A Study of GDPR Compliance under the Transparency and Consent Framework

Document Type

Conference Proceeding

Publication Date

5-13-2024

Abstract

This paper presents a study of GDPR compliance under the Interactive Advertising Bureau Europe's Transparency and Consent Framework (TCF). This framework provides digital advertising market participants a standard for sharing users' privacy consent choices. TCF is widely used across the Internet, and this paper presents a thorough experimental evaluation of both the compliance of websites with TCF and its impact on user privacy. We reviewed 2,230 websites that use TCF and accepted the automatic decline of user consent by our data collection system. Unlike previous work on GDPR compliance, we found that most websites using TCF properly record the user's consent choice. However, we found that 72.8% of the websites that were TCF compliant claimed legitimate interest as a rationale for overriding the consent choice. While legitimate interest is legal under GDPR, previous studies have shown that most users disagreed with how it is being used to collect data. Additionally, analysis of cookies set to the browsers indicates that TCF may not fully protect user privacy even when websites are compliant. Our research provides regulators and publishers with a data collection and analysis system to monitor compliance, detect non-compliance, and examine questionable practices of circumventing user consent choices using legitimate interest.

Identifier

85194106324 (Scopus)

ISBN

9798400701719

Publication Title

WWW 2024 - Proceedings of the ACM Web Conference

External Full Text Location

https://doi.org/10.1145/3589334.3645618

First Page

1227

Last Page

1236

Grant

CNS 2237328

Fund Ref

Leir Foundation

This document is currently not available here.
