Célestin Matte, Cristiana Santos and Nataliia Bielova: “Not every cookie banner respects the user’s choice”

Rédigé par Félicien Vallet

 - 

29 July 2020


Following their visit to our laboratory as well as the recent publication of their latest work, LINC interviewed Célestin Matte, Cristiana Santos and Nataliia Bielova about their analysis of the compliance of consent management platforms implementing the IAB Europe's Transparency and Consent Framework.

LINC: Your latest research paper analyses what happens behind the scenes of consent management platforms (aka CMP or “cookie banners”) when a user gives her consent to the use of cookies and similar technologies. More specifically, it focuses on IAB Europe’s Transparency and Consent Framework (TCF) which is widely used in Europe to collect the user’s choices. Could you explain what this framework is and explain what CMPs are and how they work?

Nataliia Bielova: When accessing websites from Europe, users are often faced with cookie banners. These banners ask for the user’s consent regarding tracking and data collection on the visited website. As a result of the ePrivacy Directive back in 2009, and the GDPR in 2018, website publishers were legally obliged to request consent and give users a meaningful choice allowing them to accept or to refuse tracking before any data collection. A common way to implement consent on websites is via cookie banners.

Recently, IAB Europe, the European branch of the Interactive Advertising Bureau – an advertising business organisation – proposed the Transparency and Consent Framework (TCF). This framework introduces a specification that cookie banner providers, called Consent Management Providers (CMPs), can use in order to obtain and store consent in a pre-defined format and share it with third parties that track the user on the visited website. CMPs are proposing “cookie banner as a service” to website publishers, i.e. scripts that collect, store and share user’s consent. [Editor’s note: on the consent mechanism, see our article « Mécanismes et (r)écueil du consentement »]

Consent collection and distribution between CMPs, publishers, users and the advertisement ecosystem (from [Matte et al., 2020a]).

Consent collection and distribution between CMPs, publishers, users and the advertisement ecosystem (from [Matte et al., 2020a]).

In our work, we found that many websites in the EU use cookie banners provided by CMPs  implementing the TCF. It’s interesting to see that by providing this framework, IAB Europe occupies a central role in defining how consent of the users is going to be collected, stored and distributed among publishers and the advertisement ecosystem. Notably, even global advertising players, such as Google, will join IAB Europe TCF v2.0, a new version that is going to be fully supported starting from August 2020. This demonstrates that the TCF is gradually becoming the standard for consent storage and distribution.

 

You decided to conduct automated investigations. In order to do this, you developed two tools, “Cookie Glasses” and “Cookinspect”. What do they do practically?

Célestin Matte: When you browse the Web, you’re repetitively asked for your consent. Cookie banners are often painful to configure, so you want to be sure that the trouble you’re going through is worth something! Does the website actually respect your choice?

We noticed that the specification of IAB Europe’s TCF is publicly available and decided to build our own tools to investigate in a systematic way what happens behind the scenes of the cookie banner interface. We thought it would be interesting to analyze whether the consent chosen by the user in the banner interface corresponds to the consent stored in the browser by the CMP (this latter consent is then transmitted to the third-party advertisers). To do so, our tool pretends to be an advertiser on each website to interrogate the CMP, in order to check what consent is stored in the browser and whether it is consistent with the user’s choice. Overall, we have developed two tools: Cookinspect and Cookie Glasses.

Cookinspect is a web crawler that does the analysis of stored consent in a systematic way and at a large scale, so it can run automatically on hundreds of websites. The Cookinspect crawler is open source and is available here.

Cookie Glasses is a user-friendly browser extension showing the concrete proof of consent that is stored in the browser when a user interacts with a cookie banner. It is then possible to see: (a) for which purposes the collected data can be used, as well as (b) hundreds of advertisers who are allowed to collect user's data.

Users can then check whether the stored consent is consistent with the choice they made in the cookie banner interface. The “Cookie Glasses” extension is available on Chrome store and on Firefox Add-Ons page (advanced users can find the open source code here).

 

In your work, you describe that some behaviors of cookie banners seem very problematic. Could you present them?

Nataliia Bielova: We have started this project with web measurements, which is a typical computer science research method, to analyze how CMPs behave and what consent they store and distribute to advertisers. While digging into the behaviors of CMPs, and discussing them with our legal scholar colleague Cristiana Santos, we have managed to bridge the behaviors we observed to the legal requirements set up by both the GDPR, the ePrivacy Directive and other interpretative elements (such as the guidance provided by the data protection authorities) to identify potential violations.

Cristiana Santos: In this work, we have found 4 potential violations: consent stored before choice, no way to opt out, pre-selected choices, and non-respect of the user’s choice.
First, we found that, on some websites, the CMP transmits a positive consent to tracking for hundreds of advertisers even before the user gives any consent through the cookie banner! This behavior is a potential violation regarding the “prior consent” requirement demanded by the GDPR. Although this requirement does not seem to be sufficiently explicit in Article 5(3) of ePrivacy Directive, it is further recognized in the guidance from the EDPB, the ICO and the CNIL guidelines

Then, and even more shockingly, we identified websites where cookie banners register a positive consent even though the user explicitly refused! This is in violation with the lawfulness principle established in Articles 5(1)(a) and 6(1) of the GDPR. This means that for the processing to be lawful, it must be based on a legal basis, namely, the consent to the use of cookies, as required by Article 5(3) of the ePrivacy Directive. If there is no consent given, any processing thereto is considered unlawful.

Another problematic practice, highlighted both by the EDPB and also by recent academic research is the impossibility of opting out, which is a potential violation of Article 4(11) of the GDPR and of Recital 66 of the ePrivacy Directive that states that the right to refuse should be as user-friendly as possible.

Additionally, thanks to the CJEU Planet49 case of October 2019, it became clear that pre-selected choices do not constitute a valid consent – we have found multiple websites and CMPs that have pre-selected choices.

Célestin Matte: By automatically analyzing 1,426 EU websites and further manually inspecting 560 of them, we have detected four potential violations of the GDPR and ePrivacy Directive that we have identified. Here is the summary of our findings:

  • 141 websites register positive consent even if the user has not made their choice,
  • 38 websites offer no way to refuse tracking,
  • 236 websites nudge the users towards accepting consent by pre-selecting options,
  • 27 websites store a positive consent even if the user has explicitly opted out.

In total, we have found at least one violation in 304 out of 560 websites, which shows that more than half of fully tested websites are in potential violation with the GDPR and ePrivacy Directive. There are many popular websites that are in potential breach of GDPR, such as msn.com, slate.com, reuters.com, allocine.fr (note that our analysis was done between September and November 2019, and websites could have been updated in the meantime).

 

In your new recent article, you have also detected problems related to the definition of purposes in IAB Europe TCF, what were your main findings there?

Cristiana Santos: We further analyzed the purposes for data processing proposed in IAB Europe’s TCF, versions 1.1 (currently used on most websites) and 2.0 (will be used starting from August 2020). When advertisers register in the TCF, they have to pick which purposes they will rely on in their processing among the proposed ones. We analyzed these purposes with regard to the legal requirements for defining them lawfully, and suggest that several of them might not be specific or explicit enough to be compliant. Arguably, a large portion of them do require consent, even though the TCF allows advertisers to rely on the legitimate interest legal basis. We have also measured the declaration of purposes by all advertisers registered in the TCF versions 1.1. and 2.0 and found that almost two hundreds of them rely on legitimate interest for purposes that should instead rely on consent.

 

Is there a silver lining there? From your point of view, what could be done by professionals to make sure they fully respect their obligations when collecting user’s consent?

Nataliia Bielova: After doing research on the legal requirements for a valid consent, we have identified a number of requirements that originate from a rigorous analysis of the legal sources and a technical analysis of today’s Web browsers and web services (see our draft paper). The problem of compliance is complex because it requires understanding of both legal and technical aspects of consent requests. By talking to DPOs and to legal scholars, we see that many legal professionals lack the technical knowledge and that many computer science colleagues are having a hard time understanding the legal requirements. We believe legal and technical experts must work together to ensure legal compliance.
Additionally, Data Protection Authorities need to provide more technical guidelines and best practices to help the industry respect their legal obligations. We were happy to see the initiative of the CNIL proposing a draft recommendation on cookies and other trackers, which defines some of such practices. We have recently expressed our own opinion on this draft, highlighting the need for a technical standardization of consent, and a standard user interface design for consent dialogs.

Moreover, we believe that identifying best practices to implement the proof of consent is of paramount importance. In our work, we have observed 69 websites that transmit consent to third parties even though the user has not made their choice and the CMP on the website did not record the consent string yet. We also found 26 additional websites that share a positive consent even if the user opted out and the CMP didn’t register any consent yet. These cases demonstrate that a consent string may be shared between parties without any awareness of the user, and without reflecting the user’s choice.

Of course, publishers can find other economic models to avoid relying on massive data collection, which, even with user consent, remains a privacy issue.


To go further:

 


Célestin Matte

 

Célestin Matte is an independent researcher interested in privacy, especially Web and physical tracking. He currently works on consent in Web applications.

Cristiana Santos

 

Cristiana Santos is a postdoc in Law and Technology at Inria Sophia Antipolis (France). Her main interests are data protection, privacy and consumer law. She works on the analysis of legal and technical requirements that inform a given technology. She is currently working on the topics of consent and dark patterns.

Nataliia Bielova

 

Nataliia Bielova is a research scientist at Inria Sophia Antipolis (France). Her main interest is in privacy and transparency technologies for Web applications. She leads interdisciplinary research on measurement of Web tracking and technical enforcement of GDPR and ePrivacy Directive in Web applications. She is also co-chair of the CNIL-Inria Privacy Protection prize.


 Illustration - Gerd Altmann


Article rédigé par Félicien Vallet , Responsable IA de la CNIL