Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework (1911.09964v2)

Published 22 Nov 2019 in cs.CR

Abstract: As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many of such banners are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 22 949 European websites. With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 141 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of violations for regular users and Data Protection Authorities.

View on arXiv
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (3)
  1. CĂ©lestin Matte (2 papers)
  2. Nataliia Bielova (17 papers)
  3. Cristiana Santos (17 papers)
Citations (163)
View on Semantic Scholar

Summary

Analysis of Cookie Banner Legal Compliance under IAB Europe's Transparency and Consent Framework

The paper "Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework" presents a thorough analysis of cookie banners implemented in accordance with IAB Europe's Transparency and Consent Framework (TCF). The paper examines 1,426 websites among 28,257 European domains, aiming to identify potential legal violations related to the storage of user consent.

Key Findings

The paper identifies several critical issues in the implementation of cookie banners:

  1. Consent Inconsistency: A significant number (141 websites) automatically register positive consent without any user interaction, challenging the premise of obtaining explicit user consent. Additionally, 236 websites pre-select consent options, and 27 websites store positive consent even after users explicitly opt out. This indicates a substantial discrepancy between the user interface of consent banners and the backend consent stored, highlighting potential non-compliance with GDPR and the ePrivacy Directive.
  2. Rate of Violations: At least one suspected legal violation was found in 54% of the analyzed sample (304 out of 560 sites), raising questions about the widespread compliance with data protection regulations across European websites.
  3. Shared Consent Mechanism: The paper investigates the shared cookie mechanism proposed by the TCF, which allows consent to be reused across different CMPs and publishers. This poses a risk of exacerbating non-compliance, as invalid consent can be proliferated among multiple sites. Three websites initially set positive consent before any user action in the shared cookie.
  4. Third-Party Tracking Requests: The paper documents a notable increase in third-party tracking requests both after positive consent and, alarmingly, after consent refusal. This suggests that denying consent does not significantly impact tracking practices, potentially nullifying user preferences.

Implications

The analysis sheds light on the substantial challenges faced by the current implementation of cookie banners compliant with the TCF. It emphasizes the shared responsibility between CMPs and publishers for non-compliance issues. The regulatory landscape must consider these findings to improve transparency and user agency over their data. Moreover, the paper speculates on future developments where a more integrated oversight by Data Protection Authorities (DPAs) could ensure adherence to regulations and enhance trust in digital advertising ecosystems.

Potential for Future Research

Future research could explore alternative frameworks for consent management that are less susceptible to manipulation or oversight failure. Additionally, detailed case studies of high-traffic websites with flawed consent mechanisms could offer granular insights into common pitfalls and lead to more robust compliance solutions.

In conclusion, this paper presents empirical evidence that calls for strengthened regulatory frameworks and suggests that current practices may undermine users' ability to control their personal data effectively. The development of enhanced compliance tools and proactive enforcement measures could mitigate these issues, restoring user confidence and aligning practices with legal requirements.