Delay cookie deletion until explicit denial of consent
Lars Friis
I would like to request an option to delay cookie deletion until a user has explicitly denied consent, instead of deleting cookies immediately on script load when no prior consent exists.
The current behavior creates significant issues for both compliance and business performance, and is a major blocker for adopting cookie-script.com.
Why this is important:
1) New installations purge all existing cookies
When implementing cookie-script.com on a site that previously had no CMP, all existing cookies are deleted on the first visit before the user has a chance to provide consent.
This results in a full reset of tracking and loss of historical data.
2) CMP migrations reset tracking
When migrating from another CMP, existing consent is not preserved, and all cookies are deleted on the first visit.
This again causes a complete reset of tracking.
3) Unintentional deletion of long-lived cookies
When the consent cookie expires (e.g., after 30 days), all other cookies are also deleted, even those with longer lifetimes, such as Google Analytics cookies (up to 400 days).
This leads to unnecessary data loss and degraded measurement quality.
4) Premature deletion reduces effectiveness
Deleting cookies on script load may happen before some cookies are even set, reducing the effectiveness of the cleanup.
Delaying deletion increases the likelihood that cookies are properly handled according to the user’s final choice.
Proposed solution
- Only delete cookies after the user has explicitly denied consent
- If valid consent already exists, continue handling cookies as currently implemented
- Do not delete cookies on initial load when no consent decision has yet been made
Jānis Elmeris
(Not from support) BTW, why would you want to bother a user to reconfirm the consent every month? 400 days is fine for the consent cookie.
Lars Friis
Jānis Elmeris it's best practice to ask for new consent regularly, since you might have added new cookies or tools after the user consented last time.
A 400-day-old consent will most likely not have given you permission to run the tools you currently have on your site.
Jānis Elmeris
Lars That's a good consideration, I see the reasoning behind it. It may be a good practice from the marketing perspective. In GDPR though, the users are not agreeing to specific cookies, they are agreeing to cookie categories with data usage purposes and storage durations. Listing all the cookies is just an easy way technically to (seemingly) conform to the regulation. From the user's point of view, asking for the permissions too often actually violates GDPR principles. I cannot easily allow, for example, only analytics cookies without being nagged every month about it. Especially, with the (best?) practice of asking every month only if I have not agreed to something, but not asking anymore if I have agreed to everything.
Lars Friis
Jānis Elmeris the users might have agreed to marketing cookies, but that consent is related to the cookies / tools that were listed on the site, when the users gave their consent.
If you later install new tools, you should ask for a consent that matches the current setup on the site.
The reason why I set the limit to 30 days is that it's the frequency of the cookie scanner, and updates of the cookie list / policy.
Jānis Elmeris
Lars, yes, I understand your reasoning. Especially, if you really have such a dynamic site that introduces substantially new functionality all the time. As a user though, I always curse when a site I'm visiting several times a month, every other time asks me to choose the permissions anew.