A Study of GDPR Compliance under the Transparency and Consent Framework

Michael Smith, Antonio Torres-Agüero, Riley Grossman, Pritam Sen, Yi Chen, Cristian Borcea

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


This paper presents a study of GDPR compliance under the Interactive Advertising Bureau Europe's Transparency and Consent Framework (TCF). This framework provides digital advertising market participants a standard for sharing users' privacy consent choices. TCF is widely used across the Internet, and this paper presents a thorough experimental evaluation of both the compliance of websites with TCF and its impact on user privacy. We reviewed 2,230 websites that use TCF and accepted the automatic decline of user consent by our data collection system. Unlike previous work on GDPR compliance, we found that most websites using TCF properly record the user's consent choice. However, we found that 72.8% of the websites that were TCF compliant claimed legitimate interest as a rationale for overriding the consent choice. While legitimate interest is legal under GDPR, previous studies have shown that most users disagreed with how it is being used to collect data. Additionally, analysis of cookies set to the browsers indicates that TCF may not fully protect user privacy even when websites are compliant. Our research provides regulators and publishers with a data collection and analysis system to monitor compliance, detect non-compliance, and examine questionable practices of circumventing user consent choices using legitimate interest.

Original language: English (US)
Title of host publication: WWW 2024 - Proceedings of the ACM Web Conference
Publisher: Association for Computing Machinery, Inc
Number of pages: 10
ISBN (Electronic): 9798400701719
State: Published - May 13 2024
Event: 33rd ACM Web Conference, WWW 2024 - Singapore, Singapore
Duration: May 13 2024 – May 17 2024

Publication series

Name: WWW 2024 - Proceedings of the ACM Web Conference


Conference: 33rd ACM Web Conference, WWW 2024

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software


Keywords

  • ad tech
  • consent management platforms
  • gdpr compliance
  • privacy regulation
  • transparency and consent framework

