by privacylawthrow 1967 days ago
Some tools call APIs from a whole bunch of ad networks. That 60 seconds is likely spent getting opt out cookies from dozens of different ad network domains.
6 comments

Why is the “opt out cookie” necessary? Why can’t they just assume that anyone who doesn’t have an opt in cookie hasn’t opted in and can’t be tracked? Isn’t the opt out cookie itself a form of tracking? If you have the cookie I know you’ve been to a site I advertise on/track/am affiliated with.
I agree with your point here; it's in the spirit of GDPR: unless expressly permitted, the sites must assume that the user has opted out. The ad agencies with their cookies have it backwards.
The opt out cookie was created by ad networks prior to GDPR when many EU countries allowed for opt in by default. The opt out cookie was the tool to allow users to opt out. It still has value today as it allows an ad network to remember a user's choice not to be tracked.

The opt out cookie is set by the advertiser, not the publisher, and the contents of the cookie have generic text like "OPT OUT".

TrustArc's doesn't, or at least didn't the last two times I inspected it deeply. It is possible to reproduce this claim by checking the browser inspector Network tab and by debugging through the source code: it's just a bunch of setTimeouts.

Not to mention that if there were any hypothetical API calls those could be made asynchronously after closing the modal.

It's purely a dark pattern.

>Not to mention that if there were any hypothetical API calls those could be made asynchronously after closing the modal.

If you did that, users wouldn't be able to see whether their opt out was successful.

You should be opted out by default. The "Allow All" is the one that could in theory need to make N separate opt-in requests.
It should not matter if they're following the law. Failure to access some API doesn't mean the user consented.

Like the sibling poster said, the default should be opt-out.

It's not as if this TrustArc modal is some old product that was repurposed for GDPR. This is all planned and done in bad faith, period. It's a dark pattern.

Users can't see if their opt-out is successful in any case, only that their preference was submitted.
So (in this hypothetical), it's sharing your data with ad networks, in order to not share your data with ad networks?

That seems really wrong.

I thought so as well but if I recall correctly someone explicitly disproved that. Should be fairly easy to confirm by checking the traffic in the network tab - unless the ad networks themselves take 60 seconds to respond there should be no reason for that much delay.
Still not acceptable to make a worse experience when the consent is rejected.

They'd need to queue those things and process them async later, or find a solution that doesn't need those requests at all.

Doesn't GDPR require opt-in for tracking?

So as long as you didn't interact with the banner, _every_ page load should take ~60s?

Of course they have to track that they aren’t tracking you, or else you would get the consent banner repeatedly on every page load.
The actual way this should be implemented, if they wanted to be morally irreproachable, would be this: a consent popup always available, tucked down somewhere in the corner of the site. It defaults to opt-out from everything, you can click on it to expand it if you want to opt into something.

An acceptable option is to pop up a consent form as needed, and set a cookie recording whether the user made a consent decision. That can be classified as an essential cookie to fulfill a legal obligation.
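
The design several comments above converge on (treat a missing opt-in as a denial, and keep a single cookie that records whether a decision was made) can be sketched as follows. This is an added example, not part of the thread and not any vendor's code; the cookie name, purpose names, JSON value format and lifetime are assumptions.

```javascript
// Added example: default-deny consent resolution. The cookie name, the
// purpose list and the JSON value format are assumptions for this sketch.
const CONSENT_COOKIE = "consent_decision"; // hypothetical first-party cookie
const PURPOSES = ["analytics", "advertising"]; // hypothetical purpose names

// Parse a Cookie header into a name -> value map; bad pairs are skipped.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    try {
      jar.set(name, decodeURIComponent(part.slice(eq + 1).trim()));
    } catch (_) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return jar;
}

// Resolve consent. Anything other than an explicit, well-formed `true`
// for a known purpose is a denial; a missing or corrupt cookie means no
// decision was recorded and nothing is granted.
function resolveConsent(cookieHeader) {
  const denied = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  const raw = parseCookies(cookieHeader).get(CONSENT_COOKIE);
  if (raw === undefined) return { decided: false, grants: denied };
  let stored;
  try { stored = JSON.parse(raw); } catch (_) { stored = null; }
  if (stored === null || typeof stored !== "object" || Array.isArray(stored)) {
    return { decided: false, grants: denied };
  }
  const grants = { ...denied };
  for (const p of PURPOSES) grants[p] = stored[p] === true;
  return { decided: true, grants };
}

// The banner is needed only while no decision is on record.
function shouldShowBanner(cookieHeader) {
  return !resolveConsent(cookieHeader).decided;
}

// Record a decision (including "reject all") in one first-party cookie,
// so rejecting needs no per-network requests. Lifetime is an assumption.
function serializeDecision(choices) {
  const clean = Object.fromEntries(PURPOSES.map((p) => [p, choices[p] === true]));
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(clean))}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}
```

With this shape, "reject all" is a local write that completes immediately, and a tampered or unreadable cookie falls back to showing the banner with nothing granted.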