A recent US research paper entitled “Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?” highlights how, in many cases, user data is still being collected, processed, and shared, even when users opt out through a Consent Management Platform (CMP).
The Issue
The research centred on developing a framework to measure how well Consent Management Platforms (CMPs) protect the data and privacy of website users, since websites and regulators currently have no effective mechanism for auditing advertisers’ compliance with user consent.
Data protection regulations such as GDPR and CCPA require websites and the third parties embedded in them, especially advertisers, to seek user consent before collecting and processing user data. Under these regulations, these entities should collect, process, and share user data only when users opt in.
CMPs Audited
Computer scientists Zengrui Liu (Texas A&M University), Umar Iqbal (University of Washington), and Nitesh Saxena (Texas A&M University) published a paper outlining the results of their audit of Consent Management Platforms (CMPs). These are the software tools that help website owners and operators protect their users’ data by managing user consent for data collection, tracking, and other online activities that may involve personal data, and that support compliance with the world’s major data privacy laws, e.g. GDPR, UK-GDPR, California’s CCPA/CPRA and more. CMPs are, therefore, a way to solicit user consent and convey it to embedded advertisers, with the expectation that the consent will be respected.
CMPs also allow website visitors to manage their preferences for data collection, storage, and sharing, along with the ability to choose to accept or decline cookies, tracking pixels, and other tracking technologies.
OneTrust and CookieBot Audited
The researchers’ auditing framework assessed violations of data protection regulations and evaluated two of the most widely deployed CMPs, OneTrust and CookieBot, as well as an advertiser-offered opt-out control, the National Advertising Initiative’s opt-out, under GDPR and CCPA, arguably the two most mature data protection regulations.
The Conclusion – Users Are Still Tracked When They’ve Opted Out
The results of the research (published on the Cornell University website) show that user data is still collected, processed, and shared – even when users opt out – and that it is, therefore, doubtful whether regulations are effective at protecting users’ online privacy. The findings published in the paper also suggest that several prominent advertisers (e.g. AppNexus and PubMatic) may be in potential violation of GDPR and CCPA. The researchers say that the results of their study have “cast a serious doubt on the effectiveness of regulations as a sole means of privacy protection. Specifically, even after users opt-out through CMPs, their data may still be used and shared by advertisers.”
How Can Your Data Still Be Shared Despite Opting Out?
The research paper highlights two main ways in which advertisers may be able to process and share user information despite negative consent. These are:
1. Inaccurate deployment of CMPs, e.g. tracking code may execute before the CMP has a chance to block cookies, or website developers may wrongly list non-essential cookies as essential.
2. Advertisers using side-channel information to circumvent enforcement by CMPs. For example, advertisers may change their cookies to avoid detection, or rely on browser fingerprinting to track users.
Roles And Responsibilities
In the light of the results, the researchers say that regulators have a responsibility to ensure that online services abide by the law and should use automated mechanisms (such as the framework created by the researchers) to detect infringements of regulations at scale. The researchers say this could be done by running their framework periodically from several vantage points, or as a browser extension.
The researchers also point out that website developers have an important role in the enforcement of regulations and could deploy CMPs that are better at conveying and enforcing user consent.
What Does This Mean For Your Business?
The research has revealed that some CMPs may not be effective in ensuring compliance with data protection laws, because they can be inaccurately deployed, or because advertisers can use side-channel information to get around a user’s consent decision. This means that although CMPs are being trusted to handle consent and compliance with data protection and privacy laws, some prominent advertisers working with them may actually be in potential violation of GDPR and CCPA, and users’ negative consent is effectively being ignored in some cases, which may also violate their rights under data protection laws. It could be concluded, therefore, that CMPs can be unreliable and that regulations as a sole means of privacy protection can’t be relied upon.
Without this research, the problem would not have come to light, because there does not appear to have been a framework for testing the effectiveness of CMPs until the researchers built one; this also suggests the problem may be more widespread than first thought.
Advertisers and businesses may, therefore, be leaving themselves open to potential fines under data protection and privacy laws because they are not respecting user opt-out decisions. Regulators may now need to increase detection and enforcement, and businesses may need to check that their CMPs are working properly and may need to consider additional measures to cover themselves. Also, as suggested by the researchers, “CMPs, advertisers, website developers, and regulators should work together to define protocols for conveying and enforcing consent.”