Automating Cookie Consent and GDPR Violation Detection presented at USENIX Security 2022

by Dino Bollinger, Karel Kubicek, Carlos Basin

Tags: Web Security V: Tracking


Summary: The European Union's General Data Protection Regulation (GDPR) requires websites to inform users about personal data collection and request consent for cookies. Yet the majority of websites do not give users any choices, and others attempt to deceive them into accepting all cookies. We document the severity of this situation through an analysis of potential GDPR violations in cookie banners in almost 30k websites. We identify six novel violation types, such as incorrect category assignments and misleading expiration times, and we find at least one potential violation in a surprising 94.7% of the analyzed websites.