[Bug]: Setting a category to enabled by default doesn't work in opt-in mode

[MoritzLost]

Expected Behavior

I'm seeing an issue where setting a category to enabled: true does not take effect when mode: 'opt-in' is set.

CookieConsent.run({
    mode: 'opt-in',
    categories: {
        analytics: {
            enabled: true,
        },
    },
}

Setting both enabled: true and readOnly: true sets the toggle in the preferences modal to active and prevents this from being changed:

However, setting only enabled: true has no effect:

In this configuration, I would expect the toggle to be active by default, with the user being able to toggle it off.

Current Behavior

Setting only enabled: true does not activate the toggle in the preferences by default.

Steps to reproduce

Use the config above and open the preferences modal.

Proposed fix or additional info.

No response

Version

3.0.0-rc.15

On which browser do you see the issue?

Firefox

[orestbida]

This needs to be documented!

When mode: 'opt-in', categories may not be enabled without the user's explicit consent. The enabled option only works if mode: 'opt-out'.

[MoritzLost]

When mode: 'opt-in', categories may not be enabled without the user's explicit consent. The enabled option only works if mode: 'opt-out'.

@orestbida This feels very counter-intuitive to me. I think the expected behaviour would be as follows:

• In opt-out mode, everything that's enabled by default will be immediately active until the user opts out.
• In opt-in mode, the enabled setting controls the default values for when the preferences are opened for the first time, then the user can change those defaults.

It could also be argued that enabled should basically take precedence over opt-in mode and should always activate those categories immediately, though I would prefer the behaviour mentioned above.

The only thing that doesn't make sense (to me) is completely ignoring the enabled config in opt-in mode. Is there any reason not to use it in the way described above?

[orestbida]

Pre-ticked boxes are against GDPR; having non-essential categories set as enabled by default (although they aren't really enabled) is misleading for the user. The plugin shall only reflect a valid and clear state.

If you still insist on achieving this behavior, then you will need to use custom code, sorry.

[MoritzLost]

@orestbida You're right, it's against GDPR to have services that require consent pre-selected. However, there's still a use-case for categories that don't require explicit consent, but we still want to allow the user to disable them. Take Matomo; if properly configured to anonymize all data, not set any cookies or do any fingerprinting, it doesn't require consent (we had this confirmed by a data security officer). However, we might still want to allow users to turn it off just for transparency / fairness. In this case, I would like to create a category Essential analytics that is on by default but can be turned off, while other categories like regular Analytics and Advertising would remain opt-in.

To be honest, I don't think this is super necessary, there are definitely workarounds. But the current behaviour really feels like a bug. Having an option that does nothing in combination with one particular other option is always awkward, especially if there is a fairly reasonable assumption of how those options should interact. At least for me, the expected behaviour would have been as described above:

In opt-in mode, the enabled setting controls the default values for when the preferences are opened for the first time, then the user can change those defaults.

Is there any other reason not to support this behaviour, like technical debt or plugin size? Otherwise, this feels like an unnecessary point of confusion for users.

having non-essential categories set as enabled by default (although they aren't really enabled) is misleading for the user. The plugin shall only reflect a valid and clear state.

In this case, my other suggestion could also be reconsidered:

It could also be argued that enabled should basically take precedence over opt-in mode and should always activate those categories immediately, though I would prefer the behaviour mentioned above.

[kpcftsz]

It might be against GDPR, but as far as I'm aware CCPA still allows for this kind of "opt the user in by default" behavior. There are plenty of websites that don't care about GDPR but still need to be CCPA compliant.

[orestbida]

@kpcftsz , in this case you can explicitly set mode: 'opt-out' and then enable any category. The user will have the option to opt-out in any moment.

@MoritzLost , the enabled and mode options were meant to work this way. Perhaps ditching mode and only relying on enabled would have been a better choice; The current behaviour cannot be changed though, as it would be quite a breaking change. Perhaps in a future v4.

[MoritzLost]

@orestbida Fair enough. Removing mode and being able to pre-select specific categories (and services) would be an improvement IMO.