
A similar law is still going strong in The Netherlands. As of this year, most Dutch sites greet you with an annoying pop-up.


The best (worst) thing about this whole law is that these sites used to work fine without cookies, but now no longer do. In effect, while making a sincere (and successful!) attempt at making cookie use more transparent, thereby enhancing user privacy, they unintentionally made cookie use more pervasive, thereby hurting user privacy.

I think that's a net negative.


Annoyance, related to privacy. I vote for being "annoyed".


In the abstract, I agree. Only somebody who does not understand cookies would say such a thing in this context however (like our Dutch politicians).

You, the website visitor, are running a program called a browser. This browser sends and receives data from servers that host the web sites you visit. Some of that data contains a request to store a piece of information on your computer. Your browser stores that piece of information, and later when you visit the site again, it sends the same piece of information back to the site.

Note that cookies are not some evil technology created by website owners to track you. It is YOU who is running the software that stores the cookie. If you don't want cookies, DON'T STORE THEM. This is easily done in any competent browser.

By analogy, if you don't want people to store things in your basement, don't give them the keys to your basement! The current Dutch law is: after you already gave them the access to store cookies on your computer, the law forces that person to ask you again if they are allowed to store cookies. Not only does it not keep any bad people out and thus gives a false sense of security, it's also annoying.

The correct action to take is to educate people on the existence of cookies, and how to disable them completely or disable them for specific ranges of sites. This is less annoying for both the users and the site owners, and more importantly it also works for foreign sites that the Dutch law has no power over, like Google Analytics & Facebook like buttons that track you all over the internet (which is a much bigger privacy concern than uitzendinggemist.nl or nos.nl). While they're at it they might as well sponsor efforts to make browsers less identifiable through other means than cookies, and support projects like Tor. Of course that's not going to happen, because the current security theater reminds millions of Dutch citizens every day that they are being protected by their politicians through messages in annoying popups.
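
As an added illustration that is not part of the original comment: a toy browser-side cookie jar in JavaScript showing the store-and-send-back cycle described above, with a third-party opt-in policy enforced in the browser. The host names are constructed, and treating the last two labels of a host as its "site" is a simplifying assumption (real browsers use the Public Suffix List).

```javascript
// Added example: toy browser-side cookie jar (not any real browser's code).
// Assumption: a "site" is the last two host labels; real browsers use the Public Suffix List.
const site = (host) => host.split('.').slice(-2).join('.');

class CookieJar {
  constructor({ allowThirdParty = false, optIn = [] } = {}) {
    this.allowThirdParty = allowThirdParty;
    this.optIn = new Set(optIn); // third-party sites the user explicitly allowed
    this.store = new Map();      // host -> Map(name -> value)
  }
  // May `host`, loaded while the user is on `topHost`, store or receive cookies?
  permits(host, topHost) {
    if (site(host) === site(topHost)) return true; // first party
    return this.allowThirdParty || this.optIn.has(site(host));
  }
  // Handle one Set-Cookie header value; attributes after ';' are ignored here.
  setCookie(host, topHost, header) {
    if (!this.permits(host, topHost)) return false;
    const pair = header.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 1) return false; // missing '=' or empty name: reject
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    return true;
  }
  // Build the Cookie request header the browser would send back.
  cookieHeader(host, topHost) {
    const jar = this.store.get(host);
    if (!jar || !this.permits(host, topHost)) return '';
    return [...jar].map(([n, v]) => `${n}=${v}`).join('; ');
  }
}

// Constructed scenario: the user logs in to news.example, which embeds a
// widget from tracker.example; later the same widget loads on shop.example.
function demo(options) {
  const jar = new CookieJar(options);
  jar.setCookie('news.example', 'news.example', 'session=abc123; Path=/; HttpOnly');
  jar.setCookie('tracker.example', 'news.example', 'uid=u-42; Max-Age=31536000');
  return {
    firstParty: jar.cookieHeader('news.example', 'news.example'),
    trackerOnOtherSite: jar.cookieHeader('tracker.example', 'shop.example'),
  };
}

console.log(demo(), demo({ allowThirdParty: true }));
```

With third-party cookies off by default the first-party login cookie still round-trips, while the embedded host has no identifier to send from the second site.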


The basement analogy is flawed. It's like a proxy holding your keys and giving them to anyone that asks, without your knowledge.

Education wasn't going to happen without notices like these.


Yes, I wanted to keep it simple. The fact is that that proxy (the browser) is the problem, and is also where the solution lies, not in the subset of people that Dutch law happens to apply to who make use of that proxy to obtain your keys.


Making them tell you they want the keys and give you a reason isn't all bad.

But yes, the proxy ought to do more to encourage people. One problem is that two of the major browsers (Firefox and Chrome) are funded by a company that makes all its money from tracking and advertising (Google), and it's pretty unlikely they would turn off third-party cookies by default, which I think would be a good start.


I wouldn't be against a law that requires browsers to make third party cookies opt-in. Note also that the current law has no effect on Google's tracking whatsoever.


All analogies are flawed and quickly break down. They're only designed as a linguistic aid to help explain a concept by likening the unfamiliar to the familiar. They're not designed to describe the concept itself.


This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".

People shouldn't have to take protective action in order to not get stalked by advertisers and marketers.

Such activities require opt-in and informed consent, and standard browser functionality doesn't even come close to supporting that.

Oh, I agree that the current law doesn't solve the problem.

But "educating the people" is a completely backward solution. The opaque stalking of people by the likes of Facebook and Google should be outlawed completely, and heavily enforced.


> This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".

This is a ridiculous comparison. Let's not go that way.

> Such activities require opt-in and informed consent, and standard browser functionality doesn't even come close to supporting that.

Yes, as I said that's where the problem lies, so that's what should be altered. This can either be done by education, or by making the browser more resilient (e.g. let the browser do opt-in for all cookies or at least cookies sent via stuff embedded in other web pages like Google Analytics and Facebook like buttons). The current solution of forcing Dutch websites to display popups is a farce as I explained because (A) it doesn't actually protect your privacy in any meaningful way (B) it's annoying. By giving a false sense of privacy it actually makes the problem worse.

Privacy laws should be about protecting privacy in general, not about a specific technology like cookies. There are plenty of genuine applications of cookies (keeping you logged in to HN for example), and there are plenty of ways for Facebook to track you without using cookies that they would happily switch to if this law applied to them (but note that those methods cannot be used to keep you logged in to HN because they are not secure so that might give somebody else access to your account -- but Facebook doesn't care about 100% reliability for tracking purposes, 99% is enough).


Again with the disinformation.

First, the law doesn't force websites to display popups, the law forces informed consent.

The pop-ups are a hack on top of existing sites which I agree quite clearly doesn't work. Also, there has been a clear failure by those enforcing the law in constructively thinking about the way in which such consent should be given.

Second, the law is very explicitly not about cookies nor any kind of specific form of technology. It's about invasive tracking, and other applications of cookies are in no way affected by the law. If Facebook finds a way to track people without cookies, it will still be covered by the law. The misleading name "cookie-law" is a product of the anti-privacy lobby.

The law in its current form may not have the desired result, but please stop pretending it's a law created by ignorant politicians that don't understand cookies, because that is simply untrue, and it poisons any constructive debate just as much as my admittedly over the top comparison.


> This entire argument boils down to "if you don't want to get raped, don't wear short skirts in public".

That's a pretty spot-on analogy and I, for one, am impressed by the depth and nuance you've brought to this discussion.


The point of the analogy is "blaming the victim", which imho is spot-on.

But yeah, I could have chosen a more tasteful and less over the top comparison. My apologies.


Shame is that at many sites it’s not really opt-in. If you disagree, you get a lecture on why the site is obliged to track you and then you can accept anyway or leave. A cookie wall, if you will.

Examples:

* http://tweakers.net

* http://nos.nl

* http://uitzendinggemist.nl

NOS (public news broadcaster) and Uitzending Gemist (public television catch up) are interesting cases because apparently they’re actually required by law to collect user statistics.


Be that as it may, you can still be tracked without cookies (HTTP or similar) just by looking at the browser's fingerprint. This method is less reliable which is why it hasn't been used in preference to cookies.

Requiring explicit permission to store cookies on a user's browser is more likely to encourage privacy-invading companies to use the browser's fingerprint instead. This fingerprint can be loosely tied to a real world identity, and across sites too. The user wouldn't have any knowledge of such happening and they also wouldn't have any degree of control over it. At least presently it's trivial to block the most common form of tracking: HTTP cookies.


One thing that is still unclear to me about the Dutch law:

Is the Dutch law only for .nl domains? Domains hosted in NL? Sites owned by Dutch companies?


The Dutch law applies to any company doing business in the Netherlands. So it applies to Facebook and Google as well as local Dutch sites, because they have offices here and accept money from Dutch users/advertisers.

It's almost just like in the real world...

(Also, there's plenty of jurisprudence for that when for instance it comes to online gambling.)


"Doing business" is also complicated.

We're a Dutch not-for-profit, running under a US .org domain name, with some servers hosted in Germany, and our visitors come from everywhere.

Right now the decision is only to annoy Dutch visitors (based on IP), but I've been waiting to implement it until there is some clarity.


What's the penalty for non-compliance in NL?


Maximum penalty is a fine of up to around 450.000 euros.


It is nearly always the case that the country the servers are in, and the country the owners (persons/companies) are in is the relevant law.

Imagine a Dutch company with servers in the Netherlands, with a .com address. Why would they be exempt from Dutch law?


Why would a Dutch company operating a .com on a US server, or an American company operating a .com (or .nl for that matter) on a Dutch server not be exempt?

I'm not arguing either way, and truthfully I'm not sure how I feel about it, but it gets hard to determine jurisdiction when you're talking about an entity (owner + domain + site files/server) being split across multiple jurisdictions.


Your server doesn't have to be in the US to operate a .com (or in the Netherlands to operate a .nl).

Sometimes laws can be written as "a person/company shall not cause personal data to be stored without users consent" (say). So if you, in the Netherlands, programme your server in the US to store personal data without consent, then you might be breaking the law. (Since you have caused a computer to do that.)


IIRC it's an EU directive (ePrivacy), which each member state has to implement. Hopefully, everyone will see sense with the directive.



