Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework
This is the first study that analyses what happens behind the scenes of cookie banners when a user gives consent to tracking. We systematically collect consent stored by cookie banners and measure GDPR and ePrivacy Directive suspected violations on hundreds of websites. As a result, we identified suspected violations on 54% of the websites we analysed.
About us
Authors: Célestin Matte, Nataliia Bielova (PRIVATICS Inria, Université Côte d'Azur, France) and Cristiana Santos (School of Law, University Toulouse 1-Capitole, SIRIUS Chair, France).
The study is part of the ANR PrivaWeb project.
Why do I see cookie banners?
The GDPR and the ePrivacy Directive require consent for online tracking. So, when EU users browse the Web, they see cookie banners asking for their choice regarding online tracking. In the cookie banner settings, the user can decide whether or not she gives consent to invisible data collection and tracking. EU websites rely on cookie banner providers to implement consent, but what happens behind the scenes of a cookie banner interface?
The screenshot shows the privacy settings of a cookie banner from a popular website for web developers, w3schools.com.
Who manages the cookie banners?
Websites often rely on third-party cookie banner providers to implement consent. Some of these providers, called Consent Management Providers (CMPs), implement the IAB Europe Transparency and Consent Framework (TCF) [1].
IAB Europe defines a specification of consent, which all such banners use. When a user expresses her choice, the cookie banner stores it in the browser and makes it available to the third-party advertisers present on the page. Advertisers rely on the stored consent to invisibly collect the user's data on the website.
What do I consent for in IAB Europe cookie banner?
When you make your choice in an IAB Europe cookie banner, you consent that your data will be invisibly collected and further used for up to five purposes, shown below. Each purpose is copied from the IAB Europe TCF website (v1.1), with the full description provided by IAB Europe.
Alongside the purposes, the cookie banner will include a list of up to 550 third-party advertisers that rely on the allowed purposes to collect your data as you browse the website.
1. Information storage and access: The storage of information, or access to information that is already stored, on your device such as advertising identifiers, device identifiers, cookies, and similar technologies.
2. Personalisation: The collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as on other websites or apps, over time. Typically, the content of the site or app is used to make inferences about your interests, which inform future selection of advertising and/or content.
3. Ad selection, delivery, reporting: The collection of information, and combination with previously collected information, to select and deliver advertisements for you, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about your interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether you took any action related to the advertisement, including for example clicking an ad or making a purchase. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise advertising and/or content for you in other contexts, such as websites or apps, over time.
4. Content selection, delivery, reporting: The collection of information, and combination with previously collected information, to select and deliver content for you, and to measure the delivery and effectiveness of such content. This includes using previously collected information about your interests to select content, processing data about what content was shown, how often or how long it was shown, when and where it was shown, and whether you took any action related to the content, including for example clicking on content. This does not include personalisation, which is the collection and processing of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, such as websites or apps, over time.
5. Measurement: The collection of information about your use of the content, and combination with previously collected information, used to measure, understand, and report on your usage of the service. This does not include personalisation, the collection of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts, i.e. on other services, such as websites or apps, over time.
Our tool: Cookie Glasses
For large-scale analysis of websites, we have implemented a crawler, called Cookinspect, based on a Selenium-instrumented Chromium, that detects what consent cookie banners store in the user's browser.
For end users, we have developed the Cookie Glasses browser extension that visualises the consent stored in the browser [2]. The extension interface shows all the purposes and all the third-party advertisers (called "vendors") that are stored in the consent on a website that uses cookie banners from IAB Europe.
The primary goal of the Cookie Glasses extension is to empower end users and Data Protection Authorities to investigate websites and detect when the consent stored by the website does not correspond to the choice made by the user.
The extension can be installed on Chrome and manually installed on Firefox [3]. Source code is available on GitHub.
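To make concrete what "the consent stored in the browser" looks like, here is an added example (not code from Cookie Glasses or Cookinspect) that builds and then parses a TCF v1.1 consent string: the base64url-encoded bitfield that records which purposes and which vendor ids the banner has set. The sample string is constructed here with assumed CMP id, timestamp and vendor list version; `is_positive_consent` is the check that underlies both the "consent stored before choice" and "non-respect of choice" findings described below, with "positive" defined here as at least one purpose or vendor allowed (an assumption of this example).

```python
import base64

# TCF v1.1 purpose ids, with the names this page uses for them.
PURPOSES = {1: "Information storage and access", 2: "Personalisation", 3: "Ad selection, delivery, reporting",
            4: "Content selection, delivery, reporting", 5: "Measurement"}

def encode_v1(purposes, vendors, max_vendor, cmp_id=7):
    """Build a v1.1 consent string (bitfield vendor encoding) to construct samples with."""
    f = lambda v, n: format(v, f"0{n}b")
    bits = (f(1, 6) + f(15694992000, 36) * 2 + f(cmp_id, 12) + f(1, 12) + f(1, 6)  # version, created/updated, CMP id/version, screen
            + f(4, 6) + f(13, 6) + f(150, 12)                                     # language "EN", vendor list version (assumed)
            + "".join("1" if p in purposes else "0" for p in range(1, 25))        # PurposesAllowed bitfield
            + f(max_vendor, 16) + "0"                                             # MaxVendorId, EncodingType 0 = bitfield
            + "".join("1" if v in vendors else "0" for v in range(1, max_vendor + 1)))
    bits += "0" * (-len(bits) % 8)
    return base64.urlsafe_b64encode(int(bits, 2).to_bytes(len(bits) // 8, "big")).decode().rstrip("=")

def decode_v1(consent):
    """Parse a v1.1 consent string into the purposes and vendor ids it allows."""
    raw = base64.urlsafe_b64decode(consent + "=" * (-len(consent) % 4))
    b, pos = "".join(format(byte, "08b") for byte in raw), 0
    def take(n):                       # read the next n bits as an unsigned int
        nonlocal pos
        pos += n
        return int(b[pos - n:pos], 2)
    version, created, updated, cmp_id = take(6), take(36), take(36), take(12)
    cmp_version, screen, lang = take(12), take(6), chr(65 + take(6)) + chr(65 + take(6))
    vl_version, purposes = take(12), {p for p in range(1, 25) if take(1)}
    max_vendor = take(16)
    if take(1) == 0:                   # bitfield: one bit per vendor id
        vendors = {v for v in range(1, max_vendor + 1) if take(1)}
    else:                              # range encoding: a default plus listed exceptions
        default, listed = take(1), set()
        for _ in range(take(12)):
            if take(1) == 0:
                listed.add(take(16))
            else:
                start, end = take(16), take(16)
                listed.update(range(start, end + 1))
        vendors = set(range(1, max_vendor + 1)) - listed if default else listed
    return {"version": version, "cmp_id": cmp_id, "language": lang, "created_ds": created,
            "vendor_list_version": vl_version, "purposes": purposes, "vendors": vendors}

def is_positive_consent(consent):
    """Assumed definition for this example: at least one purpose or one vendor is allowed."""
    d = decode_v1(consent)
    return bool(d["purposes"] or d["vendors"])

# Constructed sample: a banner granting purposes 1 and 5 to three vendors before any click.
SAMPLE = encode_v1(purposes={1, 5}, vendors={8, 52, 300}, max_vendor=500)
```

Running `decode_v1` on the `euconsent` cookie value of a site, before clicking anything in the banner, shows directly whether the stored consent matches the choice (or absence of choice) the user has made.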
Detected GDPR and ePrivacy suspected violations
During our September 2019 measurement of 22,949 websites from the EU domains, as well as .org and .com, with Cookinspect we first detected 1,426 websites containing cookie banners that implemented IAB Europe's TCF.
After an automatic analysis of these websites, we proceeded to a semi-automatic analysis of 560 websites from .uk, .fr, .it, .be, .ie and .com domains to detect violations that require human intervention.
We have detected four types of suspected violations in cookie banners implemented by CMPs in 304 websites. We explain how such behavior might violate GDPR and ePrivacy in Section III of our paper.
Suspected violation | Description | Number of websites analysed | Number of websites with violation |
---|---|---|---|
Consent stored before choice | The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request for consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet. | 1,426 | 141 (9.9%) |
No way to opt out | The banner does not offer a way to refuse consent. The most common case is a banner simply informing the users about the site’s use of cookies. | 560 | 38 (6.8%) |
Pre-selected choices | The banner gives user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to “accept”. | 508 | 236 (46.5%) |
Non-respect of choice | The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent. | 508 | 27 (5.3%) |
Consent stored before choice
Websites should wait for user’s decision before storing the user’s choice in the browser. We automatically identified 175 websites out of 1,426 containing cookie banners that store user's positive consent even before the user has made any choice!
The video shows how Cookie Glasses detects that a cookie banner provider stores a consent even though the user has not made any choice in the cookie banner on wired.co.uk. As a result, the user's data is allowed to be used by 375 third-party advertisers for two purposes: "Information storage and access" and "Measurement".
No way to opt out
Website owners should allow users to opt out of online tracking, and should provide options to refuse. This is not the case on 38 of the websites we tested: they did not allow the user to make an unambiguous choice when it comes to the collection of the user's data.
The video demonstrates this on a French website, radiofrance.fr. The cookie banner there doesn't allow users to refuse tracking, but once they click on "J'ai compris" ("I understand"), the user suddenly allows 565 different third-party advertisers to collect and use her data for all five purposes defined in the framework, including advertising, ad delivery and measurement.
Pre-selected choices
According to the EU regulators, and the recent European Court of Justice case (known as “Planet49 GmbH”), websites violate GDPR when they pre-select options in consent dialogs, such as cookie banners.
Out of 508 manually analysed websites that provided a way to opt out, we detected 236 websites (46.5%), where the banner gives users a choice between one or more purposes or third-party advertisers, but some of the purposes or advertisers are pre-selected and set to “accept”.
One example of such a violation appears on the video entertainment website fandom.com. All five purposes of data collection are allowed by default, and if the user doesn't pay attention and clicks "Save and close", then 47 different third-party advertisers are allowed to use the collected data for any purpose.
Non-respect of choice
Even though many cookie banners provide a meaningful choice to the users, some of them do not respect it. Some banners store a positive consent even if the user has explicitly opted out of all tracking. This practice can be considered deceptive as it results in accepting data collection against users' will.
Out of 508 manually analysed websites that provide a way to opt out, we detected 39 websites where the banner stores a positive consent, even if the user explicitly refuses consent via the cookie banner.
The website flashscore.com provides mechanisms to opt out in its privacy settings page. However, even when the user has explicitly de-selected all the checkboxes in the privacy settings, 544 third-party advertisers can still obtain a positive consent and use the collected data for any of the five purposes defined in the framework.
After all, who is responsible?
Notice that the consent is normally stored in the browser by the cookie banner provider. However, the website owner may alter the stored consent. Therefore, the responsibility for an erroneous stored consent is shared between the cookie banner provider and the website owner. More results on the CMPs and websites where each violation is detected can be found in our research paper.
Contact
For more information, please contact banners@inria.fr
[1] During our September 2019 measurements, we studied version 1 of the IAB Europe Transparency and Consent Framework (TCF). Version 2 of this framework was published in August 2019, and we have not observed its application in the wild.
[2] Notice that Cookie Glasses is only a partial implementation of Cookinspect. Cookie Glasses only intercepts consent that is passed via a postMessage API. Therefore, Cookie Glasses doesn't detect all violations that Cookinspect detects.
[3] The extension is under submission to the Mozilla web extensions store and this page will be updated when it is available.