TY - GEN
T1 - A Study of GDPR Compliance under the Transparency and Consent Framework
AU - Smith, Michael
AU - Torres-Agüero, Antonio
AU - Grossman, Riley
AU - Sen, Pritam
AU - Chen, Yi
AU - Borcea, Cristian
N1 - Publisher Copyright:
© 2024 Owner/Author.
PY - 2024/5/13
Y1 - 2024/5/13
N2 - This paper presents a study of GDPR compliance under the Interactive Advertising Bureau Europe's Transparency and Consent Framework (TCF). This framework provides digital advertising market participants a standard for sharing users' privacy consent choices. TCF is widely used across the Internet, and this paper presents a thorough experimental evaluation of both the compliance of websites with TCF and its impact on user privacy. We reviewed 2,230 websites that use TCF and accepted the automatic decline of user consent by our data collection system. Unlike previous work on GDPR compliance, we found that most websites using TCF properly record the user's consent choice. However, we found that 72.8% of the websites that were TCF compliant claimed legitimate interest as a rationale for overriding the consent choice. While legitimate interest is legal under GDPR, previous studies have shown that most users disagreed with how it is being used to collect data. Additionally, analysis of cookies set to the browsers indicates that TCF may not fully protect user privacy even when websites are compliant. Our research provides regulators and publishers with a data collection and analysis system to monitor compliance, detect non-compliance, and examine questionable practices of circumventing user consent choices using legitimate interest.
KW - ad tech
KW - consent management platforms
KW - gdpr compliance
KW - privacy regulation
KW - transparency and consent framework
UR - http://www.scopus.com/inward/record.url?scp=85194106324&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85194106324&partnerID=8YFLogxK
U2 - 10.1145/3589334.3645618
DO - 10.1145/3589334.3645618
M3 - Conference contribution
AN - SCOPUS:85194106324
T3 - WWW 2024 - Proceedings of the ACM Web Conference
SP - 1227
EP - 1236
BT - WWW 2024 - Proceedings of the ACM Web Conference
PB - Association for Computing Machinery, Inc
T2 - 33rd ACM Web Conference, WWW 2024
Y2 - 13 May 2024 through 17 May 2024
ER -