> You are right that technically opt-in should always take longer.

Hm... I suppose so, but negligibly. Setting cookies takes milliseconds, so there shouldn't be a significant difference from a user's perspective.

> No cookies should have been set until the user accepts.

That's not accurate. A number of different types of cookies can be set without consent, generally described as 'strictly necessary' cookies - these include cookies that are required for core functionality of the site, or those required to perform a service expressly requested by the user.

> But opt-out should not set anything.

It's a good practice to record the opt-out (or, that user has not opted in). This can be done as a cookie or using Local Storage. This allows you to do things such as only load third party embeds if the user has opted in, giving the 'opted out' user the option to conditionally opt-in for specific embeds without inconveniencing the 'opted in' user. As far as I understand, current thinking is that this type of preference being recorded falls within the scope of 'strictly necessary'.

> I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP.

That's not necessarily true. It is possible to use JavaScript to set and read cookies as a sort of local storage. It's definitely not what cookies were invented for, but technically it can be done.

> If you mean saving to LocalStorage, then I don't think that's allowed either.

GDPR does not care about the method of storage, so if you're allowed to store a cookie, you're allowed to set something in Local Storage (and vice versa).
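
The opt-out record and per-embed opt-in described in the comment above, sketched as an added example that is not part of the thread. The storage key, function names and provider names are hypothetical; in a browser you would pass `window.localStorage` instead of the in-memory stand-in.

```javascript
// Added example: consent gate for third-party embeds. All names are hypothetical.
const CONSENT_KEY = "consent_pref"; // hypothetical storage key

// Minimal stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

function createConsentGate(storage) {
  // Anything missing, malformed or unparsable is treated as "not opted in".
  function read() {
    try {
      const pref = JSON.parse(storage.getItem(CONSENT_KEY));
      if (pref && typeof pref.all === "boolean" && Array.isArray(pref.embeds)) return pref;
    } catch (_) { /* corrupted value: fall through to the default */ }
    return { all: false, embeds: [] };
  }
  function write(pref) { storage.setItem(CONSENT_KEY, JSON.stringify(pref)); }

  return {
    optIn() { write({ all: true, embeds: [] }); },
    // Recording the opt-out stores only the preference itself, no identifier.
    optOut() { write({ all: false, embeds: [] }); },
    // An opted-out user allows one specific embed provider.
    allowEmbed(provider) {
      const pref = read();
      if (!pref.embeds.includes(provider)) pref.embeds.push(provider);
      write(pref);
    },
    shouldLoadEmbed(provider) {
      const pref = read();
      return pref.all || pref.embeds.includes(provider);
    },
  };
}

// Constructed walk-through: no record yet, then opt-out plus one allowed embed.
function demo() {
  const gate = createConsentGate(memoryStorage());
  const before = gate.shouldLoadEmbed("video.example");
  gate.optOut();
  gate.allowEmbed("video.example");
  return [before, gate.shouldLoadEmbed("video.example"), gate.shouldLoadEmbed("maps.example")];
}
```
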
When you accept third-party cookies on a website, additional scripts can be loaded and additional data can be sent to their backends. In the case of providers like TrustArc, etc., consent data is often sent to those third parties after consent is given.

It is of course possible to defer this in the name of user friendliness, which is what TrustArc, etc., tend to do, but only when there is consent.