Privacy Policies and Consent Management Platforms: Growth and Users' Interactions over Time

TL;DR

This study analyzes how Consent Management Platforms and privacy banners have evolved under GDPR and related regulations, using longitudinal data from the HTTP Archive to track CMP adoption and the illlow.io dataset to examine user interactions. By merging CMP-domain lists and tracker lists, the authors quantify how CMPs proliferated across regions and how banner design influences user consent, including the prevalence of pre-consent tracking. The findings show substantial GDPR-driven growth in CMP adoption—especially in Europe—with notable country-level differences and a persistent gap where trackers are contacted before consent in many cases. The work highlights the impact of banner UX on consent decisions, reveals Android/iOS differences in acceptance rates, and emphasizes the need for improved enforcement, standardization, and more comprehensive web archiving to support true user privacy choices.

Abstract

In response to growing concerns about user privacy, legislators have introduced new regulations and laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) that force websites to obtain user consent before activating personal data collection, fundamental to providing targeted advertising. The cornerstone of this consent-seeking process involves the use of Privacy Banners, the technical mechanism to collect users' approval for data collection practices. Consent management platforms (CMPs) have emerged as practical solutions to make it easier for website administrators to properly manage consent, allowing them to outsource the complexities of managing user consent and activating advertising features. This paper presents a detailed and longitudinal analysis of the evolution of CMPs spanning nine years. We take a twofold perspective: Firstly, thanks to the HTTP Archive dataset, we provide insights into the growth, market share, and geographical spread of CMPs. Noteworthy observations include the substantial impact of GDPR on the proliferation of CMPs in Europe. Secondly, we analyse millions of user interactions with a medium-sized CMP present in thousands of websites worldwide. We observe how even small changes in the design of Privacy Banners have a critical impact on the user's giving or denying their consent to data collection. For instance, over 60% of users do not consent when offered a simple "one-click reject-all" option. Conversely, when opting out requires more than one click, about 90% of users prefer to simply give their consent. The main objective is in fact to eliminate the annoying privacy banner rather the make an informed decision. Curiously, we observe iOS users exhibit a higher tendency to accept cookies compared to Android users, possibly indicating greater confidence in the privacy offered by Apple devices.

Figures (16)

• Figure 1: Data processing and analysis workflow. The top part refers to the CMP adoption study. The bottom parts to the user behaviour study.
• Figure 2: The available banners introduced since July 2023 in the illow.io CMP. Figures showcase the pop-up style banners.
• Figure 3: Fraction of websites with/without a CMP and contacting potential trackers. HTTP-9Years Dataset of 11,819 websites that are present during the whole period in GDPR-regulated countries.
• Figure 4: Fraction of websites with a CMP for 5 European TLDs. HTTP-9Years Dataset of 11,819 websites that are present during the whole period, in GDPR-regulated countries.
• Figure 5: Fraction of websites with a CMP for different continents. HTTP-9Years Dataset of websites that are present during the whole period, in not GDPR-regulated countries.