Trying to understand Consent Forms, Cookies and Third-Party Vendors

Yo peeps, I’m currently looking into TCF Vendors, Ad partners and their whole corporate greed hellhole of tracking. I am writing a paper on this, and would like for everything to be factually correct. However, I am struggling to understand one particular part of this “transparency framework” and hope someone can help me clarify on cookie-duration.

As seen in the first thumbnail, the cookie duration is listed as 180 days. However, upon selecting > Storage Details, each cookie is displayed in further detail. In this detailed section, there are additional cookies with duration as high as 1825 days, not 180… So which is it? Currently, I’m (obviously) assuming the worst, as in, it being 1825 and not 180 days. There are additional cookies on this list, see spoiler below, that have cookies with the duration of 180 days. Why are the cookies with the highest duration listed on the first page? And if the answer is that “it would look worse”, then they also have cookies with lower amount of days than 180 that could have been used. There are multiple cookies with different durations, do all of them count?

https://slrpnk.net/pictrs/image/1aec83a6-6161-4902-ad7e-5a13b9cdf9e4.webp

If needed here is a spolier that includes all the cookies in detail from the Exactag GmbH vendor.

SPOILERExactag GmbH - Storage details Name: exactag_new_adoptout Type: Cookie Duration: 1825 (days) Domain: Purposes: Store and/or access information on a device Refreshes Cookies: No Name: exactag_new_ccoptout Type: Cookie Duration: 1825 (days) Domain: Purposes: Store and/or access information on a device Refreshes Cookies: No Name: exactag_new_optout Type: Cookie Duration: 1825 (days) Domain: Purposes: Store and/or access information on a device Refreshes Cookies: No Name: exactag_new_cpv Type: Cookie Duration: 1 (days) Domain: Purposes: Store and/or access information on a device Measure advertising performance Measure content performance Refreshes Cookies: No Name: exactag_new_gk Type: Cookie Duration: 60 (days) Domain: Purposes: Store and/or access information on a device Measure advertising performance Measure content performance Refreshes Cookies: No Name: exactag_new_uk Type: Cookie Duration: 180 (days) Domain: Purposes: Store and/or access information on a device Measure advertising performance Measure content performance Refreshes Cookies: Yes Name: exactag_new_user Type: Cookie Duration: 180 (days) Domain: Purposes: Store and/or access information on a device Measure advertising performance Measure content performance Refreshes Cookies: Yes Name: session_session Type: Cookie Duration: Uses session cookies Domain: Purposes: Store and/or access information on a device Measure advertising performance Measure content performance Refreshes Cookies: No

Let me know if any additional information is needed.

cyrus,

there are additional cookies with duration as high as 1825 days, not 180… So which is it?

Whatever the browser reports is what they are actually doing.

In Firefox, enter the developer tools, navigate to the “Storage” tab and open the “Cookies” dropdown. For any given domain you can now look at the “Max Age” or Expiry date.

Sunny,

Neat - thanks :)

Sunny,

Don’t mind me, I’m just a cookie who wants to store your information for 9993 years…

https://slrpnk.net/pictrs/image/3e480aa8-caab-47b3-b0fd-b0a6ea8d7217.webp

damium,

It’s not well explained for sure but judging by the names of the cookies I bet those store the consent (opt in/out) values for the other tracking options. Another way of putting it would be those are functional cookies related to the cookie consent form itself so that you don’t have to re-select consent options every time you visit the site.

Sunny,

Ah indeed possible, I have seen some cookies with names such as “optout”, but this is not always the case. But does that mean people who DO NOT consent still get a cookie, but a different one without tracking and sorts…?

9point6, (edited )

Yep exactly that, it’ll be a cookie (not a tracking cookie, which would require some kind of unique ID) that will be set to ensure the website doesn’t show their consent banner every time—i.e. remembering the results of your refusal of tracking consent.

Sunny,

Well this is good to know, and also means i have to run through my numbers again… Am currently checking all the data 198 different vendors are asking for… its an extremely tedious process :<

telep, (edited )

while I am by no means an expert on this, my gut tells me that this is probably something to do with “nessecary” cookies vs advertising & tracking cookies. its a common loophole for other policies so I wouldnt be surprised if they had some way of circumventing the normal limitations for tracking because of “fraud protection” or the likes.

looking at the cookie descriptors, all of the 1825 day cookies are used to “store &/or access information on device refreshes”. the shorter cookies are the only ones that also mention “measuring advertising & content performance”.

Sunny,

Made the spoiler data/cookies more readable now.

Thanks for your input, but not sure what you meant with your last sentence, could you clarify?

telep,

thank you 🙏

I meant that if you look at the “purpose” section of each cookie the ones that are older than 180 days are the only ones that dont mention advertising. thinking they may be related to the “nessecary” or “required” cookies that some websites have. I would presume they have their own or altered version of the other cookies policies since they have different purposes.

apologies, I worded that poorly before.

Sunny,

Ah I see now. I do think this will vary a lot from vendor to vendor and cookie to cookie though. The one I included was only a random one out of 198 different ones. Other cookies I’ve read through will have ad-measurements and tracking for 3000+ days too :<

telep,

oh I see interesting. seems like blatant malpractice to me. good luck on your paper o7

Sunny,

Additionally, there are vendors that claim they dont use cookies like seen here; https://slrpnk.net/pictrs/image/d48f595a-95aa-415d-b69d-6f0731b0725d.webpHowever again when clicking on >Storage Details, it reveals two different cookies, with a cookie duration of 728 days, with a the purpose “store and/or access information on a device”. HOW IS THIS NOT A COOKIE THEN? https://slrpnk.net/pictrs/image/13f76050-6509-4b8b-813c-56d3fbf2c1f3.webp

Cheradenine,

As a guess I would say that means they don’t set cookies themselves, they do use cookies that are set by different services.

Which would be a nice way for them to not have legal responsibility.

Sunny, (edited )

But if not themselves then who? There are no additional parties/companies/vendors listed within these cookies as far as I can see at least, and im pretty sure they do need to be listed? Also these companies are the tracking companies, so it would be weird if it wasnt them. As far as I understand it atleast.

Cheradenine,

I can’t visit them directly (they are on 5 different DNS block lists). Looking at Internet Archive I would say it’s cookies set by Google, probably through Firebase Analytics, maybe AdMob.

Sunny,

I assume that when you say “them”, you tried to visit the hompage of Pixalate? But it sounds about right actually, the app I am investigating have the following trackers implemented;

  • Adjust
  • AppsFlyer
  • Google AdMob
  • Google CrashLytics
  • Google Firebase Analytics
  • Yoadx
  • All
  • Subscribed
  • Moderated
  • Favorites
  • privacy@lemmy.ml
  • DreamBathrooms
  • everett
  • tacticalgear
  • magazineikmin
  • thenastyranch
  • rosin
  • tester
  • Youngstown
  • khanakhh
  • slotface
  • ngwrru68w68
  • kavyap
  • mdbf
  • InstantRegret
  • JUstTest
  • osvaldo12
  • GTA5RPClips
  • ethstaker
  • normalnudes
  • Durango
  • cisconetworking
  • anitta
  • modclub
  • cubers
  • Leos
  • provamag3
  • megavids
  • lostlight
  • All magazines
    •