User Tracking in the Post-cookie Era: How Websites Bypass GDPR Consent to Track Users

During the past few years, mostly as a result of the GDPR and the CCPA, websites have started to present users with cookie consent banners. These banners are web forms where the users can state their preference and declare which cookies they would like to accept, if such option exists. Although requesting consent before storing any identifiable information is a good start towards respecting the user privacy, yet previous research has shown that websites do not always respect user choices. Furthermore, considering the ever decreasing reliance of trackers on cookies and actions browser vendors take by blocking or restricting third-party cookies, we anticipate a world where stateless tracking emerges, either because trackers or websites do not use cookies, or because users simply refuse to accept any. In this paper, we explore whether websites use more persistent and sophisticated forms of tracking in order to track users who said they do not want cookies. Such forms of tracking include first-party ID leaking, ID synchronization, and browser fingerprinting. Our results suggest that websites do use such modern forms of tracking even before users had the opportunity to register their choice with respect to cookies. To add insult to injury, when users choose to raise their voice and reject all cookies, user tracking only intensifies. As a result, users' choices play very little role with respect to tracking: we measured that more than 75 users had the opportunity to make a selection in the cookie consent banner, or when users chose to reject all cookies.


The Hitchhiker's Guide to Facebook Web Tracking with Invisible Pixels and Click IDs

Over the past years, advertisement companies have used a variety of trac...

Characterising Third Party Cookie Usage in the EU after GDPR

The recently introduced General Data Protection Regulation (GDPR) requir...

Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking

Browser fingerprinting is a relatively new method of uniquely identifyin...

On Privacy Risks of Public WiFi Captive Portals

Open access WiFi hotspots are widely deployed in many public places, inc...

Clash of the Trackers: Measuring the Evolution of the Online Tracking Ecosystem

Websites are constantly adapting the methods used, and intensity with wh...

CookieEnforcer: Automated Cookie Notice Analysis and Enforcement

Online websites use cookie notices to elicit consent from the users, as ...

(Un)informed Consent: Studying GDPR Consent Notices in the Field

Since the adoption of the General Data Protection Regulation (GDPR) in M...

Please sign up or login with your details

Forgot password? Click here to reset