by deugtniet 1549 days ago
It's pretty well known that cookie-walls are rife with anti-consumer patterns. Going to something like formula1.com requires me to click more than 100 times to object to the 'legitimate interests' of as many companies. Which is a pretty terrible anti-pattern when I don't want to be tracked at all...

After reading the abstract, it seems the authors try to classify cookies using a special browser extension called "CookieBlock" [1]. I hope they are successful, because I hate being tracked on the internet.

[1] https://github.com/dibollinger/CookieBlock

5 comments

TrustArc's consent popup disappears instantly on Accept All but shows a loading spinner for "up to several minutes" if you reject cookies. I emailed them about this (because in my experience it's only their software that implements such a dark pattern), they replied "customer misconfigured our software, not our fault" lol.
Honestly I think the GDPR/cookie consent providers should be held equally liable as the website owner for the collective violations facilitated by their product.

I think being able to go after the enablers and profiteers would make enforcement much easier.

An officially maintained list of legal/illegal libraries and services could help website owners to choose a known legal solution. Right now it's hard to expect website owners to 'do the right thing' when there's so much contradictory information out there.

> Honestly I think the GDPR/cookie consent providers should be held equally liable as the website owner for the collective violations facilitated by their product.

The EU is finally going after them: https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...

I do hope they get sued out of existence

If you did that, no one would be in that business lol
Is that a big loss? I can't picture anyone, outside of their employees and shareholders, who would be negatively affected by TrustArc disappearing overnight. I just checked their website and it seems like their entire business is GDPR pseudo-compliance targeted at businesses who can't legitimately comply with the GDPR.
I wonder if it's a really lazy and terrible attempt at accounting for how long the opt-out request would take. Let's imagine it has no way to know (because of cross-domain restrictions?) whether an opt-out request to a third-party succeeds - in which case it simply waits a reasonable amount of time for the request to complete. Of course, a reasonable time should be a handful of seconds, but I guess at least it makes sense that this is configurable and could explain the problem.

That's about the only non-malicious reason I can think of.

My understanding is that the preferences should not be an opt-out of a default setting per the GDPR, they should be preferences that are requested and then saved. So surely the opt-in setting would take just as long as the opt-out setting, wouldn't it?
The opt-in should technically take more time, since you shouldn't be sending PII data before the consent.

In the case of opt-out the only single thing that has to happen is setting a local cookie and closing the modal window, which are things that also happen when you accept.

You are right that technically opt-in should always take longer. No cookies should have been set until the user accepts.

But opt-out should not set anything. I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP. If you mean saving to LocalStorage, then I don't think that's allowed either.

> But opt-out should not set anything. I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP. If you mean saving to LocalStorage, then I don't think that's allowed either.

It is allowed for this case.

You must save a cookie (or a localStorage value) with the user preferences to avoid showing the cookie banner again. Simplifying: cookies are fine under GDPR as long as they don't carry PII (Personally Identifiable Information). You don't have to ask for consent to store those. They're called "Strictly necessary cookies" in GDPR lingo. (And, of course, you can't use any of those to track, though. Intent matters.)

And you can save cookies using a JavaScript API. That doesn't involve HTTP requests. The cookie will be sent to the server in future requests, though.

> You are right that technically opt-in should always take longer.

Hm... I suppose so, but negligibly. Setting cookies takes milliseconds, so there shouldn't be a significant difference from a user's perspective.

> No cookies should have been set until the user accepts.

That's not accurate. A number of different types of cookies can be set without consent, generally described as 'strictly necessary' cookies - these include cookies that are required for core functionality of the site, or those required to perform a service expressly requested by the user.

> But opt-out should not set anything.

It's a good practice to record the opt-out (or, that user has not opted in). This can be done as a cookie or using Local Storage. This allows you to do things such as only load third party embeds if the user has opted in, giving the 'opted out' user the option to conditionally opt-in for specific embeds without inconveniencing the 'opted in' user. As far as I understand, current thinking is that this type of preference being recorded falls within the scope of 'strictly necessary'.

> I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP.

That's not necessarily true. It is possible to use JavaScript to set and read cookies as a sort of local storage. It's definitely not what cookies were invented for, but technically it can be done.

> If you mean saving to LocalStorage, then I don't think that's allowed either.

GDPR does not care about the method of storage, so if you're allowed to store a cookie, you're allowed to set something in Local Storage (and vice versa).
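The two comments above (saving consent from JavaScript, and recording an opt-out so that third-party embeds load only after an explicit opt-in) can be put together in a few lines. This is an added example, not code from the thread or from any consent vendor; the cookie name `consent_prefs`, the category list and the one-year lifetime are assumptions.

```javascript
// Added example: a consent-preference cookie that records only the user's
// choice per category (no identifier, no PII), so it fits the "strictly
// necessary" category discussed above, and gates third-party embeds on an
// explicit opt-in. Cookie name, categories and lifetime are assumed values.
const CONSENT_COOKIE = 'consent_prefs';                 // assumed name
const CATEGORIES = ['analytics', 'ads', 'embeds'];      // assumed categories

// Encode the preferences as fixed-order category=0|1 pairs. Deliberately no
// user id or visit timestamp: the value is the same for every user who made
// the same choice, so it cannot be used to single anyone out.
function encodeConsent(prefs) {
  return CATEGORIES.map((c) => `${c}=${prefs[c] ? 1 : 0}`).join('&');
}

// Parse a Cookie header / document.cookie string. Anything missing or
// malformed yields null, which callers treat as "not opted in".
function decodeConsent(cookieString) {
  const entry = cookieString.split(';').map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!entry) return null;
  const value = decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1));
  const prefs = {};
  for (const pair of value.split('&')) {
    const [k, v] = pair.split('=');
    if (!CATEGORIES.includes(k) || (v !== '0' && v !== '1')) return null;
    prefs[k] = v === '1';
  }
  for (const c of CATEGORIES) if (!(c in prefs)) return null;
  return prefs;
}

// Gate for a non-essential resource: load only on a recorded, explicit "1".
// No record at all (first visit, rejected banner, tampered cookie) => false.
function shouldLoad(cookieString, category) {
  const prefs = decodeConsent(cookieString);
  return prefs !== null && prefs[category] === true;
}

// Set-Cookie string. SameSite=Lax and Secure keep the preference from being
// written cross-site or over plain HTTP; Max-Age keeps the choice one year.
function consentSetCookie(prefs) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(encodeConsent(prefs))}` +
    '; Max-Age=31536000; Path=/; SameSite=Lax; Secure';
}

// Browser side: written through the JS cookie API, no HTTP request involved.
// Accept and reject do exactly the same amount of work: one cookie write.
function saveConsentInBrowser(prefs) {
  if (typeof document !== 'undefined') document.cookie = consentSetCookie(prefs);
}
```

Because the reject path is the same single cookie write as the accept path, there is nothing for a "rejecting" spinner to wait on.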

It's entirely possible that it is the result of incompetence rather than malice. Either way, it strongly discourages users from rejecting cookies by wasting their time for 20-30 seconds every time.

Whatever it's doing can simply be done in the background, it doesn't even require UI.

Very few people actively want to be tracked by 500 different companies. Some don't mind, some consider it the price they have to pay.

The whole point of the charade of "asking" is to get people to

1) Just say yes

2) Complain to their government about it

> It's pretty well known that cookie-walls are rife with anti-consumer patterns.

Which are all illegal.

The wheels of justice turn slowly, but grind exceedingly fine.

And you can help: if you find an annoying pop up, file a complaint with your local data protection agency.

I use uMatrix for this (and NoScript) for the granularity.
> Going to something like formula1.com r

Not sure if this is because I'm in the states, but 'manage settings' has a 'reject all' button for me[0] and it seems to work.

0: https://i.judge.sh/0vCJB/q_nQ34wtjO.png

But does that button also reject "legitimate" interests?
Most likely everything with a toggle except 'Required Cookies', which are required to make the site work between pages (if you want to turn those off you can disable cookies for the domain in your browser, at risk of the site breaking).
I'm asking because many of these "consent" dialogs allow you to "reject all" for cookies, but require an "object to all" for "legitimate interest" purposes. It wouldn't surprise me if these dialogs considered the "reject all" to apply only to cookies.
Seems like perverting the meaning of "legitimate interest" is the ad industry's next move, now that the obviously illegal popups were officially decried as illegal.