research-article

Open access

A Study of GDPR Compliance under the Transparency and Consent Framework

Authors:

Michael Smith,

Antonio Torres-Agüero,

Riley Grossman,

Pritam Sen,

Yi Chen,

Cristian BorceaAuthors Info & Claims

WWW '24: Proceedings of the ACM Web Conference 2024

Pages 1227 - 1236

https://doi.org/10.1145/3589334.3645618

Published: 13 May 2024 Publication History

PDF eReader

Abstract

This paper presents a study of GDPR compliance under the Interactive Advertising Bureau Europe's Transparency and Consent Framework (TCF). This framework provides digital advertising market participants a standard for sharing users' privacy consent choices. TCF is widely used across the Internet, and this paper presents a thorough experimental evaluation of both the compliance of websites with TCF and its impact on user privacy. We reviewed 2,230 websites that use TCF and accepted the automatic decline of user consent by our data collection system. Unlike previous work on GDPR compliance, we found that most websites using TCF properly record the user's consent choice. However, we found that 72.8% of the websites that were TCF compliant claimed legitimate interest as a rationale for overriding the consent choice. While legitimate interest is legal under GDPR, previous studies have shown that most users disagreed with how it is being used to collect data. Additionally, analysis of cookies set to the browsers indicates that TCF may not fully protect user privacy even when websites are compliant. Our research provides regulators and publishers with a data collection and analysis system to monitor compliance, detect non-compliance, and examine questionable practices of circumventing user consent choices using legitimate interest.

Supplemental Material

MP4 File

video presentation

Download
1469.32 MB

MP4 File

Supplemental video

Download
40.97 MB

References

[1]

European Court of Justice [n. d.]. Opinion of Advocate General Szpunar delivered on 21 March 2019. Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH. Request for a preliminary ruling from the Bundesgerichtshof. Reference for a preliminary ruling - Directive 95/46/EC - Directive 2002/58/EC - Regulation (EU) 2016/679 - Processing of personal data and protection of privacy in the electronic communications sector - Cookies - Concept of consent of the data subject - Declaration of consent by means of a pre-ticked checkbox. Case C-673/17. European Court of Justice. Retrieved May 29th, 2023 from https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX: 62017CC0673

Abstract

Supplemental Material

References

Cited By

Index Terms

Recommendations

Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence

CSChecker: Revisiting GDPR and CCPA Compliance of Cookie Banners on the Web

GenAI-Powered Analysis of GIS App Privacy Policies for GDPR Compliance

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Badges

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Share

Share this Publication link

Share on social media

Affiliations