The EU Cookie Directive, the “privacy-hyped” piece of legislation that forces websites to display a “cookie-waring” for the sake of “privacy protection” is flawed by two weakness.
The first is technical: HTTP (the web, in other words) is not the only protocol around and – though admittedly there are a lot of people using it – there are other ways to use a network that don’t involve a browser. I know, the “command-line” era is gone (it actually is?), there are no “clients” anymore to chat or to do other stuff (there aren’t anymore, actually?) and so on, but what the EU Cookie Directive was built upon is simply a misunderstanding of how the Internet works. By focusing on a single, tiny piece of technology, the EU allowed the idea that technologies have to be regulated instead of the use that humans do of it.
The second mistake is legal: as soon as a network(ed) resource ‘s user is not identifiable than there are no personal data involved. Thus, the privacy of somebody who access a website without disclosing somehow his personal identity is not at stake. Of course I’m aware of the issues related to the anonymous profiling, the fact that no matter if I know exactly who you are, I’m nevertheless able to lure into your personal habits and so on.
But the law is made of both words and definitions: as much as you can stress one or all of them you can’t do it up the reverse the basic meaning of the rules – its ratio as the Latins scholars loved to say – i.e. no identification, no privacy protection. We may, rightfully, disagree on that and claim that a further protection is needed. But this doesn’t justify turn the law upside-down.