Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

12/16/2019
by   Cristiana Santos, et al.
0

In this work, we analyze the legal requirements on how cookie banners are supposed to be implemented to be fully compliant with the e-Privacy Directive and the General Data Protection Regulation. Our contribution resides in the definition of seventeen operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is technically feasible. The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners design of websites. For each requirement, we exemplify with compliant and non-compliant cookie banners. As an outcome of a technical assessment, we verify per requirement if technical (with computer science tools) or manual (with any human operator) verification is needed to assess compliance of consent and we also show which requirements are impossible to verify with certainty in the current architecture of the Web. For example, we explain how the requirement for revocable consent could be implemented in practice: when consent is revoked, the publisher should delete the consent cookie and communicate the withdrawal to all third parties who have previously received consent. With this approach we aim to support practically-minded parties (compliance officers, regulators, researchers, and computer scientists) to assess compliance and detect violations in cookie banner design and implementation, specially under the current revision of the European Union e-Privacy framework.

READ FULL TEXT

page 14

page 19

page 21

page 25

page 29

page 36

page 40

page 41

research
08/18/2022

Understanding the Implementation of Technical Measures in the Process of Data Privacy Compliance: A Qualitative Study

Modern privacy regulations, such as the General Data Protection Regulati...
research
11/22/2019

Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework

As a result of the GDPR and the ePrivacy Directive, European users encou...
research
12/15/2022

The Data Protection Officer, an ubiquitous role nobody really knows

Among all cybersecurity and privacy workers, the Data Protection Officer...
research
02/27/2023

Priorities for more effective tech regulation

Ample research has demonstrated that compliance with data protection pri...
research
04/14/2021

Consent Management Platforms under the GDPR: processors and/or controllers?

Consent Management Providers (CMPs) provide consent pop-ups that are emb...
research
07/14/2018

Eavesdropping Whilst You're Shopping: Balancing Personalisation and Privacy in Connected Retail Spaces

Physical retailers, who once led the way in tracking with loyalty cards ...
research
05/13/2022

The Case for a Legal Compliance API for the Enforcement of the EU's Digital Services Act on Social Media Platforms

In the course of under a year, the European Commission has launched some...

Please sign up or login with your details

Forgot password? Click here to reset