Breaking the illusion: Automated Reasoning of GDPR Consent Violations
Ying Li, Wenjun Qiu, Faysal Hossain Shezan, Kunlin Cai, Michelangelo van Dam, Lisa Austin, David Lie, Yuan Tian
TL;DR
This work presents Cosmic, an automated framework for detecting GDPR consent violations in website web forms. It combines privacy-policy retrieval and analysis, goal-driven web navigation, vision-language based form extraction, and a DSL that encodes forms for formal reasoning with GDPR-derived Datalog rules. The system detects violations by applying nine GDPR-consent properties to DSL-derived facts, reporting precise locations and justification. On 5,823 websites and 3,598 forms, Cosmic uncovered 3,384 consent violations (93.1% of forms examined) with high accuracy (TPR $98.6\%$, TNR $99.1\%$) and demonstrates the practicality and scalability of automated, formal consent auditing. The DSL+Datalog approach enables extension to other privacy regulations, providing a pathway toward robust, UI-level compliance verification for web applications.
Abstract
Recent privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have established legal requirements for obtaining user consent regarding the collection, use, and sharing of personal data. These regulations emphasize that consent must be informed, freely given, specific, and unambiguous. However, there are still many violations, which highlight a gap between legal expectations and actual implementation. Consent mechanisms embedded in functional web forms across websites play a critical role in ensuring compliance with data protection regulations such as the GDPR and CCPA, as well as in upholding user autonomy and trust. However, current research has primarily focused on cookie banners and mobile app dialogs. These forms are diverse in structure, vary in legal basis, and are often difficult to locate or evaluate, creating a significant challenge for automated consent compliance auditing. In this work, we present Cosmic, a novel automated framework for detecting consent-related privacy violations in web forms. We evaluate our developed tool for auditing consent compliance in web forms, across 5,823 websites and 3,598 forms. Cosmic detects 3,384 violations on 94.1% of consent forms, covering key GDPR principles such as freely given consent, purpose disclosure, and withdrawal options. It achieves 98.6% and 99.1% TPR for consent and violation detection, respectively, demonstrating high accuracy and real-world applicability.
