Are cookie banners indeed compliant with the law? Deciphering EU legal
requirements on consent and technical means to verify compliance of cookie
banners
In this work, we analyze the legal requirements on how cookie banners are
supposed to be implemented to be fully compliant with the e-Privacy Directive
and the General Data Protection Regulation. Our contribution resides in the
definition of seventeen operational and fine-grained requirements on cookie
banner design that are legally compliant, and moreover, we define whether and
when the verification of compliance of each requirement is technically
feasible. The definition of requirements emerges from a joint interdisciplinary
analysis composed of lawyers and computer scientists in the domain of web
tracking technologies. As such, while some requirements are provided by
explicitly codified legal sources, others result from the domain-expertise of
computer scientists. In our work, we match each requirement against existing
cookie banners design of websites. For each requirement, we exemplify with
compliant and non-compliant cookie banners. As an outcome of a technical
assessment, we verify per requirement if technical (with computer science
tools) or manual (with any human operator) verification is needed to assess
compliance of consent and we also show which requirements are impossible to
verify with certainty in the current architecture of the Web. For example, we
explain how the requirement for revocable consent could be implemented in
practice: when consent is revoked, the publisher should delete the consent
cookie and communicate the withdrawal to all third parties who have previously
received consent. With this approach we aim to support practically-minded
parties (compliance officers, regulators, researchers, and computer scientists)
to assess compliance and detect violations in cookie banner design and
implementation, specially under the current revision of the European Union
e-Privacy framework.Comment: 75 page