Slashdot Mirror


Sweden May Mandate Opt-in For Cookie Transfer

Vitdom writes "The present government in Sweden has published a proposition regarding 'Better rules for electronic communication.' Amongst other proposed amendments, it suggests that websites must inform the user of the 'purpose' regarding each individual cookie transferred to the user's browser upon connection. Secondly, it is suggested that the user must give his consent before the transfer of the cookie in question. The proposition is to be voted on by the Swedish parliament on 18 May this year. If accepted, the law will be in effect in June."

  1. Spyware vs cookies by Adayse · · Score: 4, Informative

    I just read the proposal and its purpose, as far as cookies go, is to make spyware illegal to comply with an EU directive. The discussion centers around how to do this without requiring an opt-in for every cookie because cookies are also used to spy on you.

    Third party cookies should be illegal but I very much doubt that this proposal wants to go there.

    1. Re:Spyware vs cookies by Morth · · Score: 4, Informative

      Here's the change we are discussing (google translate).

      Old text:

      Electronic communications may be used to store or access information that is stored in a subscriber or user-dares terminal equipment only if the subscriber or user of the controller is informed about the purpose of treatment and opportunity to prevent such treatment. This does not prevent such storage or access needed to perform or facilitate the transfer of electronic messages via an electronic communications network or which is necessary to provide a service that the subscriber or user has requested.

      will be changed to:

      Data may be stored in or retrieved from a subscriber or user equipment only if the subscriber or user will have access to information about the purpose of treatment and agree to it. This does not prevent such storage or access needed to transmit an electronic message via an electronic communications network or which is necessary to provide a service the subscriber or user has explicitly requested.

      Not sure I've ever seen such an ambiguous law text.

  2. Age of consent by Alain+Williams · · Score: 4, Interesting

    Next comes the meme:

    1. Agreeing to accept a cookie is a legal agreement
    2. You can't enter a legal agreement until you are 18
    3. Ergo: you can't surf the web until you are 18

    Hmmmm ....

  3. Re:EU directive by jgrahn · · Score: 4, Insightful

    This is of course based on an EU directive. Not sure why Sweden was singled out.

    Because we plan to kidnap Julian Assange and lose him on a small island in the Baltic sea where the only female inhabitants are sheep?

    Seriously, it might be because we have decent media coverage of these things. This is just one in a series of daft technological decisions coming from the EU, and journalists in .se are used to covering them. (And Slashdot readers in .se are used to submitting the results here.)

  4. And for websites that issue up to 20 cookies? by amn108 · · Score: 4, Insightful

    I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain to them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.

  5. Re:It goes beyond that. by Calydor · · Score: 4, Interesting

    And if you say no you won't get a cookie remembering that you've said no, so on the next page you get a pop-up asking if you want the cookie, right up until people give up and just accept the cookie.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  6. Re:It goes beyond that. by maxwell+demon · · Score: 4, Informative

    But cookies in general do track users.

    AFAIU "tracking cookie" means a cookie set from a third-party site in order to track you across several sites. The cookies Slashdot uses to keep track of you when logged in are not tracking cookies, because they are only set or read if you are going to Slashdot (at least I hope so). The cookies advertisers set are tracking cookies, because you get them and send them back whenever you go to a page where the advertiser advertises. You can get a cookie at Slashdot, and send it back when visiting the New York Times, or vice versa.

    A simple (but not completely accurate) rule of thumb is: If the cookie comes from a server other than that found in the URL of the site and contains identifying information, then it's a tracking cookie.

    --
    The Tao of math: The numbers you can count are not the real numbers.
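The rule of thumb in the comment above, written out as a small audit check. This is an added example, not part of the original thread; the `.example` hosts, the cookie values and the 16-character "identifier" threshold are constructed assumptions, and the two-label site comparison is an approximation.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def site_of(url):
    """Approximate the registrable domain as the last two host labels.
    Assumption: real tooling would consult the Public Suffix List instead."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def flag_tracking_candidates(page_url, responses, min_id_len=16):
    """responses: (response_url, Set-Cookie value) pairs seen while loading page_url."""
    page_site = site_of(page_url)
    flagged = []
    for response_url, set_cookie in responses:
        if site_of(response_url) == page_site:
            continue  # first-party: set and read only on the visited site
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            # A cookie with no Max-Age/Expires disappears when the browser closes.
            persistent = bool(morsel["max-age"] or morsel["expires"])
            # Heuristic stand-in for "contains identifying information".
            if persistent and len(morsel.value) >= min_id_len:
                flagged.append((site_of(response_url), name))
    return flagged


# Constructed sample: one page load on a news site that embeds an ad server.
SAMPLE = [
    ("https://www.news.example/article", "sid=9f2c41aa03b7d6e5; Path=/; HttpOnly"),
    ("https://static.news.example/app.js", "lang=en; Max-Age=31536000"),
    ("https://ads.adnet.example/pixel.gif", "uid=7b1e0c55a9d34f0e8c21; Max-Age=63072000; Path=/"),
    ("https://cdn.widgets.example/w.js", "theme=dark; Max-Age=86400"),
]

if __name__ == "__main__":
    print(flag_tracking_candidates("https://www.news.example/article", SAMPLE))
```

As the comment says, the rule is not completely accurate: the check only lists candidates for a human to review.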
  7. Re:Great move, Sweden. by indeterminator · · Score: 4, Insightful

    You only need one cookie for all features if your site is competently designed: the one for tracking the user's session. Everything else should be stored on the server side anyway because you should never trust the client.

    There are perfectly valid reasons (not involving cross-site tracking) to use more than one cookie. If a session identifying cookie is used to identify a user account and grant privileges, it's usually a good idea to make that cookie disappear when the user closes his browser (i.e. a 'session' cookie). However, the user may have additional preferences on the site which are not personally identifiable, but for which it makes sense to store and use the setting even when the user is not logged in, for example, language selection on multilingual sites. Trusting the client is also a non-issue for things that are mapped to a single item from a set of possible choices (as long as the code implementing the parsing is reasonably sane).

    (And for the Accept-Language header, try explaining to a client how they can change it. Or how to install a browser where they actually can change it.)

    And while we're on the subject, it takes only fractionally longer for most users to make a POST request than to just do an HTTP GET, so unless your site is stupid and slow or your users are then you don't need ANY cookies. A quality CMS will degrade. If yours doesn't then it isn't.

    Clicking on a link in a browser will cause an HTTP GET. Maintaining a session with URL parameters makes the URLs much less user friendly, and opens up a possibility for trivial social engineering exploits (e.g. lol paste your url here I'll have a look!).
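The two-cookie setup described in the comment above, as an added example that is not part of the original thread: a browser-session login cookie next to a persistent language preference that is mapped onto a fixed set of choices. The cookie names `sid` and `lang`, the supported languages and the one-year lifetime are assumptions.

```python
from http.cookies import CookieError, SimpleCookie

# Assumption: the languages this hypothetical site supports.
SUPPORTED_LANGS = {"sv", "en", "fi"}
DEFAULT_LANG = "en"
ONE_YEAR = 365 * 24 * 3600


def build_set_cookie_headers(session_id, lang):
    """Return Set-Cookie values for a login session and a language preference."""
    jar = SimpleCookie()
    # Session identifier: no Expires/Max-Age, so the browser drops it on close.
    jar["sid"] = session_id
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True   # not readable from page scripts
    jar["sid"]["secure"] = True     # only sent over HTTPS
    jar["sid"]["samesite"] = "Lax"
    # Preference: persistent and not identifying, usable while logged out.
    jar["lang"] = lang
    jar["lang"]["path"] = "/"
    jar["lang"]["max-age"] = ONE_YEAR
    jar["lang"]["samesite"] = "Lax"
    return [morsel.OutputString() for morsel in jar.values()]


def language_from_cookie_header(cookie_header):
    """Map the client-supplied 'lang' cookie onto the allowlist, else the default."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return DEFAULT_LANG
    morsel = jar.get("lang")
    value = morsel.value.strip().lower() if morsel else ""
    # The raw value never reaches a file path, template or query.
    return value if value in SUPPORTED_LANGS else DEFAULT_LANG


if __name__ == "__main__":
    for header in build_set_cookie_headers("abc123", "sv"):
        print("Set-Cookie:", header)
    print(language_from_cookie_header("lang=../../etc/passwd; sid=abc123"))
```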