Are EU cookie consent forms safe?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
61
down vote

favorite
6












Does the EU consent form system pose a new security risk?



Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky.



There are so many EU consent forms, I feel more likely to confuse a disguised download consent form and a security attack with an EU consent form. How big a risk do EU consent forms represent?







share|improve this question


















  • 21




    A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in for internet law.
    – com.prehensible
    Sep 3 at 10:09






  • 3




    Yes, it is possible for malvertisement carefully craft an up consent screen as bait click, especially for those website set CORS to "*" .
    – mootmoot
    Sep 3 at 12:09






  • 4




    This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
    – Peter Taylor
    Sep 3 at 16:11






  • 12




    They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
    – YetAnotherRandomUser
    Sep 3 at 21:55







  • 6




    It might be of interest that there is very nice extension for firefox/chrome/... calld I don't care about cookies which gets rid of 99% of them automatically.
    – Matija Nalis
    Sep 4 at 11:04
















up vote
61
down vote

favorite
6












Does the EU consent form system pose a new security risk?



Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky.



There are so many EU consent forms, I feel more likely to confuse a disguised download consent form and a security attack with an EU consent form. How big a risk do EU consent forms represent?







share|improve this question


















  • 21




    A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in for internet law.
    – com.prehensible
    Sep 3 at 10:09






  • 3




    Yes, it is possible for malvertisement carefully craft an up consent screen as bait click, especially for those website set CORS to "*" .
    – mootmoot
    Sep 3 at 12:09






  • 4




    This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
    – Peter Taylor
    Sep 3 at 16:11






  • 12




    They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
    – YetAnotherRandomUser
    Sep 3 at 21:55







  • 6




    It might be of interest that there is very nice extension for firefox/chrome/... calld I don't care about cookies which gets rid of 99% of them automatically.
    – Matija Nalis
    Sep 4 at 11:04












up vote
61
down vote

favorite
6









up vote
61
down vote

favorite
6






6





Does the EU consent form system pose a new security risk?



Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky.



There are so many EU consent forms, I feel more likely to confuse a disguised download consent form and a security attack with an EU consent form. How big a risk do EU consent forms represent?







share|improve this question














Does the EU consent form system pose a new security risk?



Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky.



There are so many EU consent forms, I feel more likely to confuse a disguised download consent form and a security attack with an EU consent form. How big a risk do EU consent forms represent?









share|improve this question













share|improve this question




share|improve this question








edited Sep 4 at 14:56









unor

1,0361230




1,0361230










asked Sep 3 at 10:08









com.prehensible

472159




472159







  • 21




    A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in for internet law.
    – com.prehensible
    Sep 3 at 10:09






  • 3




    Yes, it is possible for malvertisement carefully craft an up consent screen as bait click, especially for those website set CORS to "*" .
    – mootmoot
    Sep 3 at 12:09






  • 4




    This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
    – Peter Taylor
    Sep 3 at 16:11






  • 12




    They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
    – YetAnotherRandomUser
    Sep 3 at 21:55







  • 6




    It might be of interest that there is very nice extension for firefox/chrome/... calld I don't care about cookies which gets rid of 99% of them automatically.
    – Matija Nalis
    Sep 4 at 11:04












  • 21




    A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in for internet law.
    – com.prehensible
    Sep 3 at 10:09






  • 3




    Yes, it is possible for malvertisement carefully craft an up consent screen as bait click, especially for those website set CORS to "*" .
    – mootmoot
    Sep 3 at 12:09






  • 4




    This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
    – Peter Taylor
    Sep 3 at 16:11






  • 12




    They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
    – YetAnotherRandomUser
    Sep 3 at 21:55







  • 6




    It might be of interest that there is very nice extension for firefox/chrome/... calld I don't care about cookies which gets rid of 99% of them automatically.
    – Matija Nalis
    Sep 4 at 11:04







21




21




A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in for internet law.
– com.prehensible
Sep 3 at 10:09




A website can use 50 trackers on their page, and have lots of clickbait, without declaring it. Tracker and clickbait counts don't have to be declared by websites, I think the EU fails miserably in for internet law.
– com.prehensible
Sep 3 at 10:09




3




3




Yes, it is possible for malvertisement carefully craft an up consent screen as bait click, especially for those website set CORS to "*" .
– mootmoot
Sep 3 at 12:09




Yes, it is possible for malvertisement carefully craft an up consent screen as bait click, especially for those website set CORS to "*" .
– mootmoot
Sep 3 at 12:09




4




4




This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
– Peter Taylor
Sep 3 at 16:11




This question isn't specific enough to be answerable. Not all cookie consent forms are equal. Well-designed ones which respect both users and the law can be ignored unless you're on a device with a tiny screen. So to ensure that answers are all addressing the same question, you should edit in some examples of the forms which you think might pose a risk.
– Peter Taylor
Sep 3 at 16:11




12




12




They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
– YetAnotherRandomUser
Sep 3 at 21:55





They're annoying and ridiculous, that's for sure. I'm not in the EU and I don't care about the EU. I have a list in uBlock to block it, but they are all unique, so a lot of them get through once I enable javascript. The various SEs are REALLY BAD about it too.
– YetAnotherRandomUser
Sep 3 at 21:55





6




6




It might be of interest that there is very nice extension for firefox/chrome/... calld I don't care about cookies which gets rid of 99% of them automatically.
– Matija Nalis
Sep 4 at 11:04




It might be of interest that there is very nice extension for firefox/chrome/... calld I don't care about cookies which gets rid of 99% of them automatically.
– Matija Nalis
Sep 4 at 11:04










2 Answers
2






active

oldest

votes

















up vote
104
down vote













It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.






share|improve this answer
















  • 8




    What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
    – htmlcoderexe
    Sep 3 at 21:07






  • 6




    @htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
    – hvd
    Sep 4 at 8:17






  • 15




    If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
    – Ruther Rendommeleigh
    Sep 4 at 10:08






  • 4




    The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
    – ratchet freak
    Sep 4 at 10:09






  • 3




    @htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
    – Morfildur
    Sep 4 at 13:25

















up vote
18
down vote













This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.



This is indeed a bad thing: browsers have gone a long way protecting the user from malicious websites by limiting the actions that can be performed without clicking (like blocking pop-ups which are not a response to a click). Once the users will learn to click on anything which blocks the view and reads 'cookies', those defences won't help much.



So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.






share|improve this answer


















  • 1




    I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
    – Oli
    Sep 5 at 8:28






  • 1




    "This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
    – CD001
    Sep 5 at 13:40










  • @Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
    – Dmitry Grigoryev
    Sep 5 at 14:51






  • 1




    @ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
    – Dmitry Grigoryev
    Sep 5 at 14:54










  • I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
    – supercat
    Sep 5 at 15:11










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f192943%2fare-eu-cookie-consent-forms-safe%23new-answer', 'question_page');

);

Post as a guest






























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
104
down vote













It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.






share|improve this answer
















  • 8




    What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
    – htmlcoderexe
    Sep 3 at 21:07






  • 6




    @htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
    – hvd
    Sep 4 at 8:17






  • 15




    If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
    – Ruther Rendommeleigh
    Sep 4 at 10:08






  • 4




    The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
    – ratchet freak
    Sep 4 at 10:09






  • 3




    @htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
    – Morfildur
    Sep 4 at 13:25














up vote
104
down vote













It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.






share|improve this answer
















  • 8




    What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
    – htmlcoderexe
    Sep 3 at 21:07






  • 6




    @htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
    – hvd
    Sep 4 at 8:17






  • 15




    If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
    – Ruther Rendommeleigh
    Sep 4 at 10:08






  • 4




    The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
    – ratchet freak
    Sep 4 at 10:09






  • 3




    @htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
    – Morfildur
    Sep 4 at 13:25












up vote
104
down vote










up vote
104
down vote









It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.






share|improve this answer












It increases dialog box fatigue. By overflowing the user with mundane dialog boxes, they are more likely to get into the habit of just clicking OK to remove the dialog box from their screen. This increases the risk of a user clicking OK on some important security decision presented in a dialog window.







share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 3 at 10:13









Sjoerd

14.7k73553




14.7k73553







  • 8




    What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
    – htmlcoderexe
    Sep 3 at 21:07






  • 6




    @htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
    – hvd
    Sep 4 at 8:17






  • 15




    If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
    – Ruther Rendommeleigh
    Sep 4 at 10:08






  • 4




    The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
    – ratchet freak
    Sep 4 at 10:09






  • 3




    @htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
    – Morfildur
    Sep 4 at 13:25












  • 8




    What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
    – htmlcoderexe
    Sep 3 at 21:07






  • 6




    @htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
    – hvd
    Sep 4 at 8:17






  • 15




    If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
    – Ruther Rendommeleigh
    Sep 4 at 10:08






  • 4




    The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
    – ratchet freak
    Sep 4 at 10:09






  • 3




    @htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
    – Morfildur
    Sep 4 at 13:25







8




8




What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
– htmlcoderexe
Sep 3 at 21:07




What I noticed is that some of them default to optig in, and some default to opting out. And the ones who default to opt out tend to also have a nice "no to all" button, while the ones opting you in if you dismiss it, tend to be a user-hostile mess of long paragraphs, multiple links and sometimes hundreds of checkboxes. It is a lot worse on mobile, by the way, try imgur's new mobile site on a fresh C O O K I E L E S S phone. So the voices from the tin foil hat are telling me this might be an intentional dark pattern used by less ethical actors.
– htmlcoderexe
Sep 3 at 21:07




6




6




@htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
– hvd
Sep 4 at 8:17




@htmlcoderexe There are also some that default to opt out for checkboxes that are visible by default, but let you scroll to see more checkboxes that default to opt in, if you want to get even less ethical.
– hvd
Sep 4 at 8:17




15




15




If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
– Ruther Rendommeleigh
Sep 4 at 10:08




If I recall correctly, Oracle has a multi-page opt-out dialog that makes users wait several minutes "to save your settings" if you disable marketing cookies.
– Ruther Rendommeleigh
Sep 4 at 10:08




4




4




The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
– ratchet freak
Sep 4 at 10:09




The worst part is when it is very hard to tell when you have been opted in or out using very user hostile design choices for their checkboxes.
– ratchet freak
Sep 4 at 10:09




3




3




@htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
– Morfildur
Sep 4 at 13:25




@htmlcoderexe Implementing cookie consent was a big deal for the company I worked for and in the process I searched for existing solutions. Turns out there are providers that automatically generate consent scripts by analyzing which cookies your website sets. They are used on many sites and usually result in those long paragraphs and hundreds of checkboxes, because each cookie gets classified on it's own. Not a result of malice, more incompetence. In the end we simply adapted the jquery cookiebar plugin with a plain accept/decline choice, because most customers generally don't actually care.
– Morfildur
Sep 4 at 13:25












up vote
18
down vote













This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.



This is indeed a bad thing: browsers have gone a long way protecting the user from malicious websites by limiting the actions that can be performed without clicking (like blocking pop-ups which are not a response to a click). Once the users will learn to click on anything which blocks the view and reads 'cookies', those defences won't help much.



So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.






share|improve this answer


















  • 1




    I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
    – Oli
    Sep 5 at 8:28






  • 1




    "This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
    – CD001
    Sep 5 at 13:40










  • @Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
    – Dmitry Grigoryev
    Sep 5 at 14:51






  • 1




    @ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
    – Dmitry Grigoryev
    Sep 5 at 14:54










  • I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
    – supercat
    Sep 5 at 15:11














up vote
18
down vote













This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.



This is indeed a bad thing: browsers have gone a long way protecting the user from malicious websites by limiting the actions that can be performed without clicking (like blocking pop-ups which are not a response to a click). Once the users will learn to click on anything which blocks the view and reads 'cookies', those defences won't help much.



So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.






share|improve this answer


















  • 1




    I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
    – Oli
    Sep 5 at 8:28






  • 1




    "This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
    – CD001
    Sep 5 at 13:40










  • @Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
    – Dmitry Grigoryev
    Sep 5 at 14:51






  • 1




    @ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
    – Dmitry Grigoryev
    Sep 5 at 14:54










  • I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
    – supercat
    Sep 5 at 15:11












up vote
18
down vote










up vote
18
down vote









This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.



This is indeed a bad thing: browsers have gone a long way protecting the user from malicious websites by limiting the actions that can be performed without clicking (like blocking pop-ups which are not a response to a click). Once the users will learn to click on anything which blocks the view and reads 'cookies', those defences won't help much.



So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.






share|improve this answer














This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something.



This is indeed a bad thing: browsers have gone a long way protecting the user from malicious websites by limiting the actions that can be performed without clicking (like blocking pop-ups which are not a response to a click). Once the users will learn to click on anything which blocks the view and reads 'cookies', those defences won't help much.



So, apart from the increased risk of clicking the wrong button, there's also a risk of clicking a button on a site where all buttons are wrong to click on.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 4 at 14:54

























answered Sep 4 at 14:44









Dmitry Grigoryev

6,4661838




6,4661838







  • 1




    I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
    – Oli
    Sep 5 at 8:28






  • 1




    "This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
    – CD001
    Sep 5 at 13:40










  • @Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
    – Dmitry Grigoryev
    Sep 5 at 14:51






  • 1




    @ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
    – Dmitry Grigoryev
    Sep 5 at 14:54










  • I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
    – supercat
    Sep 5 at 15:11












  • 1




    I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
    – Oli
    Sep 5 at 8:28






  • 1




    "This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
    – CD001
    Sep 5 at 13:40










  • @Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
    – Dmitry Grigoryev
    Sep 5 at 14:51






  • 1




    @ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
    – Dmitry Grigoryev
    Sep 5 at 14:54










  • I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
    – supercat
    Sep 5 at 15:11







1




1




I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
– Oli
Sep 5 at 8:28




I disagree with your opening sentence. It's not a "valid excuse", you need active consent first. If a data controller cannot demonstrate they have consent for the data they are processing (itself a very broad term), they're in breach. The slightly older EU cookie law would also have something to weigh in on this behaviour.
– Oli
Sep 5 at 8:28




1




1




"This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
– CD001
Sep 5 at 13:40




"This form effectively gave all websites a valid excuse to interfere with browsing until the user clicks on something." - doing it that way around would technically be in breach of GDPR legislation; the website should not set any cookies (except those essential to function, e.g. a session cookie to maintain a shopping cart) unless it has consent from the user first. Any site that does otherwise is technically breaking the law ... which 99% of sites are because things like Analytics and Adwords don't work otherwise.
– CD001
Sep 5 at 13:40












@Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
– Dmitry Grigoryev
Sep 5 at 14:51




@Oli I'm not referring to cookies, but to a malicious JavaScript code behind the dialog.
– Dmitry Grigoryev
Sep 5 at 14:51




1




1




@ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
– Dmitry Grigoryev
Sep 5 at 14:54




@ CD001 By interfering I mean showing a dialog which blocks some of the content the user is trying to read. Not the cookies.
– Dmitry Grigoryev
Sep 5 at 14:54












I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
– supercat
Sep 5 at 15:11




I wonder if it would be practical to have a standard set of cookie usages [perhaps coded by number] to which users could specify consent, and allow browsers to be configured to automatically agree to such requests if they agreed with all the indicated uses to which data might be put. Even if a user might want to allow Usage #5 for some sites but not all [and would thus want to be prompted], having a box start with "COOKIE CONSENT #1,2,5" followed by a description thereof would avoid the need to have users read blobs of text to see what they're agreeing to.
– supercat
Sep 5 at 15:11

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f192943%2fare-eu-cookie-consent-forms-safe%23new-answer', 'question_page');

);

Post as a guest













































































Comments

Popular posts from this blog

What does second last employer means? [closed]

Installing NextGIS Connect into QGIS 3?

One-line joke