Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners
In this work, we analyze the legal requirements on how cookie banners are supposed to be implemented to be fully compliant with the e-Privacy Directive and the General Data Protection Regulation. Our contribution resides in the definition of seventeen operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is technically feasible. The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain expertise of computer scientists. In our work, we match each requirement against existing cookie banner designs on websites. For each requirement, we give examples of compliant and non-compliant cookie banners. As an outcome of a technical assessment, we verify per requirement whether technical (with computer science tools) or manual (with any human operator) verification is needed to assess compliance of consent, and we also show which requirements are impossible to verify with certainty in the current architecture of the Web. For example, we explain how the requirement for revocable consent could be implemented in practice: when consent is revoked, the publisher should delete the consent cookie and communicate the withdrawal to all third parties who have previously received consent. With this approach we aim to support practically-minded parties (compliance officers, regulators, researchers, and computer scientists) to assess compliance and detect violations in cookie banner design and implementation, especially under the current revision of the European Union e-Privacy framework.
Comment: 75 pages
Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners
In this paper, we describe how cookie banners, as a consent mechanism in web applications, should be designed and implemented to be compliant with the ePrivacy Directive and the GDPR, defining 22 legal requirements. While some are provided by legal sources, others result from the domain expertise of computer scientists. We perform a technical assessment of whether technical (with computer science tools), manual (with a human operator) or user-study verification is needed. We show that it is not possible to assess legal compliance for the majority of requirements because of the current architecture of the web. With this approach, we aim to support policy makers assessing compliance in cookie banners, especially under the current revision of the EU ePrivacy framework.
Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework
As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many such banners are implemented by Consent Management Providers (CMPs), who follow IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze the consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent, and we detect such violations by crawling 22 949 European websites. With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 141 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of violations for regular users and Data Protection Authorities.
4 Years of EU Cookie Law: Results and Lessons Learned
Personalized advertisement has changed the web. It lets websites monetize the content they offer. The downside is the continuous collection of personal information, with significant threats to personal privacy. In 2002, the European Union (EU) introduced a first set of regulations on the use of online tracking technologies. It aimed, among other things, to make online tracking mechanisms explicit to increase privacy awareness among users.
Amended in 2009, the EU Directive mandates websites to ask for informed consent before using any kind of profiling technology, e.g., cookies. Since 2013, the ePrivacy Directive became mandatory, and each EU Member State transposed it into national legislation. Since then, most European websites embed a “Cookie Bar”, the most visible effect of the regulation.
In this paper, we run a large-scale measurement campaign to check the current implementation status of the EU cookie directive. For this, we use CookieCheck, a simple tool to automatically verify legislation violations. Results depict a shady picture: 49 % of websites do not respect the Directive and install profiling cookies before any user’s consent is given.
Besides presenting a detailed picture, this paper casts light on the difficulty of legislators' attempts to regulate the troubled marriage between ad-supported web services and their users. In this picture, online privacy seems to be continuously at stake, and it is hard to reach transparency.