YouTube storing cookies before you even give them permission to do so
I am not an expert in all things cookies and session data and all that stuff. But I have recently stumbled upon something that seems quite off... If I visit YouTube I get greeted with the choice to log in or not. If I click "no thanks", I am prompted with a choice of either accepting Google using cookies or leave the website. In theory, my logic says that if I now leave the website, the next time I visit it, I should be greeted again with the same prompt since I have not accepted any cookie being stored. That does not happen. If I then take a look at the Session cookies that were stored, I see a Youtube cookie with the following information stored: CONSENT:"YES+CH.en+V9+BX". I am not sure if this is the consent to them storing cookies or what, but only if I delete this cookies, I get prompted again to log in or accept the terms. Seems kind of weird that they store cookies before you accept them storing cookies...
Did I find something here or is it just how it works?
Thanks!
12 comments
[ 0.24 ms ] story [ 24.2 ms ] threadThis cookie not not strictly necessary
You can tell it has you figured out when your Youtube recommendations on one box account begin to reflect the watch history on another account.
The cookie:
So on the one hand there's the GDPR which deals with personal data (PII). As what they're storing there does not seem to be PII and is not used for tracking you, it does not care.
On the other hand there's the EU cookie directive. It is responsible for all the "this website uses cookies" banners from before the GDOR Consent popups. I'm not sure if it forbids storing any cookies wihtout consent but that's a direction you might want to look at in more detail. https://www.privacypolicies.com/blog/eu-cookie-law/
Can't say much about the consent form itself as I think the google consent form is especially weird as it's not possible to deny them tracking and still use their site. I suspect there will be fines for that some time down the road, but there a probably a lot of smarter people than me looking at this so what do I know...
The directive itself speaks of cookies "intended for a legitimate purpose" "on condition that users are provided with clear and precise information". Read the rest of paragraph 25 to see how users "should have the opportunity to refuse".
https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
"Legitimate purposes" are then more narrowly defined in the GDPR.
https://gdpr.eu/article-6-how-to-process-personal-data-legal...
I strongly suggest anyone serving European users to just read the GDPR and the ePrivacy directive, directly, rather than rely on third parties to give you an interpretation. These directories can be read "as is", and are really straightforward. Lots of companies of course try to work their way around the really obvious requirements and definitions laid out here.
In summary:
Unless you really need the cookie for the service to function, you cannot have it unless the user opted in. You cannot simply invent a reason why you would "need" the cookie. Anything that you can make work without cookies has to be provided without them, and you cannot "require consent" and somehow tie to it your service offers for anything that could be made optional.