Hi Hugo,
Hugorm wrote: Unfortunately I'm not convinced that § 3 agrees.
Google translates this as:
Saving or access information in the terminal equipment
§ 3 Natural or legal persons shall not store information or gain access to information already stored, in an end-user terminal equipment or allow third-party store information or gain access to information if the end user does not consent, after having received complete information about storing or access to information.
The only potential with Privacy_XH is the wording "gain access to information already stored". Of course Privacy_XH has to check whether the cookie "privacy_agreed" is already set. If that's not allowed, that means you are not even allowed to use any cookies at all. The problem persists even if you set up an intro page which doesn't use a content management system at all. Even there it has to be checked whether the cookie is set. The alternative solution I'd posted on Tuesday does it this way.
The only alternative to checking for a cookie would be to use a GET or POST parameter which signals that the consent has been given. E.g. after the user gives his consent, a request in the following form has to be sent:
http://www.example.com/?consent=yes. But then somebody could post this URL somewhere, and everybody who clicks the link would be identified as someone who has already given his consent. A POST parameter would be somewhat safer, but even then somebody could set up a web form somewhere which will request the foreign domain with the wrong information that consent has already been given. And then it's quite unclear who is guilty (at least the webmaster has not explicitly got the informed consent before cookies are read and written).
To state it again: this clause seems to forbid the use of cookies at all. But this could have been explained in simpler words.
Hugorm wrote: you need some kind of unblockable 'pop-up' obtaining the accept-cookie.
It's not possible to have an unblockable pop-up. Everything done with some client-side technology could be blocked. Even a fixed-positioned <div> that covers the complete browser viewport won't work if the user chooses his own styles, or the browser ignores CSS altogether (e.g. Lynx). And even if it were possible, the problem remains: it has to be checked whether the cookie was already set.
Coming back to the mentioned § 3: in the strictest sense of interpretation, this only prohibits client-side access (e.g. by JavaScript) to information stored in the terminal, or storing information there with some client-side technology, as no server-side technology (e.g. PHP) is able to gain access to this information or to change it. The server can only access what is sent by the client, and it can only send back the "request" to store some information in the client.
To determine what is actually meant by this paragraph, one probably has to read the complete text of the law.
Christoph
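
Added example, not part of the post above and not Privacy_XH code: a PHP sketch of the server-side view the post describes, where the server decides only from what the client sent, ignores a `consent` GET parameter, and accepts a consent POST only when the browser's `Origin` header names its own site. The cookie name `privacy_agreed` and the `consent` parameter come from the post; the function name, return labels, `SITE_ORIGIN` and `other.example` are assumptions, and the sample requests are constructed.

```php
<?php
// Added example (assumed names throughout); run with: php consent.php
const SITE_ORIGIN = 'http://www.example.com';

/**
 * Classify a request using only what the client sent.
 * The four arrays mirror $_SERVER, $_GET, $_POST and $_COOKIE.
 */
function consent_state(array $server, array $get, array $post, array $cookie): string
{
    // The server never reads the terminal: it only sees the Cookie header.
    if (isset($cookie['privacy_agreed'])) {
        return 'already-consented';
    }
    // A GET parameter can arrive through any link posted elsewhere.
    if (isset($get['consent'])) {
        return 'ignored-get';
    }
    if (($server['REQUEST_METHOD'] ?? '') === 'POST'
        && ($post['consent'] ?? '') === 'yes') {
        // Browsers attach Origin to form POSTs; a form hosted on another
        // site carries that site's origin. A missing header is rejected too.
        $origin = $server['HTTP_ORIGIN'] ?? '';
        return $origin === SITE_ORIGIN ? 'consent-recorded' : 'rejected-origin';
    }
    return 'no-consent';
}

// Constructed sample requests: [server, get, post, cookie].
$samples = [
    'first visit'   => [['REQUEST_METHOD' => 'GET'], [], [], []],
    'posted link'   => [['REQUEST_METHOD' => 'GET'], ['consent' => 'yes'], [], []],
    'own form'      => [['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => SITE_ORIGIN],
                        [], ['consent' => 'yes'], []],
    'foreign form'  => [['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://other.example'],
                        [], ['consent' => 'yes'], []],
    'no Origin'     => [['REQUEST_METHOD' => 'POST'], [], ['consent' => 'yes'], []],
    'cookie sent'   => [['REQUEST_METHOD' => 'GET'], [], [], ['privacy_agreed' => '1']],
];

foreach ($samples as $label => [$server, $get, $post, $cookie]) {
    printf("%-14s %s\n", $label, consent_state($server, $get, $post, $cookie));
}
```

Only the `consent-recorded` case would be followed by a `Set-Cookie` response header, which is the "request" to the client to store something.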