I sense a break in ranks in the UK digital rights movement with the announcement by Alexander Hanff of Privacy International that the UK will be implementing an EC law that prevents any website using a browser cookie without your consent, and that the government is likely to reject browser settings as an adequate consent mechanism.
Or maybe I'll simply be outcast for daring to suggest that a useful browser feature should not be blamed for a bad practice that happens to use that feature.
So much needs to be written on this that I will start with a brief summary of my main points and update later. For now, apologies, you'll have to rely on a search engine if you need the background facts. If you disagree, or I've got anything wrong, get in touch or leave a comment.
Problem 1: how can a website remember that a user does not consent to a cookie being stored on their machine if, in the absence of consent, the website is not allowed to set a cookie?
This isn't a tree falling in the woods philosophical conundrum, it's a hard technical problem. You visit a website, it asks "do you consent to me using cookies?". You click no, the pop-up goes away and you get your first page. You then click to a second page on the site. You get the same pop-up again. And again, and again.
If a site can't set a cookie without consent, it can't distinguish between new visitors and previous visitors who've said no. It can't rely on the IP address for this, as more than one individual user can share a single IP address.
This is why browser preferences are a good technical solution. If anything, the EC should have spent the last 8 years working with the tech community on the problem, rather than drafting laws. If the browser controls were more prominent, and easy to use, it would help.
Maybe as a last resort, laws could force websites to indicate that your current browser setting allows tracking. But laws should be there as a backstop, see my later points.
UPDATE: courtesy of @nevali I'm reminded of a solution to this: putting session identifiers back into the URL, like we (those of us writing websites prior to universal adoption of cookies by all browsers around 1997) used to do. This is nasty, brings its own problems, and will require EU websites to use software different from the rest of the world. See next point.
Problem 2: it's a global market
How do we regulate websites operated from outside the EU? Block them? I think not: that would need a massive censorship operation! We can prevent EU companies from using them. But then that may lead to a cost overhead for companies operating within the EU that companies outside the EU don't face.
Problem 3: cookies are inherently good
The technical standard describing how cookies work (RFC 2965) is inherently privacy-friendly, and should, if implemented rigorously, prevent tracking of users between different websites. I'll expand on this later, but essentially cookies can't be set on top-level domains (TLDs). And cookies are inherited by sub-domains, but not super-domains, meaning subdomains can see cookies set by the parent website, but the parent website can't see the cookies of its children.
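To make the scoping rules concrete, here is an added example (my own code, not from the original post or from any browser) that implements the RFC 2965 domain-matching rule and the Set-Cookie2 rejection rules from section 3.3.2 of that RFC. It shows that a Domain of `.com` is rejected outright, that a cookie set by `www.example.com` for `.example.com` is sent to every host under `example.com`, and that a cookie scoped to `sub.example.com` is never sent to the parent `example.com`. The host names are constructed for the example. Note one quirk of the strict RFC 2965 reading that the code preserves: `example.com` itself does not domain-match `.example.com`, so the bare parent host cannot set a domain-wide cookie under this rule; real browsers, and the later RFC 6265, are more permissive on that single point.

```python
"""RFC 2965 cookie domain scoping, worked through in plain Python.

Assumptions: host names are the constructed examples used in the tests;
the rules follow RFC 2965 sections 1 (domain-match) and 3.3.2 (rejection).
"""
from typing import Optional, Tuple


def effective_host(request_host: str) -> str:
    """RFC 2965: a host name with no dots gets '.local' appended (e.g. 'intranet' -> 'intranet.local')."""
    host = request_host.lower()
    return host if "." in host else host + ".local"


def domain_match(host: str, domain: str) -> bool:
    """RFC 2965 s1 domain-match.

    A host domain-matches a domain when they are identical, or when the domain
    starts with a dot and the host ends with it with a non-empty prefix in front.
    So 'www.example.com' matches '.example.com', but 'example.com' does not.
    """
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def accept_cookie(request_host: str, domain_attr: Optional[str]) -> Tuple[bool, str]:
    """Apply the RFC 2965 s3.3.2 rejection rules to a Set-Cookie2 Domain attribute.

    Returns (accepted, effective_domain_or_reason). A cookie without a Domain
    attribute is a host-only cookie scoped to the exact request host.
    """
    host = effective_host(request_host)
    if domain_attr is None:
        return True, host
    domain = domain_attr.lower()
    if not domain.startswith("."):
        domain = "." + domain  # the user agent supplies the leading dot

    # Rule: Domain has no embedded dot and is not '.local' -> reject.
    # This is what stops anyone setting a cookie on a TLD such as '.com'.
    if "." not in domain[1:] and domain != ".local":
        return False, "domain has no embedded dot (would be a top-level domain)"

    # Rule: the request host must domain-match the Domain attribute,
    # so 'www.example.com' cannot set a cookie for '.other.com'.
    if not domain_match(host, domain):
        return False, "request host does not domain-match Domain"

    # Rule: the part of the host in front of Domain must contain no dots,
    # so a cookie may only be set one label above the request host.
    prefix = host[: -len(domain)]
    if "." in prefix:
        return False, "request host is more than one label below Domain"
    return True, domain


def would_send(request_host: str, cookie_domain: str) -> bool:
    """Would a cookie stored with this effective domain be attached to a request to request_host?"""
    return domain_match(effective_host(request_host), cookie_domain)


if __name__ == "__main__":
    # Constructed walkthrough: parent sets a domain cookie, child sets a host-only cookie.
    print(accept_cookie("www.example.com", ".com"))           # rejected: TLD
    print(accept_cookie("www.example.com", ".example.com"))   # accepted
    print(would_send("shop.example.com", ".example.com"))     # True: subdomains inherit
    print(accept_cookie("sub.example.com", None))             # host-only cookie
    print(would_send("example.com", "sub.example.com"))       # False: parent can't see child's cookie
```

`accept_cookie` is the check a compliant user agent makes when a response arrives; `would_send` is the check it makes before attaching stored cookies to a request. Run together they show why the post calls the standard privacy-friendly: scope can only widen by one label, never to a TLD, and never downwards from a child to its parent.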
Problem 4: the EC should be harmonising laws, not creating new laws
The EC usually gets involved when laws need to be harmonised amongst member states, and in this case the EC law usually reflects a middle-ground between member states. This directive has somehow crept in, probably because measures are introduced in massive packages that make debate even harder, on what is already a complex subject.
The cookie law is a new law that no other member state currently has. Action from the EU to address the massive implications of data gathering on an industrial scale is admirable, but this particular law is daft.