Section: New Results

Measuring Legal Compliance of Cookie Banners

Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

In this work, we analyze the legal requirements on how cookie banners are supposed to be implemented to be fully compliant with the ePrivacy Directive and the GDPR.

Our contribution resides in the definition of 17 operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is technically feasible.

The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners design of websites. For each requirement, we exemplify with compliant and non-compliant cookie banners.

As an outcome of a technical assessment, we verify per requirement if technical (with computer science tools) or manual (with any human operator) verification is needed to assess compliance of consent and we also show which requirements are impossible to verify with certainty in the current architecture of the Web. For example, we explain how the GDPR’s requirement for revocable consent could be implemented in practice: when consent is revoked, the publisher should delete the consent cookie and communicate the withdrawal to all third parties who have previously received consent.

With this approach we aim to support practically-minded parties (compliance officers, regulators, privacy NGOs, researchers, and computer scientists) to assess compliance and detect violations in cookie banners’ design and implementation, specially under the current revision of the EU ePrivacy framework.

This working paper is submitted for publication.

Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework

As a result of the GDPR and the ePrivacy Directive, (known as “cookie law”), European users encounter cookie banners on almost every website. Many of such banners are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 22 949 European websites.

With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 175 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 39 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them.

Finally, we provide a browser extension called "Cookie Glasses" to facilitate manual detection of violations for regular users and Data Protection Authorities.

This working paper is submitted for publication at an international conference.