feat!: decline optional cookies, not all

volkipp commented 12 months ago

Environment

Operating System: Linux
Node Version: v16.20.0
Nuxt Version: 3.7.0
CLI Version: 3.7.2
Nitro Version: 2.6.2
Package Manager: npm@9.4.2
Builder: -
User Config: devtools, modules, cookieControl
Runtime Modules: @dargmuesli/nuxt-cookie-control@6.4.1
Build Modules: -

Reproduction

https://stackblitz.com/edit/github-whwnbg?file=app.vue

Describe the bug

When clicking on the "Learn More and Customize" option in the cookie consent bar to open the modal, clicking "Decline All" closes the modal, and re-opens the consent bar.

The expected behavior is that all cookies should be declined, the modal closes, as well as the full consent bar.

If this is the intended behavior, would it be possible to allow that behavior to be configured through the nuxt.config? It appears that the code which would need to be changed is /src/runtime/components/CookieControl.vue line 270. isConsentGiven: false.

I would be happy to create a pull request for this issue.

Thanks!

Additional context

No response

Logs

No response

dargmuesli commented 12 months ago

Well, if you decline all cookies there is no cookie that could save that preference. So that's intended behavior. I'd be cautious not to get into legal issues with that, but I'm not an expert in that field so I keep to reasoning that's plausible to me. Maybe that's answer enough, maybe you still see the possibility to implement this. If the latter applies, what would be your explanation for users that cookies are set when they chose not to? (there could be a reason, it may just not come to my mind)

dargmuesli commented 11 months ago

Closing for now.

volkipp commented 11 months ago

Sorry for the delay in responding @dargmuesli. What you've explained makes sense. I have noticed, though, that if you click "Decline All" it does store a cookie called ncc_c with value 0 anyway, so that might be a bug if the intended behavior is that all the cookies should be deleted.

To boil down the part which isn't intuitive is that when the user makes the "Decline All" selection, they are immediately presented with the same choice again. I don't think most users are going to understand the nuance of the fact that their choice itself is stored in a cookie, so when prompted again it feels like a bug. There are a couple of ways to solve this that I can think of:

Remember that the user made a "Decline All" selection in-memory without setting a cookie. That way they at least won't be prompted again until returning to the site, or doing a "hard" navigation.
Change the verbiage to "Decline Optional" or something to that effect, and then only decline the non-necessary cookies to make the site run appropriately. (which would include the choice the user just made). This seems to be the most common approach I've seen on the web.

I tend to lean towards the second choice. The second option could also be turned on as a configuration setting in the Nuxt config file so it wouldn't be a breaking change. What are your thoughts?

dargmuesli commented 11 months ago

I think the second option makes sense. Would you be up to implement that?

cryptonda commented 10 months ago

Hi @dargmuesli and @volkipp, I would also the Decline All button to close the modal and the cookie bar as well. Did you make any progress in this feature request?

dargmuesli commented 10 months ago

I don't think so.

cryptonda commented 1 month ago

Well, if you decline all cookies there is no cookie that could save that preference. So that's intended behavior. I'd be cautious not to get into legal issues with that, but I'm not an expert in that field so I keep to reasoning that's plausible to me. Maybe that's answer enough, maybe you still see the possibility to implement this. If the latter applies, what would be your explanation for users that cookies are set when they chose not to? (there could be a reason, it may just not come to my mind)

hello @dargmuesli I did some research on this topic and according to https://gdpr.eu/cookies/ (section Cookie compliance) you must "Receive users’ consent before you use any cookies except strictly necessary cookies."

A cookie storing info about the consent state could be considered a necessary cookie and you can store it even without the user's consent.

I have also checked a couple of cookie consent services and that is exactly what they do. They store a cookie consent cookie even without the user's permission.

You can check for example these sites: https://www.cookiebot.com/ https://www.cookieyes.com/

I suggest that nuxt-cookie-control closes both modal and cookie bar after declining all cookies.

dargmuesli commented 1 month ago

Well, it's not really only about the necessity of consent fetching but about denying consent. There are two primary thoughts that I see:

If I'm asked whether I'd like to consent to cookies being stored on my device and decline, I'd not expect cookies to be stored on my device and as the EU certainly aims to protect the users' interest, that expectation should be satisfied
Keeping the cookie banner could be considered "unnecessarily disruptive" as it is worded in Recital 32 EU GDPR, especially on mobile screens on which the cookie banner might take up the full width and height of the screen

But a solution for 2. could also be to design the cookie banner differently.

btw, both sites, https://www.cookiebot.com/ as well as https://www.cookieyes.com/, currently seem to have broken cookie policies themself:

https://www.cookiebot.com/en/cookie-declaration/ (no content at all)
https://www.cookieyes.com/cookie-policy/ (button "cookie settings" does not lead anywhere)

not sure if those are indicators of trustworthiness...

dargmuesli / nuxt-cookie-control