
Cookies are by far the most prevalent system for identifying which user made a given web request. This isn't just about advertising. Pretty much every site that supports "logging in" (including HN), and many sites that don't, use cookies to track user sessions.


How is that not covered by the following provision to the law?

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user


Have you ever seen two lawyers argue over what "strictly necessary" means? One would claim that ad serving cookies are always "strictly necessary" to an online business, the other would argue that cookies are never "strictly necessary" because you can replicate most cookie functionality with a "?sessionid=12354" header in a GET request.


Indeed, "strictly necessary" to achieve what? If it doesn't tell you then that leaves a hole the size of reality in the law through which many truckloads of lawyers' salary can pass.

Strange how all those lawyers aiding the writing of the law would miss such a thing ...!?!


> you can replicate most cookie functionality with a "?sessionid=12354" header in a GET request.

That is very, very risky. Let's say that [popular-site-with-logins] is hosted in EU and switches to ?sessionid=... style. Now people start sharing links to their content in the "normal" way (select URL, copy, paste) and suddenly you have problems with random users being logged in as someone else. (Or you have to limit the session to IP, which annoys mobile users.)
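
The failure mode described in the comment above, as an added example that is not part of the original thread: a session ID carried in the URL travels with a copied link, binding the session to an IP rejects the link but also locks out the owner on a new network, and a cookie-carried ID never enters the link at all. The session store, host name, and IP addresses are constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

SESSIONS = {}  # session id -> {"user": ..., "ip": ...} (toy in-memory store)

def login(user, client_ip):
    """Create a session and return its unguessable identifier."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    return sid

def user_for_request(url, client_ip, cookies=None, mode="url", bind_ip=False):
    """Return the logged-in user for a request, or None if unauthenticated."""
    if mode == "url":
        # Session id read from the query string: it is part of the link itself.
        sid = parse_qs(urlsplit(url).query).get("sessionid", [None])[0]
    else:
        # Session id read from the Cookie header: it stays in the browser.
        sid = (cookies or {}).get("sessionid")
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if bind_ip and session["ip"] != client_ip:
        return None  # mitigation from the comment: pin the session to one IP
    return session["user"]

def demo():
    # Constructed addresses from documentation ranges.
    alice_ip, alice_mobile_ip, bob_ip = "198.51.100.10", "198.51.100.99", "203.0.113.7"
    sid = login("alice", alice_ip)
    shared = f"https://example.test/post/42?sessionid={sid}"  # link Alice pastes
    clean = "https://example.test/post/42"                    # same link, cookie mode
    return {
        # Bob opens the pasted link and is treated as Alice.
        "url_shared": user_for_request(shared, bob_ip),
        # IP binding stops Bob...
        "url_shared_ipbound": user_for_request(shared, bob_ip, bind_ip=True),
        # ...but also logs Alice out when her mobile network changes her IP.
        "url_roaming_ipbound": user_for_request(shared, alice_mobile_ip, bind_ip=True),
        # With cookies the shared link carries no credential.
        "cookie_shared": user_for_request(clean, bob_ip, cookies={}, mode="cookie"),
        # Alice keeps her session across networks without IP binding.
        "cookie_owner": user_for_request(clean, alice_mobile_ip,
                                         cookies={"sessionid": sid}, mode="cookie"),
    }

if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```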


A web browser is not strictly necessary for an online business' customers. They could just telnet to the server.

A steering wheel in a car is not strictly necessary to drive it. Drivers could physically turn the tires.

And so on.




Yes. Sure, but they do so to provide some functionality the user actually wants. And if he does, you can ask him. When she's signing up would be the perfect time. Another checkbox you have to click. Annoying enough, but no big problem.

Sure, other (non-sign-up) functionality might also need cookies (changing font size, switching themes, the small things) and you might not want to annoy the user with stupid checkboxes for those kinds of stuff, but other than that?

I still don’t see the big scandal.


And every time I go to play a flash game it will have to ask me if it's allowed to remember where I'm up to in the game.


The law appears to ban only long term cookies, so you are still ok if you use session cookies (such as those used for logins) which expire when the browser is closed.

Now come the hacks: serve JavaScript with a unique id in it. Set the cache policy to never re-download, or recheck the file. Use your lawful (semi) permanent cookie.

The user obviously asked for the data to be stored, since it's part of caching.

Or am I going to have to ask the user before being allowed to cache anything locally?


If a user has an account (e.g. to log in) then surely you can make them consent to cookies to track their login in your terms of service?

Still think it's a nonsense law though ..



