Disabling cookie banners makes CPRA/GDPR compliant web sites non-compliant

With the recent addition of the new “Block Cookie Banners” feature, Brave pushes otherwise CPRA and GDPR-compliant web sites into a state of non-compliance. This occurs in two ways:

  1. The GDPR requires the user be explicitly asked for their privacy and consent settings at least once every 13 months.
  2. The CPRA requires a “Do Not Sell or Share My Personal Information” link at the bottom of the page that the user can use to “opt-out” from having their data sold or shared.

With the “Block Cookie Banners” feature enabled, neither of the above will work. It not only blocks the banner pop-ups required by the GDPR, but it also blocks the pop-up privacy consent opt-in/-out window used for CPRA and GDPR. This will force companies to explicitly block users running the Brave browser to stay compliant with these laws. I am personally aware that there is a ticket now opened at more than one major web site to do exactly this for this specific reason.

I thought you should be aware.

I don’t understand. GDPR requires consent. If the cookie banner or the “Do Not Sell or Share My Personal Information” link is blocked, then the user explicitly does not give the website consent.

1 Like

@DrEnter Let’s review here:

  1. GDPR you’re mentioning only says websites can’t collect information without a User’s consent. Strictly necessary cookies do not require consent. You can read more about that at https://gdpr.eu/cookies/ But the main thing to realize is that this does mandate websites build it into their site, but it does not require Users to have to let said notice appear or interact with it. Brave’s setting to hide the notice is an automatic refusal of anything asking for permission. In other words, it’s the User refusing to give consent to collect their information. All of which falls under requirements.

  2. The Do Not Sell or Share button works in a similar way to the above. If you read through the policy, this only goes to sites collecting personal information to where they have to give you the option to opt out at any time you wish. The mandate here is that all sites always give you the option. Btw, Brave doesn’t block this. It is a different feature and located elsewhere compared to cookie consent notices.

  3. These policies only mandate that the sites add it to their content. It does not mandate that Users are required to view or interact with those items. Brave adding a filter that Users can opt into would not be a violation for any site. It also would not mandate companies to block Users who are using such features to protect their privacy. In fact, such a thing would be contrary to the purposes.

You’re assuming the user has never been to the site before. That is not a safe assumption. They may have already visited the site and now wish to change their consent choices. They cannot because Brave is preventing the pop-up where they make those changes.

I think you misunderstand what I’m talking about. I’m not talking about the automatic pop-up that you get when you first visit a site. I’m talking about the consent pop-up you get when you click on the link to change your consent settings. For CCPA/CPRA, this is the link that is generally labelled “Do Not Sell or Share My Personal Information”. For GDPR, this link is often something like “Cookie Settings” or “Privacy Settings”.

You are also assuming the user has never been to the site before. That is not a safe assumption. They may have already visited the site and now wish to change their consent choices. They cannot because Brave is preventing the consent window from displaying where they can make those consent changes. This includes preventing the user from opting-out of consent they (intentionally or not) opted-into before.

For CCPA/CPRA, the problem is magnified: The default for most sites is “opt-in” and requires the user manually opt-out. While Brave is good about catching many things that might be seen as privacy intrusions, IT DOES NOT CATCH EVERYTHING. For example, an opt-out on a CPRA site might result in certain user behavior not being tracked on the server-side, completely outside the realm of the browser. This privacy “feature” prevents the user from opting-out and protecting themselves.

We are going to block Brave because of the problem with GDPR for existing users. Personally, I think the problem with CCPA/CPRA is more serious, as it prevents users from opting-out at all. Either way, the decision isn’t being made by engineering or the ads/business folks, but by the legal team: Any browser that prevents consent from being revoked for new or existing users must be blocked; users must be able to opt-out.

  1. The GDPR does not require an individual to consent nor to consent at least once every 13 months. If you could post the source of that information I’d be glad to check it.

For what it’s worth it is the EU ePrivacy Directive that imposes notice and consent obligations on websites, mobile apps etc IF they intend to store information on a device or access information stored on a device where that is NOT necessary to provide a service requested by end-users. So advertising for example.

Blocking Brave because it blocks so called cookie banners would IMO raise issues for those sites.

Brave blocks the tracking associated with notices - tracking that takes place absent a user engaging a so called cookie banner. Blocking those banners strengthens privacy.

If an individual does not wish to block annoying privacy eroding ‘cookie banners’ or ‘consent pop-ups’ then they can change the setting at any time and experience the pain of such banners and pop-ups. They can visit brave://settings/shields/filters and uncheck the setting called EasyList - Cookie. Likewise if someone wants to suppress cookie notices they can check the box.

Please note that there are extensions people can use to block cookie notices. Personally I prefer my privacy built in by design and not by add-on.

  1. The Brave browser sends a Global Privacy Control (GPC) signal by default. The GPC signal notifies sites to not sell or share data. The GPC is recognised as a valid CCPA opt-out mechanism by the Attorney General of California. Please see Section B ‘Right to Opt-Out of Sale or Sharing’ and subsections 8 and 9. https://www.oag.ca.gov/privacy/ccpa
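As an added illustration of the GPC point above (this is example code written for this page, not Brave’s code and not anything posted in the thread): a site that wants to treat the GPC signal as a CCPA/CPRA opt-out needs to honour it in two places, on the server where the `Sec-GPC` request header arrives, and in the page where `navigator.globalPrivacyControl` is exposed. The header and property names follow the public GPC draft specification; the function names, the consent-record shape and the sample request are constructed for the example.

```javascript
// Added example: honouring the Global Privacy Control (GPC) signal.
// Not Brave's code or the thread's; `Sec-GPC` and `navigator.globalPrivacyControl`
// come from the GPC draft spec, everything else here is constructed for illustration.

// The GPC draft treats the signal as present only when the header value is exactly "1".
// Node.js lowercases incoming header names, but a proxy or test fixture may not, so
// normalise before looking the header up.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return value === "1";
    }
  }
  return false;
}

// Server-side decision for "may this request's data be sold or shared?".
// storedPreference is the choice the site has recorded for this user:
// "opt-out", "opt-in", or undefined when no choice has been recorded.
// siteDefaultOptedOut is whatever default the site applies when nothing is recorded;
// a valid GPC signal always wins, and a recorded opt-out can never be overridden
// by an earlier opt-in because the newer choice is what gets stored.
function resolveSaleOptOut(headers, storedPreference, siteDefaultOptedOut = false) {
  if (gpcSignalPresent(headers)) {
    return { optedOut: true, source: "gpc" };
  }
  if (storedPreference === "opt-out") {
    return { optedOut: true, source: "stored" };
  }
  if (storedPreference === "opt-in") {
    return { optedOut: false, source: "stored" };
  }
  return { optedOut: siteDefaultOptedOut, source: "default" };
}

// Client-side check a page (or its consent-settings link handler) can use to
// reflect the browser's GPC setting in the UI before any stored choice is read.
// `nav` is injectable so the function can be exercised outside a browser.
function clientGpcEnabled(nav = globalThis.navigator) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Constructed sample request, as a GPC-enabled browser would send it.
const sampleRequestHeaders = {
  host: "example.invalid",
  "sec-gpc": "1",
  "user-agent": "constructed-sample-browser/1.0",
};

// Stand-alone demo: a user whose stored choice is "opt-in" but whose browser sends GPC.
console.log(resolveSaleOptOut(sampleRequestHeaders, "opt-in"));
```

The point the example makes is that the two mechanisms are independent: the server-side decision does not depend on any banner or consent window having been rendered, so a user whose browser suppresses the notice is still recognised as opted out by a site that checks the header.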

So, two things here. First, you are STILL IGNORING the fact that I AM NOT TALKING ABOUT THE POP-UP BANNERS you get when you first go to a site! I am talking about the fact that Brave’s mechanism to prevent those pop-ups ALSO blocks the window a user gets when they CLICK ON A LINK TO SPECIFICALLY CHANGE THEIR CONSENT.

Second, this:

Brave blocks the tracking associated with notices - tracking that takes place absent a user engaging a so called cookie banner. Blocking those banners strengthens privacy.

… is just ridiculous. This idea that CMPs are themselves violating users’ privacy seems to be taken from the misreading of a single source: https://www-sop.inria.fr/members/Nataliia.Bielova/papers/Matt-etal-20-SP.pdf. While I have some minor issues with this paper regarding methods and specifics of some of the violations they claim, I find it generally well researched and written. The paper is VERY dated, as it was released before most GDPR-compliant sites moved to the IAB TCF v2 standard. That said, the paper is reasonably accurate for many of its criticisms of TCF v1 and the issues many sites were having getting compliant at that time. But most importantly for this conversation, NOWHERE in this paper do the authors claim any certified Consent Management Platforms (CMPs) were purposefully using consent notification pop-ups to violate users’ privacy. What the paper DOES say is that there are a lot of sites doing things that aren’t really compliant, like opt-in before consent or providing no way for the user to change their consent.

It’s great that Brave supports the GPC, I’m all for that. Unfortunately, it’s not typically honored by GDPR sites/CMPs because the GDPR requires explicit consent, making the GPC redundant.

You are concerned that while Brave’s filter list setting suppresses cookie notices it also “blocks the window a user gets when they CLICK ON A LINK TO SPECIFICALLY CHANGE THEIR CONSENT.” Individuals can at any time change the setting that blocks cookie notices and manage any consents they wish to give and any legitimate interests sites may rely on.

I note your comments about the one specific research paper. We have a team of privacy engineers and researchers in Brave who understand in detail the implications of cookie consent or preference management tools. You can find some of their work here https://brave.com/privacy-updates/

If you really do NOT want to suppress cookie notices and to manage consents given to websites you can visit brave://settings/shields and brave://settings/privacy and change applicable settings. We have been asked at various times to block cookie consent dialogues: “Cookie consent popups - stop the madness”

As for GPC, if an individual believes a site is not honouring the GPC setting, then they can file a complaint with the California Attorney General https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

As Brave’s data protection officer, you can always email privacy [at] brave.com if you have concerns about our approach.

1 Like