Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Privacy Policies and Consent Management Platforms: Growth and Users' Interactions over Time (2402.18321v2)

Published 28 Feb 2024 in cs.CY

Abstract: In response to growing concerns about user privacy, legislators have introduced new regulations and laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) that force websites to obtain user consent before activating personal data collection, fundamental to providing targeted advertising. The cornerstone of this consent-seeking process involves the use of Privacy Banners, the technical mechanism to collect users' approval for data collection practices. Consent management platforms (CMPs) have emerged as practical solutions to make it easier for website administrators to properly manage consent, allowing them to outsource the complexities of managing user consent and activating advertising features. This paper presents a detailed and longitudinal analysis of the evolution of CMPs spanning nine years. We take a twofold perspective: Firstly, thanks to the HTTP Archive dataset, we provide insights into the growth, market share, and geographical spread of CMPs. Noteworthy observations include the substantial impact of GDPR on the proliferation of CMPs in Europe. Secondly, we analyse millions of user interactions with a medium-sized CMP present in thousands of websites worldwide. We observe how even small changes in the design of Privacy Banners have a critical impact on the user's giving or denying their consent to data collection. For instance, over 60% of users do not consent when offered a simple "one-click reject-all" option. Conversely, when opting out requires more than one click, about 90% of users prefer to simply give their consent. The main objective is in fact to eliminate the annoying privacy banner rather the make an informed decision. Curiously, we observe iOS users exhibit a higher tendency to accept cookies compared to Android users, possibly indicating greater confidence in the privacy offered by Apple devices.

PDF HTML Abstract
Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (50)
  1. 2024. AdGuard. https://adguard.com/, Accessed on February 28, 2024..
  2. 2024. EasyPrivacy. https://easylist.to/easylist/easyprivacy.txt, Accessed on February 28, 2024..
  3. 2024. HTTP Archive. https://httparchive.org/, Accessed on February 28, 2024..
  4. 2024. HTTP Archive open dataset used for CMP analysis. https://smartdata.polito.it/consent-management-platforms-growth-and-users-interactions-over-time/, Accessed on February 28, 2024..
  5. 2024. Wappalyzer. https://www.wappalyzer.com/, Accessed on February 28, 2024.).
  6. 2024. WhoTracks.me. https://whotracks.me/, Accessed on February 28, 2024..
  7. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 674–689.
  8. Susanne Barth and Menno D.T. de Jong. 2017. The privacy paradox – Investigating discrepancies between expressed privacy concerns and actual online behavior – A systematic literature review. Telematics and Informatics 34, 7 (2017), 1038–1058. https://doi.org/10.1016/j.tele.2017.04.013
  9. Are you sure, you want a cookie?–The effects of choice architecture on users’ decisions about sharing private online data. Computers in Human Behavior 120 (2021), 106729.
  10. Brazilian President of the Republic. 2018. Lei Geral de Proteção de Dados Pessoais. http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709compilado.htm, Accessed on February 28, 2024..
  11. California State Legislature. 2018. California Consumer Privacy Act of 2018. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375, Accessed on February 28, 2024..
  12. Council of European Union. 2009. Directive 2009/136/EC amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32009L0136, Accessed on February 28, 2024..
  13. Personality and social framing in privacy decision-making: A study on cookie acceptance. Frontiers in psychology 7 (2016), 1341.
  14. Measuring Cookies and Web Privacy in a Post-GDPR World. In Passive and Active Measurement, David Choffnes and Marinho Barcellos (Eds.). Springer International Publishing, Cham, 258–270.
  15. Data Protection Authorities of Germany. 2024. Orientierungshilfe der Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder vom 20. Dezember 2021 . https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf, Accessed on February 28, 2024..
  16. We Value Your Privacy… Now Take Some Cookies. Informatik Spektrum 42, 5 (2019), 345–346.
  17. Deloitte. 2020. Cookie Benchmark Study. https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/risk/deloitte-nl-risk-cookie-benchmark-study.pdf, Accessed on February 28, 2024..
  18. The impact of user location on cookie notices (inside and outside of the European union). In Workshop on Technology and Consumer Protection (ConPro’19).
  19. Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 1388–1401.
  20. Online advertising: Analysis of privacy threats and protection approaches. Computer Communications 100 (2017), 32–51.
  21. European Parliament and Council of European Union. 2016. Directive 95/46/EC. General Data Protection Regulation. http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf, Accessed on February 28, 2024..
  22. Jens Grossklags and Nathan Good. 2007. Empirical studies on software notices to inform policy makers and usability designers. In International Conference on Financial Cryptography and Data Security. Springer, 341–355.
  23. “Okay, whatever”’: An Evaluation of Cookie Consent Interfaces. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems. 1–27.
  24. ”It’s a scavenger hunt”: Usability of Websites’ Opt-Out and Data Deletion Choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (¡conf-loc¿, ¡city¿Honolulu¡/city¿, ¡state¿HI¡/state¿, ¡country¿USA¡/country¿, ¡/conf-loc¿) (CHI ’20). Association for Computing Machinery, New York, NY, USA, 1–12. https://doi.org/10.1145/3313831.3376511
  25. Philip Hausner and Michael Gertz. 2021. Dark Patterns in the Interaction with Cookie Banners. arXiv preprint arXiv:2103.14956 (2021).
  26. Measuring the Emergence of Consent Management on the Web. In Proceedings of the ACM Internet Measurement Conference (Virtual Event, USA) (IMC ’20). Association for Computing Machinery, New York, NY, USA, 317–332. https://doi.org/10.1145/3419394.3423647
  27. Italian Data Protection Authority. 2024. Chiarimenti in merito all’attuazione della normativa in materia di cookie. https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4006878, Accessed on February 28, 2024..
  28. I Refuse if You Let Me: Studying User Behavior with Privacy Banners at Scale. In 2023 7th Network Traffic Measurement and Analysis Conference (TMA). 1–9. https://doi.org/10.23919/TMA58422.2023.10198936
  29. The Internet with privacy policies: Measuring the Web upon consent. ACM Transactions on the Web (TWEB) 16, 3 (2022), 1–24.
  30. Cookie Banners and Privacy Policies: Measuring the Impact of the GDPR on the Web. ACM Trans. Web 15, 4, Article 20 (jul 2021), 42 pages. https://doi.org/10.1145/3466722
  31. “So I Sold My Soul”: Effects of Dark Patterns in Cookie Notices on End-User Behavior and Perceptions. In Proceedings of 2022 Symposium on Usable Security and Privacy. Internet society.
  32. The Privacy Policy Landscape After the GDPR. Proceedings on Privacy Enhancing Technologies 2020, 1 (2020), 47–64.
  33. Do Cookie Banners Respect my Choice? : Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework. In 2020 IEEE Symposium on Security and Privacy (SP). 791–809. https://doi.org/10.1109/SP40000.2020.00076
  34. Jonathan R Mayer and John C Mitchell. 2012. Third-party web tracking: Policy and technology. In 2012 IEEE symposium on security and privacy. IEEE, 413–427.
  35. The online tracking horde: a view from passive measurements. In International Workshop on Traffic Monitoring and Analysis. Springer, 111–125.
  36. National Assembly of Québec. 2021. An Act to modernize legislative provisions as regards the protection of personal information. https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2021/2021C25A.PDF, Accessed on February 28, 2024..
  37. Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI ’20). Association for Computing Machinery, New York, NY, USA, 1–13. https://doi.org/10.1145/3313831.3376321
  38. User Tracking in the Post-Cookie Era: How Websites Bypass GDPR Consent to Track Users. Association for Computing Machinery, New York, NY, USA, 2130–2141.
  39. Parliament of Canada. 2000. Personal Information Protection and Electronic Documents Act . https://laws-lois.justice.gc.ca/eng/acts/p-8.6/, Accessed on February 28, 2024..
  40. Parliament of Canada. 2023. An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. https://www.parl.ca/legisinfo/en/bill/44-1/c-27, Accessed on February 28, 2024..
  41. Annoyed users: Ads and ad-block usage in the wild. In Proceedings of the 2015 Internet Measurement Conference. 93–106.
  42. Van Bavel R and Rodriguez Priego N. 2016. Testing the Effect of the Cookie Banners on Behaviour. LF-NA-28287-EN-N (2016). https://doi.org/10.2791/22197
  43. Unveiling web fingerprinting in the wild via code mining and machine learning. Proceedings on Privacy Enhancing Technologies 2021, 1 (2021), 43–63.
  44. Can I Opt Out Yet? GDPR and the Global Illusion of Cookie Control. In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (Auckland, New Zealand) (Asia CCS ’19). Association for Computing Machinery, New York, NY, USA, 340–351. https://doi.org/10.1145/3321705.3329806
  45. What Cookie Consent Notices Do Users Prefer: A Study In The Wild. In Proceedings of the 2022 European Symposium on Usable Security. 28–39.
  46. Online privacy concerns associated with cookies, flash cookies, and web beacons. Journal of internet commerce 10, 1 (2011), 1–16.
  47. Circumvention by Design - Dark Patterns in Cookie Consent for Online News Outlets. In Proceedings of the 11th Nordic Conference on Human-Computer Interaction: Shaping Experiences, Shaping Society (Tallinn, Estonia) (NordiCHI ’20). Association for Computing Machinery, New York, NY, USA, Article 19, 12 pages. https://doi.org/10.1145/3419249.3420132
  48. 4 Years of EU Cookie Law: Results and Lessons Learned. Proc. Priv. Enhancing Technol. 2019, 2 (2019), 126–145.
  49. (Un)Informed Consent: Studying GDPR Consent Notices in the Field. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (London, United Kingdom) (CCS ’19). Association for Computing Machinery, New York, NY, USA, 973–990. https://doi.org/10.1145/3319535.3354212
  50. Why we can’t be bothered to read privacy policies models of privacy economics as a lemons market. In Proceedings of the 5th international conference on Electronic commerce. 403–407.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (5)
  1. Nikhil Jha (10 papers)
  2. Martino Trevisan (18 papers)
  3. Marco Mellia (28 papers)
  4. Daniel Fernandez (17 papers)
  5. Rodrigo Irarrazaval (1 paper)