feat!: decline optional cookies, not all #131

Open
volkipp opened this issue Aug 30, 2023 · 13 comments
Labels
good first issue Good for newcomers hacktoberfest help wanted Extra attention is needed

Comments

@volkipp

volkipp commented Aug 30, 2023

Environment

  • Operating System: Linux
  • Node Version: v16.20.0
  • Nuxt Version: 3.7.0
  • CLI Version: 3.7.2
  • Nitro Version: 2.6.2
  • Package Manager: [email protected]
  • Builder: -
  • User Config: devtools, modules, cookieControl
  • Runtime Modules: @dargmuesli/[email protected]
  • Build Modules: -

Reproduction

https://stackblitz.com/edit/github-whwnbg?file=app.vue

Describe the bug

When clicking on the "Learn More and Customize" option in the cookie consent bar to open the modal, clicking "Decline All" closes the modal, and re-opens the consent bar.

The expected behavior is that all cookies should be declined, the modal closes, as well as the full consent bar.

If this is the intended behavior, would it be possible to allow that behavior to be configured through the nuxt.config? It appears that the code which would need to be changed is /src/runtime/components/CookieControl.vue line 270. isConsentGiven: false.

I would be happy to create a pull request for this issue.

Thanks!

Additional context

No response

Logs

No response

@dargmuesli
Owner

Well, if you decline all cookies there is no cookie that could save that preference. So that's intended behavior. I'd be cautious not to get into legal issues with that, but I'm not an expert in that field so I keep to reasoning that's plausible to me.
Maybe that's answer enough, maybe you still see the possibility to implement this. If the latter applies, what would be your explanation for users that cookies are set when they chose not to? (there could be a reason, it may just not come to my mind)

@dargmuesli
Owner

Closing for now.

dargmuesli closed this as not planned Sep 6, 2023
@volkipp
Author

volkipp commented Sep 11, 2023

Sorry for the delay in responding @dargmuesli. What you've explained makes sense. I have noticed, though, that if you click "Decline All" it does store a cookie called ncc_c with value 0 anyway, so that might be a bug if the intended behavior is that all the cookies should be deleted.

To boil it down, the part which isn't intuitive is that when the user makes the "Decline All" selection, they are immediately presented with the same choice again. I don't think most users are going to understand the nuance of the fact that their choice itself is stored in a cookie, so when prompted again it feels like a bug. There are a couple of ways to solve this that I can think of:

  1. Remember that the user made a "Decline All" selection in-memory without setting a cookie. That way they at least won't be prompted again until returning to the site, or doing a "hard" navigation.
  2. Change the verbiage to "Decline Optional" or something to that effect, and then only decline the non-necessary cookies to make the site run appropriately. (which would include the choice the user just made). This seems to be the most common approach I've seen on the web.

I tend to lean towards the second choice. The second option could also be turned on as a configuration setting in the Nuxt config file so it wouldn't be a breaking change. What are your thoughts?

@dargmuesli
Owner

I think the second option makes sense. Would you be up to implement that?

dargmuesli reopened this Sep 11, 2023
dargmuesli changed the title from "Decline All" in modal re-opens consent bar to feat!: decline optional cookies, not all Sep 18, 2023
@cryptonda

Hi @dargmuesli and @volkipp, I would also like the Decline All button to close the modal and the cookie bar as well. Did you make any progress on this feature request?

@dargmuesli
Owner

I don't think so.

@cryptonda

> Well, if you decline all cookies there is no cookie that could save that preference. So that's intended behavior. I'd be cautious not to get into legal issues with that, but I'm not an expert in that field so I keep to reasoning that's plausible to me. Maybe that's answer enough, maybe you still see the possibility to implement this. If the latter applies, what would be your explanation for users that cookies are set when they chose not to? (there could be a reason, it may just not come to my mind)

Hello @dargmuesli, I did some research on this topic and according to https://gdpr.eu/cookies/ (section Cookie compliance) you must "Receive users’ consent before you use any cookies except strictly necessary cookies."

A cookie storing info about the consent state could be considered a necessary cookie and you can store it even without the user's consent.

I have also checked a couple of cookie consent services and that is exactly what they do. They store a cookie consent cookie even without the user's permission.

You can check for example these sites:
https://www.cookiebot.com/
https://www.cookieyes.com/

I suggest that nuxt-cookie-control closes both modal and cookie bar after declining all cookies.

@dargmuesli
Owner

Well, it's not really only about the necessity of consent fetching but about denying consent. There are two primary thoughts that I see:

  1. If I'm asked whether I'd like to consent to cookies being stored on my device and decline, I'd not expect cookies to be stored on my device and as the EU certainly aims to protect the users' interest, that expectation should be satisfied
  2. Keeping the cookie banner could be considered "unnecessarily disruptive" as it is worded in Recital 32 EU GDPR, especially on mobile screens on which the cookie banner might take up the full width and height of the screen

But a solution for 2. could also be to design the cookie banner differently.


btw, both sites, https://www.cookiebot.com/ as well as https://www.cookieyes.com/, currently seem to have broken cookie policies themselves:

not sure if those are indicators of trustworthiness...

@ffdevelit

@dargmuesli Hey, any update on this? I think storing a cookie about not storing any cookies is within the scope of essential cookies.

@dargmuesli
Owner

No, some legal expertise would be a nice to have.

dargmuesli marked this as a duplicate of #254 Jan 30, 2025
@maxleistner

maxleistner commented Jan 31, 2025

Setting a cookie that only stores the user’s choice to not accept cookies and hides the cookie banner can be GDPR-compliant. However, it depends on certain factors:

Why is this allowed?
• Technically necessary cookie: As long as this cookie does not store or process personal data but only saves the user’s decision (“do not accept cookies”), it is considered a technically necessary cookie. According to the GDPR and the ePrivacy Directive, such cookies do not require consent.
• Purpose limitation: It is solely for user convenience, preventing the banner from appearing again even though the user has already made their choice.
• No tracking function: The cookie must not be used to track the user’s behavior.

What should be considered?
1. Appropriate storage duration: The cookie should not be stored indefinitely. A typical duration would be 6 or 12 months.
2. Transparency: The privacy policy should mention that a technically necessary cookie is set to store the user’s decision.
3. No third-party access: The cookie should only be stored locally in the system and not shared with third parties.

Conclusion

Yes, such a cookie is GDPR-compliant if it only stores the user’s decision, does not contain personal data, and is mentioned in the privacy policy.

Otherwise, on mobile a user will forever see a cookie banner and not the page because he cannot hide it.

Moreover, it should be the implementer's choice what happens if I click this button. Therefore it would be nice to implement it as an option in the config.

@dargmuesli
Owner

I myself consulted ChatGPT before which I don't trust on legal topics. I like the last addition to your comment, would you be up to create a PR for this, @maxleistner?

@maxleistner

> I myself consulted ChatGPT before which I don't trust on legal topics. I like the last addition to your comment, would you be up to create a PR for this, @maxleistner?

I am not familiar with your code. I guess it would be much faster if you as the owner of this plugin would make the changes.
