Are EU cookie consent forms safe?
61
Does the EU consent form system pose a new security risk?
Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky.
There are so many EU consent forms, I feel more likely to confuse a disguised download consent form and a security attack with an EU consent form. How big a risk do EU consent forms represent?
web-browser cookies html
edited Sep 4 at 14:56
unor
asked Sep 3 at 10:08
com.prehensible
21
A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in internet law.
– com.prehensible
Sep 3 at 10:09
3
Yes, it is possible for malvertisement to carefully craft an up consent screen as bait click, especially for those websites that set CORS to "*".
– mootmoot
Sep 3 at 12:09
4
This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
– Peter Taylor
Sep 3 at 16:11
12
They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
– YetAnotherRandomUser
Sep 3 at 21:55
6
It might be of interest that there is a very nice extension for firefox/chrome/... called "I don't care about cookies" which gets rid of 99% of them automatically.
– Matija Nalis
Sep 4 at 11:04
2 Answers
104
It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.
answered Sep 3 at 10:13
Sjoerd
8
What I noticed is that some of them default to opting in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
– htmlcoderexe
Sep 3 at 21:07
6
@htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
– hvd
Sep 4 at 8:17
15
If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
– Ruther Rendommeleigh
Sep 4 at 10:08
4
The worst part is when it is very hard to tell when you have been opted in or out using very user-hostile design choices for their checkboxes.
– ratchet freak
Sep 4 at 10:09
3
@htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on its own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
– Morfildur
Sep 4 at 13:25
18
This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.
This is indeed a bad thing: browsers have gone a long way protecting the user from malicious websites by limiting the actions that can be performed without clicking (like blocking pop-ups which are not a response to a click). Once users learn to click on anything which blocks the view and reads 'cookies', those defences won't help much.
So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.
edited Sep 4 at 14:54
answered Sep 4 at 14:44
Dmitry Grigoryev
1
I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
– Oli
Sep 5 at 8:28
1
"This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
– CD001
Sep 5 at 13:40
@Oli I'm not referring to cookies, but to malicious JavaScript code behind the dialog.
– Dmitry Grigoryev
Sep 5 at 14:51
1
@CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
– Dmitry Grigoryev
Sep 5 at 14:54
I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
– supercat
Sep 5 at 15:11