I appreciate your insight about the cookies themselves, but I still think the banner is deceitful. If I see "Required" checked and "Features" unchecked I would expect that the primary button respects that decision. The fact that the primary button ignores the content of the form is very surprising to me.
It is easy to think of better UX patterns:
- Check both by default and have only one submit button. This is intuitive but IIUC disallowed by GDPR because it makes opt-out harder than opt-in.
- Skip the checkboxes and simply provide "Required cookies only" or "All cookies". This way there is only one place to make the choice and they aren't ignoring the checkboxes.
- Just remove the "Accept all" button and make the primary form button "Accept accepted".
To me, the banner was clear. But I agree the implementation could be improved.
- There are 2 "required" features. You don't need to get permission to place cookies that are needed to make your site function. Placing a cookie to track your consent is perfectly fine, no need to make that optional, or even mention it in the cookie banner. Same goes for the session cookie: if you need it just set it. You could question if you actually need it in this case, but as long as it's a true session cookie and not persisted I would consider it not personally identifiable.
- There are 2 optional features: YouTube Videos and Google Maps. Why do I have to fold open "Features" to find out what the features are? Just show me the list already. Hiding the list is a dark pattern employed by advertisers to get you to agree. In this case the features are actually valuable: embedded videos and embedded maps.
- Those 2 optional features are not even used on the linked page! Then why does it show me a consent banner?
For some reason people hear GDPR compliance and just slap on an annoying consent modal popup.
A much better solution is to just put an embed placeholder with the title of the linked content, and warn the user that a 3rd party wants your personal data. Put a link to a detailed privacy policy, and a link to enable the embed. At that point record the consent and enable the embed.
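The placeholder approach described in the comment above, sketched as an added example that is not part of the original thread. The provider table, storage keys, CSS class, `/privacy` path and sample URLs are assumptions made for illustration.

```javascript
// Added example: consent-gated embeds. All names here are hypothetical.
// Only providers in this table are ever rendered, and only from their own origin.
const PROVIDERS = new Map([
  ["youtube", { label: "YouTube", origin: "https://www.youtube.com" }],
  ["maps", { label: "Google Maps", origin: "https://www.google.com" }],
]);

// Escape text before placing it in HTML or in an attribute value.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Consent is recorded per provider, so enabling a video does not enable maps.
// The Map stands in for whatever persistent storage the site uses.
function createConsentStore(storage = new Map()) {
  return {
    has: (provider) => storage.get(`consent:${provider}`) === "granted",
    grant: (provider) => storage.set(`consent:${provider}`, "granted"),
    revoke: (provider) => storage.delete(`consent:${provider}`),
  };
}

// Returns the real iframe only after consent; otherwise a placeholder that
// contains no third-party URL, so the browser contacts nobody until the click.
function renderEmbed(embed, consent, policyUrl = "/privacy") {
  const provider = PROVIDERS.get(embed.provider);
  if (!provider || new URL(embed.src).origin !== provider.origin) {
    throw new Error("embed source is not on the allowlist");
  }
  const title = escapeHtml(embed.title);
  if (consent.has(embed.provider)) {
    return `<iframe src="${escapeHtml(embed.src)}" title="${title}" loading="lazy"></iframe>`;
  }
  const label = escapeHtml(provider.label);
  const key = escapeHtml(embed.provider);
  return [
    `<div class="embed-placeholder" data-provider="${key}">`,
    `<p>${title}</p>`,
    `<p>Loading this content sends your data to ${label}. `,
    `<a href="${escapeHtml(policyUrl)}">Privacy policy</a></p>`,
    `<button type="button" data-enable="${key}">Enable ${label} embeds</button>`,
    `</div>`,
  ].join("");
}
```

In a page, the button's click handler would call `grant()` for that provider and re-render the placeholder with `renderEmbed()`.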
The checkboxes allow detailed control for those who want it and provide some easy to understand info for what consent is required. Skipping them in favor of some generic "yes to all" is a dark pattern.