Some examples from mine if anyone is curious. I never use the fb sso or any of that shit, nor did I ever explicitly consent to any of these services sharing anything with fb.
- Spotify
- bookings .com
- ebay (haven’t touched my account there in over a decade but they still had data to send this year)
- windy .com
- duolingo
- tinder
- my bank
- opera
- sonos (I can’t think of any time I’ve ever even interacted with this one)
- samsung wallet (another one I never even set up)
- Uber eats
- calorie counter
- mediacom usa and euro (?)
Also, if you remove access via messenger app, it will show a confirm message without closing the screen. Clicking x goes back and it’s not on the list anymore. Whether they are actually leaving it disconnected or just hiding it, who knows.
Some of these services I didn’t use the same email that I used for fb, too, or any email at all.
I like grid for that because it’s by default per-site permissions and also by default allows the sites own cookies while blocking any cookies for other domains.
It can involve some trial and error to get things working if the site uses a CDN or third party services for functionality, but I’ve found that it hasn’t yet been necessary to enable any 3rd party cookies to get any functionality working (at least none that I wanted to get working, maybe other sites that use Google or fb accounts would automatically log me in if I had those ones enabled, but those are things I specifically want to block).
Usually I’ll just need to enable some scripts and media from CDNs.
Same thing that’s preventing them from ignoring your choices or not offering them in the first place: nothing technical; it’s all up to the legal system.
I’m not sure how sites generally do it, but from my web dev experience in the past, I wouldn’t be surprised if it is actually implemented as one giant cookie. Iirc cookies are attached to domains and one domain can’t access another’s cookies. So if they are sharing the data on their end, I’d guess it is one big cookie. If they have their site set up to make the clients share the data themselves, I’d guess there’s a cookie for each partner’s domain.
It’s even possible that the information is shared without using actual cookies at all, since data can be sent to servers using the http get request. If you see ? in the url, everything after that is a list of arguments and values… Though the entire URL (after the domain, which maps it to that server) is data and doesn’t have to map to a directory structure and file on a server. Maybe this falls under the umbrella of “cookie” despite technically not being a cookie.
Or maybe it’s a loophole where the legislation focused on just cookies and falls back to these methods. Probably not, because if it’s done on the client side, it would be easy to detect by anyone who knows how to look. But who knows what’s going on on the server side of things?
Edit: my knowledge here is dated and outside of my specializations, so consider this more technically informed speculation than necessarily applicable to how things generally work. I say this because I see another comment came in while I was writing this that contradicts mine about a giant cookie being technically possible. My own use of cookies was to store a session id so that php could find the data that was being stored server side that was necessary for site functionality (like storing logged in state, user id, and other internal stuff we don’t want users being able to change by editing a cookie). They worked like maps iirc where you just give them key:value pairs, thus could store an arbitrary amount of data.
Most of them were cases where I wasn’t surprised they had data but a bit surprised they shared it.
I think my phone came with a sonos app installed, though not certain about that. I got rid of it if it was, though I can’t say if the most recent update from them was before or after that.
But a few of them I’m not really sure why they are on there. There was another one that I didn’t list that just had the label “IDK”, not sure if that’s a real name or “I don’t know”. I’m assuming they came from effective fingerprinting/tracking.
I might look into an addon that fakes some of the information the browser sends like OS version and resolution. Maybe that will make fingerprinting harder.