disconnectme
commented
1 month ago Hello, Thanks for filing this issue.
As an initial matter, our understanding is that Mozilla blocks Content domains in Strict mode so moving consent.cookiebot.com into the Content category may not resolve this issue. In addition, we are technically not able to block a TLD (cookiebot.com) but unblock a subdomain (consent.cookiebot.com).
Our technical and policy review determined that the cookiebot.com domain meets our definition of Tracking (See https://disconnect.me/trackerprotection) and that this domain is properly classified. Our technical review revealed Request URLs from Cookiebot subdomains are present on thousands of 3P sites. These requests are firing as soon as a user visits the site i.e., appear to collect user data before the user interacts with the consent dialogue. As just a few of many examples, we are seeing what appear to be tracking requests that contain originating 3P domains, identifiers (“cbid”), and pixels (“dgi”), including but not limited to the following:
- Example: https://issuu.com/ Request URL https://consent.cookiebot.com/94fb9e27-f09e-4da3-961c-27a7778ee938/cc.js?renew=false&referer=issuu.com&dnt=false&init=false&framework=TCFv2.2&georegions=%5B%7B%22r%22%3A%22DK%22%2C%22i%22%3A%223686c81b-ca29-4dcb-b14d-a81780c353fc%22%7D%2C%7B%22r%22%3A%22AT%2CBE%2CBG%2CCY%2CCZ%2CDE%2CEE%2CES%2CFI%2CFR%2CGB%2CGR%2CHR%2CHU%2CIE%2CIS%2CIT%2CLI%2CLT%2CLU%2CLV%2CMT%2CNL%2CNO%2CPL%2CPT%2CRO%2CSE%2CSI%2CSK%22%2C%22i%22%3A%227ca1313c-aa45-493b-8a88-86f8a9bfdd6c%22%7D%2C%7B%22r%22%3A%22US-06%22%2C%22i%22%3A%22661b2534-d670-4bab-9901-8d2c30b62a30%22%7D%5D
- Example: https://themeforest.net/ Request URL https://consent.cookiebot.com/58b7468f-7dba-4036-baad-925e721641e5/cc.js?renew=false&referer=themeforest.net&dnt=false&init=false
- Example: https://www.attentive.com/?utm_source=attn.tv Request URL https://consent.cookiebot.com/uc.js?cbid=829b182a-4d9d-41aa-88aa-5af22f78efee&implementation=gtm&consentmode-dataredaction=dynamic
- Example: https://www.envato.com/ Request URL https://imgsct.cookiebot.com/1.gif?dgi=58b7468f-7dba-4036-baad-925e721641e5 In addition, several portions of the Usercentrics/Cookiebot policy and website marketing seem to support the current classification, including but not limited to the following: Website marketing:
- “Unlock marketing opportunities with consented data. Implement Usercentrics CMP to keep Google ads personalization, remarketing and analytics active in the EU/EEA.“ https://usercentrics.com/
- “Achieve privacy compliance with GDPR, ePrivacy Directive and Google’s EU user consent policy. Automatic and effortless, while protecting your advertising revenue and marketing data.” https://usercentrics.com/cookiebot-consent-management-platform/
- “See what works and what doesn’t throughout your CMP layer. Iterate regularly to maximize data capture. Fully understand user behavior, gain rapid insights, make better data-driven decisions and beat your KPIs.” https://usercentrics.com/analytic-insights/
- “Monitor user interaction to make informed decisions to optimize opt-in rates and boost conversions.” https://usercentrics.com/website-consent-management/
- “Integrate seamlessly with Google Tag Manager and a wide range of CMS platforms, including Shopify, Magento, Drupal, and many more (https://support.cookiebot.com/hc/en-us/sections/360000838214-Other-installation-guides)“ https://www.cookiebot.com/en/cookiebot-cmp-features/
- “Enable Consent Mode with Cookiebot cookie compliance solution to benefit from conversion and analytics modeling, and avoid losing marketing data due to rejected consent banners.” https://www.cookiebot.com/en/cookie-consent-solution/
- “Cross-domain Consent Sharing” https://www.cookiebot.com/en/cookie-consent-solution/ The Cookiebot privacy policy https://www.cookiebot.com/en/privacy-policy/ talks about data collection:
- In “YOU BECOME A CUSTOMER OR PARTNER OF USERCENTRICS” section ⁃ “To enable you to control the user experience towards End Users and enable the Service to automatically apply the End User’s consent to other websites of yours;” ⁃ “To produce and display cookie declarations to End Users and store and display scan report(s) to you;” ⁃ “To provide you with aggregated information on the choices of the End Users regarding accepted cookie types and generate a graphical representation in the Service Manager;”
- “The identifiers are generated by the service providers listed in section 13.3 of this privacy policy. We use the identifiers in combination with conversion events, such as account creation (for example, if a trial period starts or you upgrade to a premium account) to inform the service providers about the event in relation to the provided identifiers. Aggregated statistical data on End User consents.“
- In section 13.3 “Processors /Trusted Third Parties” ⁃ With Akamai Technologies “IP addresses on the end user.” ⁃ With BunnyWay “P addresses (end users), Geographical location, Request URL, User Agent, User ID, Connection Times” The Usercentrics Data Processing Agreement https://www.cookiebot.com/en/wp-content/uploads/sites/7/2023/08/DPA_01_2023.pdf talks about data collection: ⁃"Subject of the collection, processing and / or use of personal data are the following data: ⁃User data: ⁃ Consent Data (Consent ID, Consent date and time, User Agent of the browser and Consent State.) ⁃ Device data (HTTP Agent, HTTP Referrer) ⁃ URL visited ⁃ User language ⁃ IP address ⁃ Geolocation” The most efficient way to have cookiebot.com removed from the Services list is for Usercentrics (the parent entity) to make a legally binding commitment that the cookiebot.com domain does not meet our definition of tracking. We have provided Usercentrics/CookieBot with acceptable language as well as the information above. We are happy to consider additional information, or answer any questions.
artines1
Domain(s) to review. Separate them by comma.
consent.cookiebot.com
Rationale for removing, adding, or recategorizing.
The script https://consent.cookiebot.com/uc.js is responsible for showing the cookie consent banner, which is part of the website content. Blocking it will prevent the site from showing the consent banner, and potentially causes website breakage without user choice.
Where domain(s) observed. Separate them by comma.
https://www.wellnesshotel.com/en
Additional notes
See Bug 1899092 - tracking protection blocks CDM CookieBot in private windows for details.
Only the subdomain
consent.cookiebot.comneeds to be reclassified.Note that CookieBot is a very popular Consent Management Provider, so many websites can be broken in private windows and ETP strict mode in Firefox because Firefox blocks ad trackers in these cases.