<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Fortunately this updated directive does NOT target cookies that are
placed/read in order to provide the basic service requested by a
user.<br>
<br>
But it is causing great concern to people providing services such as
third party advertisement and analytics tracking users (or rather
devices) across the internet.<br>
<br>
One problem is that the directive itself is (mildly stated) very
unclear and the national implementation efforts so far totally
uncoordinated. Thus it is likely that the directive will be
interpreted and legally implemented in about 30 different ways
across Europe. This may imply significant localization efforts for
international content providers and e-commerce sites.<br>
<br>
Another major problem is that a publisher (e.g. newspaper) currently
often does not know or control the individual media agencies or
advertisers who may place cookies on a user's computer while the end
user is visiting the publisher's site. According to legal people it
is the owner of the visited site who must manage the consent for all
third party cookies. This means that even if the third party service
provider gets a user's global accept for tracking the user, such a
consent would not in itself be legally adequate for the publishing
site.<br>
<br>
Also this is not convenient for a user who might have allowed e.g.
an analytics service at 1000 sites before he decides to disallow its
tracking entirely. So maybe this can end up being a good business
case for OAuth / UMA, allowing the user centralized consent
management for the sites they visit as well as for the third party
services relating to these sites. At least I will try to influence
the Danish draft decree (core part provided below in English
translation, public hearing ends 1 April) in a way that makes this a
viable option.<br>
<br>
---------------- Core part of the proposed Danish decree of the
Directive ---------------<br>
<b>§ 3</b> Natural or legal persons may not store information or
gain access to information already stored in an end user's terminal
equipment, or enable third parties to store information or gain
access to information if the end user does not give consent after
receiving adequate information about the storage of or access to
data.<br>
<br>
Paragraph 2. Consent, cf. 1, means any freely given specific and
informed expression of will, by which the end user agrees to the
storage of data or access to already stored information in the end
user's terminal equipment.<br>
<br>
Paragraph 3. Information, cf. 1, is appropriate when it, as a
minimum,<br>
<br>
1) appears in a clear, concise and understandable language, or
alternatively by means of pictures,<br>
<br>
2) contains information about the purpose of storage of or access to
data in the end user's terminal equipment<br>
<br>
3) contains information about how long the information is intended
to be stored in the end user's terminal equipment<br>
<br>
4) contains information about the name of any natural or legal
person who stores or accesses the information<br>
<br>
5) provides a readily available access for end users to refuse
consent or revoke consent to the storage of or access to data and
clear, precise and understandable instructions on how the end user
uses such access and<br>
<br>
6) is readily available by a full and clear disclosure to the end
user. Moreover, information about storage or access to information
on the end user's terminal equipment through an information and
content service must be permanently, directly and easily accessible
to the end user of the information and content services.<br>
<br>
<br>
<b>§ 4</b> Notwithstanding § 3, natural or legal persons may store
information or gain access to information already stored in an
end user's terminal equipment, if<br>
<br>
1) the storage of or access to information has the sole purpose of
transmitting communications over an electronic communications
network or<br>
<br>
2) the storage of or access to data is required to enable the
provider of an information and content service, explicitly requested
by the end user, to deliver this service.<br>
<br>
Paragraph 2. Storage of or access to information in an end user's
terminal equipment is required, cf. 1, No. 2, if the storing of or
access to information is a technical requirement to provide a
service that works in accordance with the purpose of the service. <br>
----------------------- End -------------------------------<br>
<br>
=henrik
<br>
By 09-03-2011 15:55, John Bradley wrote:
<blockquote
cite="mid:EB8BE0CE-FF88-4C4F-8AF8-644037F9B12D@ve7jtb.com"
type="cite">Something to keep in mind with respect to session
management.
<div><br>
</div>
<div>Without seeing the regulation it is hard to know what to make
of it.</div>
<div><br>
</div>
<div>I suppose every site in the EU might have to ask for
permission to create a session cookie on the person's computer
before letting them in.</div>
<div><br>
</div>
<div>I can't think of any alternative other than mutual TLS to do
it.</div>
<div><br>
</div>
<div>Though now that I think about it, it could be a way to push
e-id cards?</div>
<div><br>
</div>
<div>John B.<br>
<div><br>
<div>Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite"><span class="Apple-style-span"
style="border-collapse: separate; font-family: Helvetica;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: 2; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
font-size: medium;"><font size="4"><font face="Verdana,
Helvetica, Arial"><span style="font-size: 10pt;"><br>
<a moz-do-not-send="true"
href="http://www.scmagazineuk.com/new-laws-on-cookies-will-come-into-effect-from-25th-may/article/197821/?DCMP=EMC-SCUK_Newswire">http://www.scmagazineuk.com/new-laws-on-cookies-will-come-into-effect-from-25th-may/article/197821/?DCMP=EMC-SCUK_Newswire</a><span
class="Apple-converted-space"> </span><br>
<br>
<b>Websites will have to gain ‘explicit consent'
from visitors to store or access information on
their computers from 25th May.<br>
</b><br>
A new European e-Privacy directive has been
announced today and will affect any business
tracking users via their cookies online. Exact
details from the Department for Culture, Media and
Sport (DCMS) are currently being drawn up and will
not be available until the end of May, but
enforcement and penalties are not expected in the
short term as businesses are given a window to
‘address their use of cookies'.<br>
<br>
The new law is an amendment to the EU's Privacy and
Electronic Communications Directive and will require
UK businesses and other organisations to obtain
consent from visitors to their websites in order to
store and retrieve usage information from users'
computers.<br>
<br>
Speaking today, the Information Commissioner
Christopher Graham warned UK businesses and other
organisations running websites that they must ‘wake
up' to the EU legislation.<br>
<br>
He said: “While the roll out of this new law will be
a challenge, it will have positive benefits as it
will give people more choice and control over what
information businesses and other organisations can
store on and access from consumers' own computers.<br>
<br>
“We are proactively working with the government,
businesses and the public sector to find a workable
solution. We recognise that the internet as we know
it today depends on the widespread use of cookies
and there are of course legitimate business reasons
for using them. So we are clear that these changes
must not have a detrimental impact on consumers nor
cause an unnecessary burden on UK businesses. One
option being considered is to allow consent to the
use of cookies to be given via browser settings.<br>
<br>
“Once the new regulations are published there will
be a major job of education and guidance to be
undertaken. In the meantime, both the business
community and public sector organisations need to
start thinking clearly about how they will meet the
requirements of the new directive.”<br>
<br>
The Information Commissioner's Office will be
responsible for regulation, while the Department for
Culture, Media and Sport will lead on the
implementation of the new measures in the UK.<br>
<br>
Minister for culture, communications and the
creative industries, Ed Vaizey, said: “Revisions to
the e-Privacy directive will provide consumers with
more choice and control over their internet
experience. But at the same time we need to make
sure these changes do not make using the internet
more difficult.<br>
<br>
“Businesses need to be working to address the way
they use cookies. We recognise that work will not be
complete by the implementation deadline. The
government is clear that it will take time for
meaningful solutions to be developed, evaluated and
rolled out.”<br>
<br>
</span></font></font></span></blockquote>
</div>
<br>
</div>
</blockquote>
</body>
</html>