Measuring Compliance of Consent Revocation on the Web

Gayatri Priyadarsini Kancherla, Nataliia Bielova, Cristiana Santos, Abhishek Bichhawat

TL;DR

This study provides the first large-scale audit of consent revocation on the Web under the GDPR, evaluating the ease of revoking consent, the deletion of advertising and analytics (AA) cookies, storage consistency, and third-party notification. Using semi-automated crawling on the top-200 sites and a broader CMP-focused dataset (281 sites), the authors reveal substantial non-compliance: revocation interfaces are difficult or inconsistent on nearly 20% of sites, many sites fail to delete AA cookies after revocation, and a large share of third parties remain uninformed of revocation. The work also uncovers widespread inconsistencies between storage and APIs (TCStrings and OneTrust encodings) and reports that a majority of revocation signals do not reach all third parties, creating risks of unlawful data processing. The authors offer concrete regulatory and technical recommendations, including standardized revocation interfaces, storage practices, and signaling mechanisms to improve enforcement and the realization of user rights.

Abstract

The GDPR requires websites to facilitate the right to revoke consent from Web users. While numerous studies measured compliance of consent with the various consent requirements, no prior work has studied consent revocation on the Web. Therefore, it remains unclear how difficult it is to revoke consent on the websites' interfaces, and whether revoked consent is properly stored and communicated behind the user interface. Our work aims to fill this gap by measuring compliance of consent revocation on the Web on the top-200 websites. We found that 19.87% of websites make it difficult for users to revoke consent throughout different interfaces, 20.5% of websites require more effort than acceptance, and 2.48% do not provide consent revocation at all, thus violating legal requirements for valid consent. 57.5% of websites do not delete the cookies after consent revocation, enabling continuous illegal processing of users' data. Moreover, we analyzed 281 websites implementing the IAB Europe TCF, and found 22 websites that store a positive consent despite the user's revocation. Surprisingly, we found that on 101 websites, third parties that have received consent upon the user's acceptance are not informed of the user's revocation, leading to the illegal processing of users' data by such third parties. Our findings emphasise the need for improved legal compliance of consent revocation, and proper, consistent, and uniform implementation of revocation communication and data deletion practices.
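To make the "positive consent stored despite revocation" finding concrete, the following added example (not the paper's code) decodes the consent bits of an IAB Europe TCF v2 TC string and reports consent that survives revocation. The function names are hypothetical, the TC strings are constructed inside the block, and only bitfield-encoded vendor sections are handled.

```python
import string

# base64url alphabet; each TC string character carries 6 bits.
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"
# Widths of the TCF v2 core fields before PurposesConsent
# (Version, Created, LastUpdated, CmpId, CmpVersion, ConsentScreen,
#  ConsentLanguage, VendorListVersion, TcfPolicyVersion, IsServiceSpecific,
#  UseNonStandardStacks, SpecialFeatureOptIns).
PURPOSES_OFFSET = sum([6, 36, 36, 12, 12, 6, 12, 12, 6, 1, 1, 12])  # 152
# Skip PurposesConsent, PurposesLITransparency, PurposeOneTreatment, PublisherCC.
VENDOR_OFFSET = PURPOSES_OFFSET + 24 + 24 + 1 + 12  # MaxVendorId starts here

def decode_consent(tc_string):
    """Return (purposes, vendors) holding consent in a TCF v2 core segment."""
    core = tc_string.split(".")[0]  # later segments are not needed here
    bits = "".join(f"{_ALPHABET.index(c):06b}" for c in core)
    if int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 TC string")
    purposes = {p for p in range(1, 25) if bits[PURPOSES_OFFSET + p - 1] == "1"}
    max_vendor = int(bits[VENDOR_OFFSET:VENDOR_OFFSET + 16], 2)
    if bits[VENDOR_OFFSET + 16] == "1":
        raise NotImplementedError("range-encoded vendor section not handled")
    first = VENDOR_OFFSET + 17
    vendors = {v for v in range(1, max_vendor + 1) if bits[first + v - 1] == "1"}
    return purposes, vendors

def residual_consent(after_accept, after_revoke):
    """Consent granted at acceptance that the post-revocation string still holds."""
    p_acc, v_acc = decode_consent(after_accept)
    p_rev, v_rev = decode_consent(after_revoke)
    return sorted(p_acc & p_rev), sorted(v_acc & v_rev)

def build_sample(purposes, vendors, max_vendor=8):
    """Constructed input: v2 core segment cut off after the vendor consent bitfield."""
    bits = f"{2:06b}" + "0" * (PURPOSES_OFFSET - 6)
    bits += "".join("1" if p in purposes else "0" for p in range(1, 25))
    bits += "0" * (24 + 1 + 12) + f"{max_vendor:016b}" + "0"  # IsRangeEncoding = 0
    bits += "".join("1" if v in vendors else "0" for v in range(1, max_vendor + 1))
    bits += "0" * (-len(bits) % 6)
    return "".join(_ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))

if __name__ == "__main__":
    accepted = build_sample({1, 2, 3, 4}, {1, 5})
    revoked = build_sample({1, 3}, {5})  # constructed non-compliant case
    print(residual_consent(accepted, revoked))
```

An empty result for both lists means the stored string no longer carries any consent that was granted at acceptance; it says nothing about legitimate-interest bits, which this check does not read.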

Paper Structure

This paper contains 47 sections, 7 figures, 12 tables.

Figures (7)

  • Figure 1: Data collection pipeline: to address RQ1, we collect screenshots and label a website as shown in violet boxes; for RQ2 we collect cookies at each stage and also at Rejection stage in a similar way (not shown in this figure).
  • Figure 2: Data collection pipeline: to address RQ3 (validity and consistency of consent), the collected sets of consent strings are highlighted in orange, while for RQ4 (access and communication of consent to 3rd-parties), the sets of scripts parties involved in the communication of consent are highlighted in violet. The objects in green represent our methods for collecting the data, and the boxes in yellow are further described in Table \ref{tab:parsing}.
  • Figure 3: Revocation methods on top 158 websites
  • Figure 4: Change in the number of advertising and analytics (AA) cookies across different options
  • Figure 5: Top 15 third-parties not informed of the revoked consent via HTTP requests and the number of websites including these scripts but not informing them of revocation.
  • ...and 2 more figures