Table of Contents
Fetching ...

Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

Zengrui Liu, Umar Iqbal, Nitesh Saxena

TL;DR

The paper tackles whether GDPR/CCPA protections suffice when consent is claimed via CMPs but advertisers still process or sell data. It presents an automated auditing framework using OpenWPM to simulate 16 user personas and opt-out/opt-in flows, measuring advertiser bidding and cookie syncing as proxies for non-compliance. Across four CMPs (Didomi, Quantcast, OneTrust, CookieBot) and advertiser opt-out controls (NAI), the study finds frequent data usage and sharing despite opt-out, with CMPs and opt-out mechanisms showing variable effectiveness by regulation. The work underscores the need for improved enforcement, standardized consent conveyance, and greater transparency, while offering to release code and datasets for broader auditing.

Abstract

Data protection regulations, such as GDPR and CCPA, require websites and embedded third-parties, especially advertisers, to seek user consent before they can collect and process user data. Only when the users opt in, can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected. However, neither the websites nor the regulators currently have any mechanism to audit advertisers' compliance with the user consent, i.e., to determine if advertisers indeed do not collect, process, and share user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess the violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate four of the most widely deployed CMPs, i.e., Didomi, Quantcast, OneTrust, and CookieBot, as well as advertiser-offered opt-out controls, i.e., National Advertising Initiative's opt-out, under GDPR and CCPA. Our results indicate that in many cases user data is unfortunately still being collected, processed, and shared even when users opt-out. We also find that some CMPs are better than the others at conveying user consent and that several ad platforms ignore user consent. Our results also indicate that advertiser-offered opt-out are equally ineffective at protecting user privacy.

Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

TL;DR

The paper tackles whether GDPR/CCPA protections suffice when consent is claimed via CMPs but advertisers still process or sell data. It presents an automated auditing framework using OpenWPM to simulate 16 user personas and opt-out/opt-in flows, measuring advertiser bidding and cookie syncing as proxies for non-compliance. Across four CMPs (Didomi, Quantcast, OneTrust, CookieBot) and advertiser opt-out controls (NAI), the study finds frequent data usage and sharing despite opt-out, with CMPs and opt-out mechanisms showing variable effectiveness by regulation. The work underscores the need for improved enforcement, standardized consent conveyance, and greater transparency, while offering to release code and datasets for broader auditing.

Abstract

Data protection regulations, such as GDPR and CCPA, require websites and embedded third-parties, especially advertisers, to seek user consent before they can collect and process user data. Only when the users opt in, can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected. However, neither the websites nor the regulators currently have any mechanism to audit advertisers' compliance with the user consent, i.e., to determine if advertisers indeed do not collect, process, and share user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess the violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate four of the most widely deployed CMPs, i.e., Didomi, Quantcast, OneTrust, and CookieBot, as well as advertiser-offered opt-out controls, i.e., National Advertising Initiative's opt-out, under GDPR and CCPA. Our results indicate that in many cases user data is unfortunately still being collected, processed, and shared even when users opt-out. We also find that some CMPs are better than the others at conveying user consent and that several ad platforms ignore user consent. Our results also indicate that advertiser-offered opt-out are equally ineffective at protecting user privacy.
Paper Structure (45 sections, 3 figures, 26 tables)

This paper contains 45 sections, 3 figures, 26 tables.

Figures (3)

  • Figure 1: OneTrust's consent management dialog for GDPR and CCPA.
  • Figure 2: High level overview of our framework to audit regulatory compliance. (1) We use OpenWPM Englehardt16MillionSiteMeasurementCCS to automatically visit top-50 websites from 16 different interest categories to simulate 16 user interest personas. (2) We filter top websites that support opt-outs through Didomi, Quantcast, OneTrust, and CookieBot under GDPR and CCPA and also support header bidding through prebid.jsprebid. (3) We then visit the filtered websites with user interest personas, opt-out of data processing and selling, and collect bids and network requests from advertisers. (4) We then analyze the collected bids and network requests to infer data processing and selling from advertisers.
  • Figure 3: Quantcast's consent management dialog for GDPR and CCPA.