Hi,

In Spain (and probably other places in Europe) we’ve recently seen a deluge of cookie banners that offer you the option to reject tracking cookies for a fee. The regular GDPR forms are therefore slightly broken, as you get several options: accept, reject (which doesn’t work in most cases), and buy a subscription to reject. Consent-O-Matic, for example, is having a hard time. I don’t doubt it’ll get corrected in time, but I want to talk about something tangential.

Cookie consent has (at least) two layers: the browser layer (where we might delete cookies, reject third party cookies, etc) and the site UI layer (where we’re presented with an option when we load the page). This means we can reject third-party cookies at the browser layer and then accept whatever form at the site UI layer.

With the set up mentioned above, is there really any difference between accepting cookies and rejecting cookies? No tracking cookie are going to get installed in my computer anyway. This, combined with an ad blocker, makes the browsing experience exactly the same whether I accept or reject the cookie form. Is there anything I’m missing here?

  • beta_tester
    link
    fedilink
    arrow-up
    2
    arrow-down
    4
    ·
    edit-2
    10 months ago

    When accepting a cookie, the cookie is stored on your machine locally for the duration of your browsing session on that site, IF you clear all cookies after a site visit with cookieautodelete. Or they are deleted after quitting the browser session, i.e. after exiting all open tabs AND you’ve enabled the setting to auto clear cookies.

    With cookie autodelete (or firefox containers) and a normal browsing behavior it does not matter much if you accept or delete them, if there is no personal identifier like login data or IP address (always use vpn).

    Consent o matic doesn’t work on as many sites as istilldontcareaboutcookies and with the up and coming internal firefox functionality isdcaac will hopefully be obsolete within a year or so

    • RovingFox@infosec.pub
      link
      fedilink
      arrow-up
      6
      ·
      10 months ago

      I recommend you look into web fingerprinting. IP and login data are no longer the only data required to pin point you on the web.

      • beta_tester
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        10 months ago

        I know how web fingerprinting works. I don’t visit sites regularly that use advanced techniques which shouldn’t get my info, and if, I would overthink my web browsing behavior. For regular websites it’s just too much of a hassle to use advanced fingerprinting methods

        • RovingFox@infosec.pub
          link
          fedilink
          arrow-up
          1
          ·
          10 months ago

          How do you know they don’t use “advanced techniques”? I think you gravely overestimate the complexity of adding them to a website.