The laws don't define cookies narrowly. Just because you're not using an HTTP Set-Cookie header doesn't mean you've circumvented privacy laws. For example, UK law:
6. - (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
Agreed, the new EU ePrivacy directive is not about "cookies" per se, but storing and re-accessing data you store on people's computers. Cookies are the main example of that, but it also applies to anything that can re-identify a user.
In a sense the "Cookie law" is a confusing misnomer. Not only "cookies", but also local storage, flash cookies, plugins, toolbars, and even resources like images, HTML, CSS and JS fall under this law.
The Dutch minister spoke of (freely translated): "Everything that reads or stores your data on your appliance, without permission, without a functional goal other than tracking".
Some techniques like browser fingerprinting (https://panopticlick.eff.org/, but also possible with http://modernizr.com/) don't store anything on your appliance, but would still fall under the "reading your data from your appliance" part of our law, if used for tracking purposes.
You would need permission to use the "grey" technique from the article. Even if you were to store that data in aggregated form.
If I write a site that logs users in, I keep track of them merely by storing their username in a database as well as a cookie value representing that they are logged in, so do they need to accept terms before logging in?
The law covers storing data on a user's computer. If you record their personally identifying information (i.e. user agent) on your computers, then that might fall under the decades old data protection directive in EU.
Also if someone does not consent to storing data on their computer and it's necessary to store it to get it to work, then they cannot use your site. The law doesn't require that your site work fine without local data. That would be silly.
The more common way to do this is to stuff data in the ETags or Last-Modified date on a cacheable piece of content. This "hack" is at least a decade old, by the way.
Kissmetrics was actually using it in the wild for a while, but I think they stopped after there was a public outcry.
Demo site appears down, but I get the gist of it. It's just abusing browser caching.
Rather than a bunch of ad networks and analytics companies finding workarounds, I'd rather sites just stand up to this obviously flawed rule. It's ill thought out, and I have no plans to offer one of those annoying "Hey, this site uses cookies, just like every other site on the internet!" alerts.
So in your opinion the flaw with the rule is that it violates your natural right to store cookies on your visitors browsers without asking?
If your visitors have to log in you might as well show them such a message. If they don't have to log in, there is probably also no reason for them to accept your cookies.
While almost every site on the Internet uses cookies, most of them are of no benefit to a visitor. And yes, technical solutions exist, but they are not really suitable for a vast majority of the population that simply does not know about cookies, and which cookies to accept.
It's not a natural right, it's a technical right. It's a fundamental storage mechanism of browsers. It means you don't have to log in every time you browse to my site, or you don't have to enter your birthday every time you want to browse mature content. It means advertisers are delivering the right ads, and that site owners can see where the bounce rates are highest for users and fix that page. Cookies are important, and the web functions better with them enabled and accessible to site owners.
Personally, I get annoyed when I'm badgered by notices, and sometimes even modal windows, for cookie notices. Of course your site uses cookies, it's just like every other site on the web. I shouldn't have to agree to a notice every time I visit a new domain. I have a browser toggle and if cookies offend me for some reason I can disable them.
No site can force you to set their cookies - you can simply turn that option off in your browser. You can even whitelist just the sites you trust, or blacklist just the sites you don't trust.
Not that you can really tell, anyway - it's impossible to know just by looking at a cookie what it's really being used for, or what data on you is being tracked. There are certainly good reasons to give cookies to users that have not logged in yet, though - one example that springs to mind is a CSRF token.
Lastly, what is this meant to achieve? The aim is to crack down on activity that was already illegal before this law came in. Sites that were doing naughty things and tracking users illegally aren't exactly going to stop because they now have to show a notice about cookies. Before the law came in I said "they'd just not bother showing the notice" but frankly, they could abide by it - users would just click "yes" anyway out of habit!
My problem is that since it came into force, every website bothers me with these popups and of course most of the time you click 'yes' because you wanted something off the website and clicking 'no' probably won't help you get it. The flaw is that while they seemed to expect that lots of companies would stop using cookies on their websites, instead you just get these damn popups from them all to which 99% of everyone is clicking 'yes' because even asking that kind of question is not really suitable for a vast majority of the population that simply doesn't know about cookies.
It hasn't significantly improved privacy for anyone but has made the Internet a bit more annoying.
This paper on browser fingerprinting shows that it is possible to identify a particular user, with reasonably high reliability, without using cookies or other tricks: https://panopticlick.eff.org/browser-uniqueness.pdf
I agree with paulsutter - this does not comply with the law, nor do any of the hacky workarounds that I've seen mooted (except perhaps server side log file analysis - old school). I've added a comment to that site, which is awaiting moderation.
Is it just me being perfectionist, or does needing to OCD your cookie data down to census level indicate that maybe your business model needs a little work? Are there certain niches where this degree of tracking is really necessary?
Unless you want to get sued (http://www.extremetech.com/internet/91966-aol-spotify-gigaom...), I would avoid doing this until the legal grey area surrounding non-cookie tracking is resolved. I suppose you might be able to get a user to "agree" to this if you have them agree to a ToS when they sign up, but even then I'm not too sure of that.
http://www.aboutcookies.org/default.aspx?page=3
6. - (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.