Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

02/02/2022
by Zengrui Liu, et al.

Data protection regulations, such as GDPR and CCPA, require websites and embedded third parties, especially advertisers, to seek user consent before they can collect and process user data. Only when users opt in can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected. However, neither the websites nor the regulators currently have any mechanism to audit advertisers' compliance with the user consent, i.e., to determine whether advertisers indeed do not collect, process, and share user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate two of the most widely deployed CMPs, i.e., OneTrust and CookieBot, as well as advertiser-offered opt-out controls, i.e., National Advertising Initiative's opt-out, under GDPR and CCPA, arguably two of the most mature data protection regulations. Our results indicate that user data is unfortunately still being collected, processed, and shared even when users opt out. Our findings suggest that several prominent advertisers (e.g., AppNexus, PubMatic) might be in potential violation of GDPR and CCPA. Overall, our work casts doubt on whether regulations are effective at protecting users' online privacy.


