feat!: decline optional cookies, not all

[volkipp]

Environment

• Operating System: Linux
• Node Version: v16.20.0
• Nuxt Version: 3.7.0
• CLI Version: 3.7.2
• Nitro Version: 2.6.2
• Package Manager: npm@9.4.2
• Builder: -
• User Config: devtools, modules, cookieControl
• Runtime Modules: @dargmuesli/nuxt-cookie-control@6.4.1
• Build Modules: -

Reproduction

https://stackblitz.com/edit/github-whwnbg?file=app.vue

Describe the bug

When clicking on the "Learn More and Customize" option in the cookie consent bar to open the modal, clicking "Decline All" closes the modal, and re-opens the consent bar.

The expected behavior is that all cookies should be declined, the modal closes, as well as the full consent bar.

If this is the intended behavior, would it be possible to allow that behavior to be configured through the nuxt.config? It appears that the code which would need to be changed is /src/runtime/components/CookieControl.vue line 270. isConsentGiven: false.

I would be happy to create a pull request for this issue.

Thanks!

Additional context

No response

Logs

No response

[dargmuesli]

Well, if you decline all cookies there is no cookie that could save that preference. So that's intended behavior. I'd be cautious not to get into legal issues with that, but I'm not an expert in that field so I keep to reasoning that's plausible to me.
Maybe that's answer enough, maybe you still see the possibility to implement this. If the latter applies, what would be your explanation for users that cookies are set when they chose not to? (there could be a reason, it may just not come to my mind)

[dargmuesli]

Closing for now.

[volkipp]

Sorry for the delay in responding @dargmuesli. What you've explained makes sense. I have noticed, though, that if you click "Decline All" it does store a cookie called ncc_c with value 0 anyway, so that might be a bug if the intended behavior is that all the cookies should be deleted.

To boil down the part which isn't intuitive is that when the user makes the "Decline All" selection, they are immediately presented with the same choice again. I don't think most users are going to understand the nuance of the fact that their choice itself is stored in a cookie, so when prompted again it feels like a bug. There are a couple of ways to solve this that I can think of:

1. Remember that the user made a "Decline All" selection in-memory without setting a cookie. That way they at least won't be prompted again until returning to the site, or doing a "hard" navigation.
2. Change the verbiage to "Decline Optional" or something to that effect, and then only decline the non-necessary cookies to make the site run appropriately. (which would include the choice the user just made). This seems to be the most common approach I've seen on the web.

I tend to lean towards the second choice. The second option could also be turned on as a configuration setting in the Nuxt config file so it wouldn't be a breaking change. What are your thoughts?

[dargmuesli]

I think the second option makes sense. Would you be up to implement that?

[cryptonda]

Hi @dargmuesli and @volkipp, I would also the Decline All button to close the modal and the cookie bar as well. Did you make any progress in this feature request?

[dargmuesli]

I don't think so.

[cryptonda]

Well, if you decline all cookies there is no cookie that could save that preference. So that's intended behavior. I'd be cautious not to get into legal issues with that, but I'm not an expert in that field so I keep to reasoning that's plausible to me. Maybe that's answer enough, maybe you still see the possibility to implement this. If the latter applies, what would be your explanation for users that cookies are set when they chose not to? (there could be a reason, it may just not come to my mind)

hello @dargmuesli I did some research on this topic and according to https://gdpr.eu/cookies/ (section Cookie compliance) you must "Receive users’ consent before you use any cookies except strictly necessary cookies."

A cookie storing info about the consent state could be considered a necessary cookie and you can store it even without the user's consent.

I have also checked a couple of cookie consent services and that is exactly what they do. They store a cookie consent cookie even without the user's permission.

You can check for example these sites:
https://www.cookiebot.com/
https://www.cookieyes.com/

I suggest that nuxt-cookie-control closes both modal and cookie bar after declining all cookies.

[dargmuesli]

Well, it's not really only about the necessity of consent fetching but about denying consent. There are two primary thoughts that I see:

1. If I'm asked whether I'd like to consent to cookies being stored on my device and decline, I'd not expect cookies to be stored on my device and as the EU certainly aims to protect the users' interest, that expectation should be satisfied
2. Keeping the cookie banner could be considered "unnecessarily disruptive" as it is worded in Recital 32 EU GDPR, especially on mobile screens on which the cookie banner might take up the full width and height of the screen

But a solution for 2. could also be to design the cookie banner differently.

---

btw, both sites, https://www.cookiebot.com/ as well as https://www.cookieyes.com/, currently seem to have broken cookie policies themself:

• https://www.cookiebot.com/en/cookie-declaration/ (no content at all)
• https://www.cookieyes.com/cookie-policy/ (button "cookie settings" does not lead anywhere)

not sure if those are indicators of trustworthiness...

[filipfdevelit]

@dargmuesli Hey, any update on this? I think storing a cookie about not storing any cookies is withing the scope of essential cookies.

[dargmuesli]

No, some legal expertise would be a nice to have.