Legal frameworks like Europe's General Data Protection Regulation (GDPR) require websites and associated third parties to get consent before collecting and processing personal data. To help website operators comply with that requirement, vendors like Didomi, Quantcast, OneTrust, and Usercentrics offer what's known as a consent management platform (CMP).
These firms provide software that websites use to prompt visitors to accept or reject cookies in order to control how personal information gets handled. They claim their respective CMPs allow companies to comply with privacy laws in the US, EU, UK, Brazil, South Africa, Singapore, and elsewhere.
As Germany-based Usercentrics puts it: "Surveillance on the internet is real and pervasive – using a consent management platform can make your website a safe private space."
Yet computer scientists Zengrui Liu (Texas A&M University), Umar Iqbal (University of Washington), and Nitesh Saxena (Texas A&M University) devised an auditing mechanism to test the effectiveness of CMP-based opt-out controls and found these platforms don't necessarily ensure compliance with GDPR and CCPA requirements.
They describe their findings in a paper [PDF] titled "Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?"
Spoiler alert: No.
"Our results indicate that in many cases user data is unfortunately still being collected, processed, and shared even when users opt out," the researchers state in their paper. "Our findings suggest that several prominent advertisers might be in potential violation of GDPR and CCPA."
Opt-out under the law thus is not all that different from "Do Not Track" – a web specification that let browser users signal that they did not want to be tracked, with no consequences for sites that ignored that preference.
The researchers devised a way to audit opt-out compliance using OpenWPM, an open source web privacy measurement framework. The process involved visiting the top 50 websites in each of 16 interest categories (computers, news, sports, and so on) to simulate user interest personas.
They focused on top websites that support both header bidding through prebid.js and opting out using CMPs from Didomi, Quantcast, OneTrust, and Usercentrics (CookieBot) tuned for GDPR and CCPA compliance.
"Our findings in general cast a serious doubt on the effectiveness of regulations as a sole means of privacy protection," the researchers conclude. "Specifically, even after users opt out through CMPs, their data may still be used and shared by advertisers. Unfortunately, in order to fully protect privacy, users still need to rely on privacy-enhancing tools, such as ad/tracker blocking browser extensions and privacy-focused browsers (e.g., Brave Browser)."
Yet this is asking too much of internet users, the researchers argue. Regulators need to step up enforcement and work on detecting law violations at scale.
Date Published: 4 March, 2023