Do Cookie Banners Respect my Choice?: Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework

As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many such banners are implemented by Consent Management Providers (CMPs) that follow IAB Europe’s Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe’s TCF and analyze the consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify potential legal violations in implementations of cookie banners based on the storage of consent, and we detect such suspected violations by crawling 1 426 websites that contain TCF banners, found among 28 257 crawled European websites. With two automatic and semi-automatic crawl campaigns, we detect suspected violations and find that: 141 websites register positive consent even if the user has not made their choice; 236 websites nudge users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one suspected violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of suspected violations for regular users and Data Protection Authorities.
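The storage-level checks the abstract describes (positive consent registered before any choice, and after an explicit opt-out) can be run on the consent string a CMP stores; the following is an added example, not code from the paper or its browser extension, and it assumes the TCF v1.1 consent string layout (v2 strings are laid out differently). The encoder at the end is a constructed test helper that zeroes timestamps and CMP ids.

```python
import base64

# TCF v1.1 consent string, bit offsets in the decoded bitfield (assumed layout):
#   0-5 version, 6-41 created, 42-77 lastUpdated, 78-89 cmpId, 90-101 cmpVersion,
#   102-107 consentScreen, 108-119 consentLanguage, 120-131 vendorListVersion,
#   132-155 purposesAllowed (bit k-1 set => purpose k), 156-171 maxVendorId,
#   172 encodingType (0 = bitfield, 1 = range section), 173.. vendor consents.

def _bits(consent_string):
    """Unpadded web-safe base64 -> string of '0'/'1' characters."""
    raw = base64.urlsafe_b64decode(consent_string + "=" * (-len(consent_string) % 4))
    return "".join(f"{byte:08b}" for byte in raw)

def decode_tcf_v1(consent_string):
    """Return the version, the consented purposes and the consented vendor ids."""
    b = _bits(consent_string)
    field = lambda start, n: int(b[start:start + n], 2)
    purposes = {k + 1 for k, c in enumerate(b[132:156]) if c == "1"}
    max_vendor = field(156, 16)
    if field(172, 1) == 0:                      # bitfield: one bit per vendor id
        vendors = {k + 1 for k, c in enumerate(b[173:173 + max_vendor]) if c == "1"}
    else:                                       # range section: defaultConsent, numEntries, entries
        default, pos, listed = field(173, 1), 186, set()
        for _ in range(field(174, 12)):
            if field(pos, 1) == 0:              # single vendor id
                listed.add(field(pos + 1, 16)); pos += 17
            else:                               # inclusive start..end range
                listed.update(range(field(pos + 1, 16), field(pos + 17, 16) + 1)); pos += 33
        vendors = listed if default == 0 else set(range(1, max_vendor + 1)) - listed
    return {"version": field(0, 6), "purposes": purposes, "vendors": vendors}

def suspected_violations(before_choice, after_refusal):
    """Flag positive consent stored before any user interaction or after refusal.
    Either argument may be None when no consent string was observed at that point."""
    findings = []
    for label, cs in (("before user choice", before_choice), ("after explicit opt-out", after_refusal)):
        if cs is None:
            continue
        d = decode_tcf_v1(cs)
        if d["purposes"] or d["vendors"]:
            findings.append(f"positive consent stored {label}: purposes={sorted(d['purposes'])}, "
                            f"vendors={len(d['vendors'])}")
    return findings

def encode_tcf_v1(purposes, vendors, max_vendor):
    """Constructed test helper: bitfield-encoded v1 string, timestamps and ids zeroed."""
    bits = f"{1:06b}".ljust(132, "0")                       # version 1, header fields zero
    bits += "".join("1" if k in purposes else "0" for k in range(1, 25))
    bits += f"{max_vendor:016b}" + "0"                       # maxVendorId, bitfield encoding
    bits += "".join("1" if v in vendors else "0" for v in range(1, max_vendor + 1))
    bits = bits.ljust(-(-len(bits) // 8) * 8, "0")
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
```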
