
How does the EU e-Privacy Directive extension compare to its competitors?

To illustrate the difference between the EU e-Privacy Directive extension (2 plugins, 1 module) and its competitors, I've created a table listing the capabilities of each.

Testing methods are as follows:

Allows Cookies:

Load the demo URL in Chrome and view the Application > Storage > Cookies area in Developer Tools (F12). If any cookies are listed, the extension fails.

JavaScript Cookies:

In Chrome, open the Developer Tools (F12) and use the console to execute the following command: document.cookie = "username=John Doe";

If executing the command "document.cookie" afterwards produces "username=John Doe", the extension fails.

[Screenshot: an example of a passing test]

3rd Party Cookies:

In Chrome, open the Developer Tools (F12) and view the Application > Storage > Cookies area. If any cookies exist from an external domain (not the domain of the website you're viewing), the extension fails. Additionally, if other domains are listed (indicating frames) and those other domains have cookies, the extension fails.

[Screenshot: an example of a failing test]

Other Storage Methods

EU lawmakers didn't just target cookies. The law covers other storage methods that act like cookies. This includes LocalStorage, Session storage, IndexedDB, WebSQL and even Flash Cookies. Although this article was written for e-Privacy, it's important to note that GDPR expands on e-Privacy.

http://dreamdealer.nl/articles/localstorage_vs_cookies_vs_the_law.html

Testing method:

In the JavaScript console, execute the commands "localStorage.setItem('myCat', 'Tom'); sessionStorage.setItem('myCat', 'Tom');"

If storage is disabled, "localStorage.getItem('myCat');" and "sessionStorage.getItem('myCat');" will return no result.
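
As an added example (not part of the original article or of any extension's code), the manual console checks above for JavaScript cookies and for LocalStorage/SessionStorage can be bundled into one function. The name probeStorage, its report fields and the probe key are assumptions of this example.

```javascript
// Added example: automates the console checks from the testing methods above.
// `env` is any object exposing document, localStorage and sessionStorage;
// in a browser console that is `window`. The probe key name is constructed.
function probeStorage(env = globalThis) {
  const key = 'consentProbe' + Date.now();
  const report = { cookiesVisibleToScript: [], failures: [] };

  // "Allows Cookies" (partial): names of cookies script can already see.
  // HttpOnly cookies never appear here, so the DevTools view is still needed.
  const readNames = () => String(env.document.cookie || '')
    .split('; ').filter(Boolean).map(c => c.split('=')[0]);

  try {
    report.cookiesVisibleToScript = readNames();
    if (report.cookiesVisibleToScript.length) report.failures.push('cookies present');

    // "JavaScript Cookies": write a cookie, then see whether it reads back.
    env.document.cookie = key + '=1; path=/';
    if (readNames().includes(key)) {
      report.failures.push('document.cookie writable');
      // Expire the probe so the test leaves nothing behind.
      env.document.cookie = key + '=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
    }
  } catch (e) {
    // A blocker that makes document.cookie throw counts as prevented.
  }

  // "Other Storage Methods": same write/read-back check for both stores.
  for (const name of ['localStorage', 'sessionStorage']) {
    try {
      const store = env[name];
      store.setItem(key, 'Tom');
      if (store.getItem(key) === 'Tom') {
        report.failures.push(name + ' writable');
        store.removeItem(key);
      }
    } catch (e) {
      // Accessing or writing the store threw: storage is blocked.
    }
  }

  report.pass = report.failures.length === 0;
  return report;
}
```

Call probeStorage(window) in the console before giving consent; report.pass is true only when no script-visible cookie exists and none of the three writes read back.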

GDPR Compliance

If the extension allows any cookie without consent, it is not GDPR compliant. There are situations where some cookies are allowed without consent, but the vast majority of cookies do not meet the criteria.

Consent Model

There are 5 models of consent. Each exposes a site owner to varying levels of risk (Explicit Consent being the lowest risk, Information Only being the highest risk). Of the 5 models, 1 is compatible with GDPR, and that is Explicit Consent.

CookieLaw.org has an excellent writeup about the 5 models and the risk/benefit of each: https://www.cookielaw.org/media/105101/five-models-for-cookie-law-consent.pdf

Comparison

Using the tests above, the following comparison emerges. As you can see, the results are conclusive. No other cookie extension makes even an attempt to comply with the law; they have all opted for the easy way out provided by the bureaucrats, Information Only (often confused with implied consent).

The extensions are listed in order of popularity in the Joomla Extension Directory as of 3/23/2018.

Extension | Review Date | Demo Link | Prevents HTTP Cookies | Prevents JavaScript Cookies | Granular 3rd Party Cookie Control | Prevents Local/Session Storage Usage | GDPR Compliant | Consent Model | Free/Paid
EU e-Privacy Directive 2018-03-23 Explicit Consent Free
Folcomedia - Cookies Alert 2018-03-23 Information Only Free
Cookies Policy Notification Bar 2018-03-23 Information Only Paid
Responsive EU Cookie Notify 2018-03-23 Information Only Paid
Easy Cookie Alert 2018-03-23 Information Only Paid
JS Cookie Alert 2018-03-23 Information Only Paid
EU-Cookies 2018-03-23 Information Only Paid
Cookies Pro 2018-03-23 [1] Information Only Free
Cookie Notice 2018-03-23 Information Only Paid
iWt Cookie Alarm 2018-03-23 Information Only Paid
Responsive EU Cookie Alert 2018-03-23 Information Only Paid
Cookie Alert 2018-03-23 Information Only Paid
EU Cookie Directive Lite 2018-03-23 Information Only Free
Cookie Accept[2] 2018-03-23 N/A Information Only Free
EU Cookie Directive Pro 2018-03-23 Information Only Free
CookieHint 2018-03-23 Information Only Free
Simple Content Disclaimer 2018-03-23 Information Only Free
Esoftcookies[3] 2018-03-23 Information Only Free
EU Countries Cookie Alert Pro 2018-03-23 Information Only Paid
sketch.cookies 2018-03-23 Information Only Free
EasyCookieInfo 2018-03-23 [4] Information Only Free
AddCookieLaw[5] 2018-03-23 N/A Information Only Free
PixCookiesRestrict[6] 2018-03-23 Information Only Paid
Gogodigital Cookie Consent[7] 2018-03-23 N/A Information Only Free
yourData[8] 2018-03-23 N/A Information Only Free
DJ-CookieMonster[9] 2018-03-23 N/A Unknown Paid
redCOOKIE[9] 2018-03-23 N/A Unknown Paid
Moonchip Cookie Bar 2018-03-23 Information Only Paid
Cookie Notifications Builder[10] 2018-03-23 Information Only Paid
MK EU Cookie 2018-03-23 Information Only Paid
JK Cookie Alert Message Notice[11] 2018-03-23 Information Only Paid
jDisclaimer 2018-03-23 Information Only Free
A4 Infociacho 2018-03-23 Information Only Free
Wscookies[12] 2018-03-23 Information Only Paid
Dle Dismiss Cookie Bar[13] 2018-03-23 Information Only Paid
Rapi Cookie Alert[14] 2018-03-23 Information Only Free
GDPR[15] 2018-04-15 Information Only Paid
Dismiss Cookie Bar II 2018-04-15 Information Only Paid
Ruxin Cookie Alert 2018-04-22 Information Only Paid
Cookie Notice[16] 2018-04-23 Information Only Paid
Simple Content Disclaimer[16] 2018-04-23 Information Only Free
JK Cookie Alert Message Notice[16] 2018-04-23 Information Only Paid
Wscookies[16] 2018-04-23 Information Only Paid
Shack Toolbox (in cookie policy mode) 2018-05-24 Information Only Paid
eorisis Cookie Bar 2018-05-27 Information Only Paid
Kick GDPR[2] 2018-05-27 N/A Information Only Free
Civic Cookie Control[17] 2018-06-10 [18] Information Only Free
GDPR Compliance 2018-06-10 Information Only Paid
  1. Unable to determine this result from the demo; however, it failed the other tests, so this is likely also a failure.
  2. No demo is available. The PHP was reviewed to obtain the results.
  3. Beware of this demo - the page refreshes constantly
  4. Unable to determine this result from the demo; however, it failed the other tests, so this is likely also a failure.
  5. The developer's website is down, so you can't even get this extension.
  6. This extension does weird stuff - it sets cookies and then doesn't quite delete them with JavaScript, which still fails the test (and is against the law prior to acceptance)
  7. No demo is available. The PHP was reviewed to obtain the results.
  8. Developer removed the demo, and the ability to download the module.
  9. No demo available, no source to review
  10. If you decline, you still get cookies
  11. Nothing is displayed in the demo, no source to review
  12. The accept bar auto-hides without selecting anything. If you decline, you still get cookies.
  13. The accept bar auto-hides without selecting anything.
  14. The demo isn't a demo, but the link actually works so I included it. The PHP was reviewed to obtain the results.
  15. This extension claims to detect the visitor's location and block cookies, so I tested it from a system I have in London, and the page response included a cookie. Also, GDPR requires users' consent before tracking cookies, but this extension only offers two ways to consent and no way to decline or withdraw consent.
  16. This extension hides from competition in another JED category.
  17. The demo isn't even a Joomla site!
  18. Doesn't prevent cookie-loading resources from loading cookies; it deletes them via JavaScript after they've been set, but only if they're in the current domain. Otherwise, it removes the object that carries the cookie. This is a bad solution, as the resource that carries the cookie has already transmitted tracking data by the time the script has removed it from the page. I would liken this to cleaning up a crime scene. This is not defensible in court.

Some of these demos are just terrible. They expect you to just believe what they tell you and not look behind the curtain. Here's an example:

[Screenshot]

A tremendous amount of time, effort and scrutiny has gone into the creation of the EU e-Privacy Directive extension for one reason - to protect you from your governments.