Automatically deal with cookie pop-ups using the Consent-O-Matic extension

Consent-O-Matic is an extension for dealing with cookie pop-ups; it will automatically disable all cookies and close the pop-up. In other words, it will only agree to the essential cookies or the cookies that you can’t disable; anything else it will disable.

It has a good feature too, where you can click on the extension icon and click on the “Let us know!” button in case the extension didn’t detect the popup on some website or there is something buggy when handling it.

You can add rules that tell the extension how to understand each kind of GDPR consent popup.

The extension works with both Chrome- and Firefox-based browsers.

On GitHub: GitHub - cavi-au/Consent-O-Matic: Browser extension that automatically fills out cookie popups based on your preferences
Official Website: https://consentomatic.au.dk/

1 Like

Hi there :wave:, welcome to the forum! (Feel free to introduce yourself!)

Since this was posted in the “Suggestions” section of the forum, I’m assuming that this is being suggested as an extension that you’d like us to recommend on the website (you can correct me if not).

We generally try to keep extension recommendations to the absolute minimum, as they generally increase your attack surface, as well as often being ineffective.

The issue that this extension aims to solve, to my understanding, is to make it so you can essentially avoid any dark pattern that a website throws at you when you try to opt-out of cookies and instead automates the process.

While that is a neat concept, I believe that it makes a lot more sense to tackle this problem from a different, more holistic angle.

Instead of opting out of cookies when prompted, you can simply ignore them. This may sound counterintuitive, but let me explain:

Instead of doing all this, you could use a browser that clears cookies every time you close the browser, you can properly compartmentalize your use by using browser profiles (each profile for a different purpose), or in some cases, even a different browser (such as using the Tor Browser for random surfing and another browser for signing into your accounts).

What this does is tackle the issue without relying on the good will of websites that use dark patterns and will consistently try to find loopholes to abuse the system in order to track you. Instead of that, you’re making changes to the way you do things to make that harder, or in some cases even impossible.

I hope that this post sheds some light on a different approach you can take towards Internet tracking. This particular extension is not something that I would like to see added to the site, as I believe there are much better ways to tackle the issue, as described above.

Happy to hear the community’s thoughts on this!

P.S. You can find our pages on Internet browsing here, in case you haven’t checked them out already: Tor, Desktop Browsing, Mobile Browsing

2 Likes

Something relevant, this functionality will launch as a Brave native feature next month:

3 Likes

I really like the comparison of the different approaches in that page by Brave. Specifically this part:

One approach (which Brave uses) is to block cookie banners, and to hide and to modify pages to remove any additional annoyance such systems include (such as overlays, preventing scrolling, etc.). Other Web-privacy tools (such as uBlock Origin) can be configured to use this same approach. This approach provides the strongest privacy guarantees: it doesn’t require trusting that the cookie consent systems will respect your choice, and prevents your browser from needing to communicate with consent-tracking systems at all.

The other approach is to trust and work with cookie banners. Instead of blocking these systems (as Brave does), this alternate approach automates the process of clicking “no” in cookie-banner systems. While this approach may reduce the number of cookies sent and the overall nuisance of banners, it still records your preference with the cookie banner providers. This creates a situation of requiring the browser or extension to repeatedly ask the cookie banner provider to leave you alone. Worse, researchers have found that many cookie-and-consent systems still track people, even when users reject all cookies.

A feature that’s built into the browser, that doesn’t extend trust to an extension, and one that doesn’t rely on the good will of websites that have every incentive to try and bend the rules. You don’t see the annoying pop-ups, and the browser blocks what it needs to. Best of both worlds, in my opinion. :grin:

2 Likes

Also worth noting for people using Firefox, you can use uBlock Origin and activate the “EasyList Cookie” filter and it should block cookie banners too.

4 Likes

This is also a thing on AdGuard for iOS, although it’s worth noting that for some sites the scroll will be locked, unless you give AdGuard privileged access to the page. Otherwise AdGuard can only use the (trustless) content blocking API, which can be limited sometimes.

1 Like

Thank you for your comment.
I do leave the cookie banner alone as you said, and when the banner blocks browsing, I hide it using the browser’s inspector. And I clear the cookies when I close the browser (automatically).
I found that extension interesting in how it handles the pop-ups, and I used it for maybe two months or more, and I put it here to know your opinion about it.

So the alternative solution is to enable EasyList in uBlock Origin? I will try it now.


But we should not accept the cookies in the first place, even if the browser will clear them later, right?

I’m going to mark this suggestion as rejected, because Brave is implementing this feature natively soon, and for other browsers even though we don’t necessarily recommend enabling extra uBlock Origin lists, doing so is still safer than installing an additional full extension. Although in that case I would still recommend this approach instead:

2 Likes

Since some here implied something like “just block/delete cookies in your browser and it doesn’t matter what you click on the banner”: Cookie banners are legally also responsible for other forms of tracking, not just cookies. For example, server-side, fingerprinting or cookie-like mechanisms.

I would personally prefer to stick to defenses that I can verify, such as ensuring that I’m blocking third-party cookies, that I’m clearing everything when I close the browser, as well as using a browser that has at least some basic fingerprinting protections, such as Brave.

At the end of the day, those opt-out screens are a promise. There may be legal ramifications if those promises are broken, but it wouldn’t be the first time that this has happened.

So what’s the better approach - Consent-O-Matic or enabling the “Cookie Notices” filters in uBlock Origin? I thought that theoretically you should stick to the default filter lists because otherwise you can be fingerprinted more easily?

I think @jonah initially misunderstood how this extension functions (as did I until recently). It is NOT comparable to the approach or goals of the uBO/Brave technique.

I initially dismissed this extension because I mistakenly assumed that it works like other cookie consent popup blocking methods, but it doesn’t. These other extensions and methods (including using uBO, or the Brave feature Jonah referenced) don’t improve your privacy, they just make the web a bit less annoying by hiding these cookie consent popups/banners (but not opting you out of them).

Consent-O-Matic doesn’t just block or hide cookie popups/banners; it automatically opts users out of certain categories of cookie, based on the user’s preferences. It apparently works with many but not all cookie consent popups. Unlike other cookie-consent extensions, Consent-O-Matic is an attempt to substantively improve privacy, at least for EU citizens.
It should be noted that it has been 11 months since the last update.

I have not personally used this extension and I would like to learn more about it, and assess if it does what it says it does without negative unintended outcomes to privacy or security.

Suggested reading before prematurely forming an opinion (like I initially did):

3 Likes

If you’re just going to isolate and then soon after delete your cookies, is there any real benefit to rejecting the ones websites offer to let you reject?

The whole notion of relying on the website we visit to enact our choices about cookies seems backwards to me. Our web browser lets us delete and block cookies. Why do we need to ask the site we’re visiting to do it for us?

I have used Consent-O-Matic for a few weeks now on Firefox Desktop + Android. It’s quite nice. For about 90% of cookie dialogues it solves them automatically - there’s a tiny picture-in-picture that pops up where you can see how Consent-O-Matic is automatically solving (rejecting if possible) the cookie options.

Apparently the cookie dialogue logic is updated through a separate list, kind of like how adblockers can have daily updating adblocking lists without having to update the extension itself (at least before Manifest v3…).

I got really tired of deleting cookies at exit. It logs you out everywhere, which can be quite inconvenient (and I also don’t want to keep track of a list of “don’t delete cookies” exceptions in the browser settings). Also, you get the cookie dialogues every time again.

The only thing Consent-O-Matic can’t solve is those (news) websites that force cookies by only offering a choice between reading for free with tracking, or paying for a subscription without tracking cookies. (Often the latter has a deliberately high price and still tracks you because they didn’t think anyone would actually choose that option and didn’t want to implement different cookie behaviour.)

1 Like

In my eyes it definitely does (depending on how you use your device). It’s extremely common for people to have a browser open almost the entire time they are actively using their device, or to not close their browser whatsoever until they reboot. Clearing cookies and other site data is useful, but it is far from a full solution for this common usage pattern. And this is without even considering active logins, or considering that many people who clear their cookies on exit make exceptions for many sites.

But the more important factor is that it is not an either or choice. I have done all of the above strategies you mentioned for many years. There is no reason not to use both of these layers in combination, because neither the technical nor legal strategies are anywhere near perfect. A layered approach is desirable in my eyes, if it doesn’t cause conflicts.

So I do like the approach this extension takes, at least in concept, it seeks to address things that are not perfectly addressed by technical solutions.

2 Likes

Brave Forgetful Browsing addresses what you’re talking about. It clears site data after the last tab of that site is closed and a few seconds pass, not the whole browser.

And here’s their post on why cookie banners can be actively harmful when you interact with them: Blocking annoying and privacy-harming cookie consent banners | Brave

1 Like

Forgetful browsing helps but is still an imperfect solution on its own (and it comes with a substantial usability tradeoff, one that I am okay with, but most people are not). And it is insufficient on its own with respect to first-party tracking. Taking advantage of legal frameworks like GDPR can at best substantively improve your privacy, providing an additional layer of protection in addition to the technical solutions.

1 Like

Your “best case” benefit would only be useful for people who don’t follow good practices like obscuring identifiers and sanitising. If you do there is little-to-no benefit of using the options because the tracking cookies are blocked anyway, or not very useful at identifying you. All you are doing is interacting with their systems to set options which probably makes things worse for fingerprinting and such. It’s also not really a reliable layer because you are relying on the websites to be in good faith. And last but not least, it’s really annoying for no benefit.

It would be useful for them especially. But it would also be useful for others. I already go beyond the recommendations given here on PG. And I see usefulness even in my own context, particularly with respect to 1st party cookies.

It seems quite naive to think that ‘blocking tracking cookies’ eliminates all forms of unwanted cookie based tracking. And “obscuring identifiers” is not possible or desirable in all circumstances.

I also don’t see the point of arbitrarily gatekeeping, and approaching with the mindset that anyone not doing as much as you or I are doing, is undeserving of a privacy tool that might help them just because they aren’t willing to make all of the same tradeoffs as you or I might. These approaches are not in conflict, and it doesn’t need to be an either or choice as you seem intent on making it.

> It’s also not really a reliable layer because you are relying on the websites to be in good faith

No you aren’t, you are relying on the website’s self-interest to avoid penalties/fines. Websites didn’t start giving people options about cookies because of good faith. Websites started giving people options when laws were passed forcing them to do so. This extension only exists because those laws were passed.

> it’s really annoying for no benefit

What is “it” and what makes it “really annoying?”

2 Likes

I might be mistaken, but I believe Brave also opts you out actively. Besides that, it should not matter. Sites cannot legally track you, in the EU at least, if you do not opt in. So skipping the cookie banner or hiding it shouldn’t result in any different behavior really.

Besides, many of these cookie banner systems are third-party trackers themselves. By blocking those from being loaded you favour privacy more than by allowing them to load and telling them your choice.