
Sure, for advertiser thingies. But website features like optionally storing your preferences in localStorage, or assigning device IDs to be able to understand and optimize website performance both require consent pop-ups.


Preferences and other things required for site to work do not require a consent.


Some preferences are not required for the website to work, but do improve the experience. These are classified as "functional cookies", "preference cookies", or "user interface cookies" in ePrivacy Directive and UK GDPR literature (examples include remembering your selected language), and still require consent. See https://ico.org.uk/for-organisations/direct-marketing-and-pr....

Consent-o-Matic uses this text to describe this category of cookies (for me, it's the first item in the extension's config UI):

> Preferences and Functionality: Allow sites to remember choices you make (such as your user name, language or the region you are located in) and provide enhanced, more personal features. For instance, these cookies can be used to remember your login details, changes you have made to text size, fonts and other parts of web pages that you can customize. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information in these cookies is not used to track your browsing activity on other websites.


These require consent if, for example, they involve the use of a third-party service. Setting a first-party dark mode cookie does not require opting in even if it's "non-essential". It does however require disclosure.

The jury's also still out to what degree third-party cookies need to be disclosed in detail (e.g. whether you really need to keep track of the dozens of cookies Google Maps or YouTube sets or whether you can just refer to their privacy policy for the details). But embeds for YouTube, Twitter, Facebook or Google Maps, or the use of Google Fonts or the use of third-party CDNs for non-essential functionality definitely do require consent (i.e. opt in).


I’m wondering if those embeds would work in an `<iframe sandbox="allow-scripts" />`. This prevents them from reading/writing cookies, but everything else should work fine.


I don't see how that fixes anything as your browser is transmitting PII simply by fetching the iframe content. The sandbox only limits what they can do client-side, they still get to see your IP and user agent.



