Come to think of it, a malicious company could probably set up their systems so they get auto-confirmed by the plugin. I'm not sure they'd be valid in that case.
Similar attacks: load the fine print via JS and stick it into an /ads/advertisement.js so adblockers will block the loading of it.
Can the company claim "we showed it to the user, if their software hides it, that's not our problem"?
No, the user did not consent. They have to be aware of such systems, not game it. The intent and the consent have to be clear to both parties. Agreement is about respect, not about malice. If a consent is maliciously hidden away, no matter how technically, then it's not valid. Law is not binary in these cases, it's all about the circumstance.
That's what I figure, but how does that work for e.g. Cookie Consent? The user has a plugin that just clicks "Accept" on the consent overlay. They don't read the consent, they're not aware of what they consent to specifically.
Is their (or their plugin's, acting as their agent) consent valid because they know about the general framework (tracking cookies)? And would that consent depend on the overlay not including any surprising terms (e.g. "you're also buying a washing machine", "you're also allowing us to mine crypto in your browser" or "we may also use browser fingerprinting, not just cookies")?