
Honest question: Can somebody explain to me why this is a bad thing? Ads can be served without cookies, right? Sure, (behavioural) targeting would break, but is that really a problem?


There is a huge redundancy here: if a user does not want cookies, every modern browser gives the user an ability to simply deny cookies. Just use the browser and solve the problem.

Now, even if you want to allow cookies (and have signaled as much in your browser), a site will have to disrupt your browsing experience to accept a cookie from the website.

Completely redundant and adds yet another layer of bureaucracy on top of website design. Very EU.

And there are plenty of good uses for cookies without having to register: session tracking for shopping carts (so that you can add items without logging in), session tracking for sites that show you a navigation breadcrumb...


I don't think it's reasonable to construe a software default as a conscious choice. Yes, people ought to know enough about technology to know what these defaults are. But the world is large and busy, and people don't have time for every possible choice; that's why we have defaults.


Also don't forget the uses that haven't been thought of yet.


Cookies are by far the most prevalent system for identifying which user made a given web request. This isn't just about advertising. Pretty much every site that supports "logging in" (including HN), and many sites that don't, use cookies to track user sessions.


How is that not covered by the following provision to the law?

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user


Have you ever seen two lawyers argue over what "strictly necessary" means? One would claim that ad serving cookies are always "strictly necessary" to an online business, the other would argue that cookies are never "strictly necessary" because you can replicate most cookie functionality with a "?sessionid=12354" header in a GET request.


Indeed "strictly necessary" to achieve what? If it doesn't tell you then that leaves a hole the size of reality in the law through which many truckloads of lawyers' salary can pass.

Strange how all those lawyers aiding the writing of the law would miss such a thing ...!?!


> you can replicate most cookie functionality with a "?sessionid=12354" header in a GET request.

That is very, very risky. Let's say that [popular-site-with-logins] is hosted in the EU and switches to ?sessionid=... style. Now people start sharing links to their content in the "normal" way (select URL, copy, paste) and suddenly you have problems with random users being logged in as someone else. (Or you have to limit the session to an IP, which annoys mobile users.)
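
The comment above, worked through as an added example that is not part of the thread: a toy server-side session lookup showing what a pasted link carries when the session ID lives in the URL, when it lives in a cookie, and when the session is bound to an IP address. The host name, IP addresses, user names, session table and function names are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed session table: session id -> (user, IP the session was created from)
SESSIONS = {"12354": ("alice", "198.51.100.7")}

def user_for_request(url, client_ip, cookies=None, mode="url", bind_ip=False):
    """Return the user the server would treat this request as, or None.

    mode="url":    session id is read from the ?sessionid= query parameter
    mode="cookie": session id is read from the request's cookies only
    bind_ip:       also require the request to come from the creating IP
    """
    if mode == "url":
        sid = parse_qs(urlsplit(url).query).get("sessionid", [None])[0]
    else:
        sid = (cookies or {}).get("sessionid")
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, created_ip = entry
    if bind_ip and client_ip != created_ip:
        return None
    return user

def scenarios():
    """Run the cases from the comment; map each case to the resulting login."""
    # Alice copies her address bar and pastes it somewhere; Bob opens it.
    shared_url = "https://example.test/photos/42?sessionid=12354"
    clean_url = "https://example.test/photos/42"
    bob_ip, alice_home, alice_mobile = "203.0.113.9", "198.51.100.7", "192.0.2.55"
    alice_cookie = {"sessionid": "12354"}
    return {
        # URL sessions: whoever opens the pasted link is treated as Alice.
        "url_shared_link": user_for_request(shared_url, bob_ip),
        # Cookie sessions: the pasted link carries no credential.
        "cookie_shared_link": user_for_request(clean_url, bob_ip, {}, mode="cookie"),
        "cookie_owner": user_for_request(clean_url, alice_home, alice_cookie, mode="cookie"),
        # IP binding rejects the shared link...
        "bound_shared_link": user_for_request(shared_url, bob_ip, bind_ip=True),
        # ...and also rejects Alice once her phone moves to another network.
        "bound_owner_new_ip": user_for_request(shared_url, alice_mobile, bind_ip=True),
    }

if __name__ == "__main__":
    for name, user in scenarios().items():
        print(f"{name:20} -> {user}")
```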


A web browser is not strictly necessary for an online business' customers. They could just telnet to the server.

A steering wheel in a car is not strictly necessary to drive it. Drivers could physically turn the tires.

And so on.



Yes. Sure, but they do so to provide some functionality the user actually wants. And if he does, you can ask him. When she's signing up would be the perfect time. Another checkbox you have to click. Annoying enough, but no big problem.

Sure, other (non-sign-up) functionality might also need cookies (changing font size, switching themes, the small things) and you might not want to annoy the user with stupid checkboxes for those kinds of stuff, but other than that?

I still don’t see the big scandal.


And every time I go to play a flash game it will have to ask me if it's allowed to remember where I'm up to in the game.


The law appears to ban only long term cookies, so you are still ok if you use session cookies (such as those used for logins) which expire when the browser is closed.

Now come the hacks: serve JavaScript with a unique ID in it. Set the cache policy to never re-download or recheck the file. Use your lawful (semi-)permanent cookie.

The user obviously asked for the data to be stored, since it's part of caching.

Or am I going to have to ask the user before being allowed to cache anything locally?


If a user has an account (e.g. to log in) then surely you can make them consent to cookies to track their login in your terms of service?

Still think it's a nonsense law though ..


Sites can use cookies to remember if someone left a menu open or closed, and keep the menu that way on new pages.

You can use cookies to act as a "bread crumbs" trail, so people can see what other pages/products they have looked at.

If you make a multi-lingual site, you can use a cookie to remember what was the last language the user chose, and show all future pages in that language, without them having to change it on every page.


It doesn't just break behavioral targeting, it breaks conversion tracking. Most campaigns are run with Cost Per Acquisition (CPA) goals, regardless of how they're priced (CPM vs CPC, etc). Figuring out actual CPA depends on being able to match up conversions with ads being served. In most cases, campaigns are being run across multiple ad networks, so you can't just look at total conversions and divide by all impressions.

The process for doing this relies on being able to set a cookie when the ad is served and read the cookie back on the landing page for the conversion. Taking away the ability to track conversions will set the online advertising industry back significantly, which is why the major opposition to legislation like this comes from advertising companies.



