YouTube storing cookies before you even give them permission to do so
Hello everyone,
I am not an expert in all things cookies and session data and all that stuff. But I have recently stumbled upon something that seems quite off... If I visit YouTube I get greeted with the choice to log in or not. If I click "no thanks", I am prompted with a choice of either accepting Google using cookies or leaving the website. In theory, my logic says that if I now leave the website, the next time I visit it, I should be greeted again with the same prompt since I have not accepted any cookie being stored. That does not happen. If I then take a look at the Session cookies that were stored, I see a YouTube cookie with the following information stored: CONSENT:"YES+CH.en+V9+BX". I am not sure if this is the consent to them storing cookies or what, but only if I delete this cookie do I get prompted again to log in or accept the terms. Seems kind of weird that they store cookies before you accept them storing cookies...
Did I find something here or is it just how it works?
Thanks!
Sounds like that might fall under the Strictly necessary cookies category for which they are not required to obtain consent for.
The choice whether to log in or not is not “strictly necessary” because you do what all other sites do - serve them the logged out content until they log in. This cookie is not strictly necessary.
Agreed. There is no blanket ban on cookies without permission. A justification is required, and consent is one of the possible justifications, but not the only one.
Under the hood (legally) there is no ban on cookies per se. It is rather on tracking of personally identifiable information. It is OK to place a cookie without explicit permission if it tracks something that can be applied to a wide range of people, like a timezone or language preference, for example.
Google/YouTube has figured out my work and personal accounts are the same person. I always log in to those accounts from separate work and personal machines but I do forward some mails and calendar events sometimes. You can tell it has you figured out when your YouTube recommendations on one box account begin to reflect the watch history on another account.
That cookie doesn’t include any personal identifier so that’s OK.
Yea but there are also other cookies stored after that. I guess that one is the one for the consent specifically. When I start clicking around, I see more cookies being stored.
Assuming you're living in the EU. The cookie: So on the one hand there's the GDPR which deals with personal data (PII). As what they're storing there does not seem to be PII and is not used for tracking you, it does not care. On the other hand there's the EU cookie directive. It is responsible for all the "this website uses cookies" banners from before the GDPR Consent popups. I'm not sure if it forbids storing any cookies without consent but that's a direction you might want to look at in more detail.
https://www.privacypolicies.com/blog/eu-cookie-law/ Can't say much about the consent form itself as I think the Google consent form is especially weird as it's not possible to deny them tracking and still use their site. I suspect there will be fines for that some time down the road, but there are probably a lot of smarter people than me looking at this so what do I know...
So I tried clicking around a little and found that there are more cookies being stored even though I never agreed. Not sure if they are third party cookies or not, but either I just found a way to not accept their third party cookie thingy and still use the website, or else they just don't care if I agree or not and they just store third party cookies no matter what...
The EU cookie directive concerns only third-party cookies. No notice needs to be present for first-party cookies.
That's not true. Any cookie that is not strictly necessary needs explicit consent. There is simply no distinction whatsoever made between first-party or third-party cookies in the "cookie directive" (ePrivacy directive), or in the GDPR. The directive itself speaks of cookies "intended for a legitimate purpose" "on condition that users are provided with clear and precise information". Read the rest of paragraph 25 to see how users "should have the opportunity to refuse". https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX... "Legitimate purposes" are then more narrowly defined in the GDPR. https://gdpr.eu/article-6-how-to-process-personal-data-legal... I strongly suggest anyone serving European users to just read the GDPR and the ePrivacy directive, directly, rather than rely on third parties to give you an interpretation. These directives can be read "as is", and are really straightforward. Lots of companies of course try to work their way around the really obvious requirements and definitions laid out here.
In summary: Unless you really need the cookie for the service to function, you cannot have it unless the user opted in. You cannot simply invent a reason why you would "need" the cookie. Anything that you can make work without cookies has to be provided without them, and you cannot "require consent" and somehow tie to it your service offers for anything that could be made optional.
So summary of the summary: Google is doing something illegal here?