, etc.) that host websites for EU businesses comply with this regulation, rather than making the business owner responsible.

If you get a fine of €30K I bet you wouldn't call that a debate, correct?


Is there an open source JavaScript snippet somewhere that I can put on my page and it shows a pop up prompting users to accept cookies?


There are several, with http://www.civicuk.com/cookie-law/index and http://silktide.com/cookieconsent being the most popular afaik.


If your server sends cookies automatically, it would fall foul of this Spanish implementation of the law (supposedly). Implied consent does not cover simply giving the users information, and some of the cookies being argued over are third-party too. There's no third-party snippet you can drop in and "fix" this for Google Analytics (for example).


You actually need to avoid cookies getting stored until users give their consent to do so. Probably something like the rack-policy Ruby gem linked below will help make sure there are no cookies at all.

https://github.com/peter-murach/rack-policy#rack-policy

I don't know if there are similar libraries for other platforms.
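The server-side half of that idea, as an added example in framework-agnostic JavaScript that is my own and not the rack-policy gem's code: a response filter that drops every Set-Cookie header the application tries to emit until the request carries a consent cookie, while letting a short allow-list of cookies the site cannot function without (and the consent cookie itself) through. The cookie name cookie_consent, the allow-list and the sample headers are constructed assumptions. It answers the "my cart wouldn't save" and "how do I store the opt-out" complaints earlier in the thread, and it only governs cookies your own origin sets: a Google Analytics cookie written by client-side JavaScript, or a cookie from an embedded YouTube frame, never passes through this code at all.

```javascript
// Added example: hold back Set-Cookie headers until the visitor has consented.
// My own JavaScript, not the rack-policy gem; names below are assumptions.

const CONSENT_COOKIE = "cookie_consent";   // assumed: written by the consent banner
const ESSENTIAL = new Set(["session_id"]); // assumed: cookies the site cannot run without

// Parse a request Cookie header such as "a=1; b=2" into a Map of name -> value.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;                     // skip malformed fragments
    out.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return out;
}

// Name of the cookie a Set-Cookie header would create ("_ga=...; Path=/" -> "_ga").
function setCookieName(setCookie) {
  const eq = setCookie.indexOf("=");
  return (eq < 0 ? setCookie : setCookie.slice(0, eq)).trim();
}

// Consent exists only when the banner recorded an explicit "accepted".
function hasConsent(requestCookieHeader) {
  return parseCookieHeader(requestCookieHeader).get(CONSENT_COOKIE) === "accepted";
}

// Return the Set-Cookie headers the response is allowed to keep.
// Without consent, only essential cookies and the consent cookie survive,
// so a cart or login still works while analytics cookies never reach the browser.
function filterSetCookie(requestCookieHeader, setCookieHeaders) {
  if (hasConsent(requestCookieHeader)) return setCookieHeaders.slice();
  return setCookieHeaders.filter((header) => {
    const name = setCookieName(header);
    return ESSENTIAL.has(name) || name === CONSENT_COOKIE;
  });
}

// Constructed sample: what an application might try to set on one response.
const SAMPLE_RESPONSE_COOKIES = [
  "session_id=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.1234.5678; Path=/; Max-Age=63072000",
  "cookie_consent=accepted; Path=/; Max-Age=31536000",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("no consent :", filterSetCookie("", SAMPLE_RESPONSE_COOKIES));
  console.log("with consent:", filterSetCookie("cookie_consent=accepted", SAMPLE_RESPONSE_COOKIES));
}
```

In a Node server this sits where the response headers are finalised: read `req.headers.cookie`, pass the array the app built for `Set-Cookie` through `filterSetCookie`, and write only the result. Keeping the allow-list explicit and short is the point; a cookie that is not on it is treated as tracking by default, which matches the "no cookies until accepted" reading of the Spanish rule discussed above.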


Does this impact only sites hosted in EU? Or with a domain from an EU country?


The actual implementation of the law depends on the country, but they are all based on the same EU directive.

AFAIK this applies to companies registered in those countries, or with an office there, or targeting the market in those countries.

So, to make things more difficult, the German law implementation might be different from the Spanish implementation. If you are targeting both markets, you'd need to pay close attention to both.


Is this message only required on commercial sites? Or do I need to display the cookie UI whenever I have any kind of html on the web that uses Google analytics (i.e. cookies)?


Yikes. I'm generally in favor of web privacy, but with unemployment numbers like theirs, that seems like the last thing Spain needs right now.


I'm from Spain and I've been running a webdev shop for 6 years now.

Things are getting worse here and the government if anything is actually just making things more difficult for everyone.

I agree with those trying to protect their privacy but for the sake of practicality they should look for a pragmatic approach.

BTW, making individuals and companies responsible for tracking cookies installed by third party platforms like Facebook, Tumblr, etc. because of this law doesn't really help us being more competitive either [sarcasm sign].


Can you please explain a little bit more about this cookie law? The only one I heard about was the UK cookie law, and it was abandoned months ago.

Which websites does it apply to? Websites hosted in Spain? Websites of commercial businesses operating in Spain? Any website with an address in Spain?


I'm not him, but I can try to answer you.

It applies to any businesses, professionals with a web page, and anyone who offers a service as long as they a) are located in Spain, b) target their services to the Spanish market or c) if they have a (permanent or regular) workplace or facilities in Spain.

(It's a translation from Spanish legalese, so probably the language is muddled, sorry.)


Thanks. So by condition b that includes almost anyone on the internet!


It seems so, but I guess it'll be difficult to fine businesses without presence in Spain.


In practical terms I don't think the Spanish AEPD (institution for data protection) would actually sue any company not registered in Spain. Too complicated.


So if I'm outside of Spain I don't need to care about this?


If you are doing business anywhere in Europe you should.


Care to elaborate? I thought the Cookie Law was dead.


Don't they have anything more important to do? Like, e.g., creating the 6M jobs they desperately need?


My web-sites will say - "This site uses cookies ... If you agree, please leave."


How does one store that a user opted out of cookies?


This is a shambles.



