Spain begins disciplinary proceedings against site for violating Cookie Law

Sorry for submitting a Google Translate link. It&#x27;s not doing a perfect job on a legal text but I didn&#x27;t find any source in English. This is a blogpost of the lawyer taking this case, and the client name is unknown yet.<p>Here&#x27;s my summary of some facts (IANAL!):<p>- The cookies being investigated are from Google Analytics, Google Maps, YouTube, Adsense and WordPress.<p>- The website was setting the cookies in the browser <i>and then</i> showing a popup warning the user that the site used cookies and that if they didn&#x27;t want them they could delete them.<p>- The AEPD is a governmental organization which watches over personal data and privacy infringements. If a company infringes your rights as a citizen, you submit a complaint to the AEPD, and they can investigate and fine if necessary.<p>- The AEPD states that the fine is imposed because the website should not set any cookies <i>until the user had accepted the warning</i>.<p>- The Spanish law being used here is RD 12&#x2F;2012, which was created using the 2009&#x2F;136&#x2F;CE EU Directive as its framework.<p>- The fine is still not final. They can still present allegations.

The last place I worked was a Swiss organization that built web sites for the European Commission. Dealing with the EU cookies directive was an amazing waste of brain cells for everyone on the team.<p>For instance, were we allowed to ignore it because we were Swiss (non-EU)? If not, which version of the law were we required to comply with? For instance, the UK implementation of the law says that you can assume &quot;implied&quot; consent if the user ignores your popup altogether. However, the Dutch version of the law is much stricter - the user must click &quot;I accept&quot; before you can save any cookies. And the French version of the law allows for lots of exceptions, e.g. for setting the user&#x27;s preferred language.<p>Plus, we needed a cookie just to store whether or not the user clicked &quot;yes&quot; or &quot;no,&quot; so in effect we were forced to break the law no matter what we did. (The only alternative would be to show the &quot;no&quot; users the popup every time they came back to the site, since we were supposed to forget that they had even clicked &quot;no&quot;...)<p>So all in all, it was a huge mess. In the end we just copy-pasted a JQuery plugin from GitHub and chose the strictest setting. Now our site is uglier, it&#x27;s more confusing to users, and we still have to cross our fingers that we didn&#x27;t miss a corner case in Bulgaria or something.

Has there been any work done at all to standardize this process and allow users to opt-in to cookies at a browser level, so that we can all stop seeing this stupid warning? would that even be allowed under the law?<p>i tried to download a firefox extension called &quot;cookiesOK&quot;, but it doesn&#x27;t seem to work in most cases.

Mentioned in the article: Spanish business using Facebook pages could be non compliant to this law. Same with others using wordpress, blogger, tumblr and so on since tracking cookies are been installed without a previous user acceptance. Also note that the business is liable for this, not the hosting service provider.<p>I wonder how far hosting provider definition goes. If twitter is used in a company marketing strats, is it liable for the cookies installed by twitter? I don&#x27;t see it different from the facebook pages cited example.<p>The only practical option given this is to stop using those providers.

Actually, most warning implementations punish those users that disable cookies in their browsers by forcing them to see the obnoxious warning every time they visit the site.<p>This is arguably worse than the previous situation.

I am surprised - isn&#x27;t this what we want? Instead of secrecy, governments warn <i>everyone</i> they are being tracked online. And we moan about it. It wrecks the UI, it is annoying. Folks - this is the Snowden debate, but without the security services.<p>Yes they should have got into the RFC &#x2F; IEEE debates (which are fast becoming laws of their own), yes they should be doing it better. Yes they should stop monitoring everyone.<p>But they are at least starting the debate. And not on an obscure tech forum, or in dusty volumes of proceedings, but right there, in everyone&#x27;s face.<p>And until we find a way to make privacy and surveillance and technology triggers in every politician&#x27;s Skinner box, then its probably the best start we can get.

Is there an open source JavaScript snippet somewhere that I can put on my page and it shows a pop up prompting users to accept cookies?

Does this impact only sites hosted in EU? Or with a domain from an EU country?

Is this message only required on commercial sites? Or do I need to display the cookie UI whenever I have any kind of html on the web that uses Google analytics (i.e. cookies)?

Yikes. I&#x27;m generally in favor of web privacy, but with unemployment numbers like theirs, that seems like the last thing Spain needs right now.

So if I&#x27;m outside of Spain I don&#x27;t need to care about this?

Don&#x27;t the have anyhing more important to do? like, e.g.(creating the 6M jobs they desesperately need)

My web-sites will say - &quot;This site uses cookies ... If you agree, please leave.&quot;

How does one store that a user opted out of cookies?

This is a shambles.