Navigating Cookie Consent Violations Across the Globe
- URL: http://arxiv.org/abs/2506.08996v2
- Date: Wed, 06 Aug 2025 22:45:37 GMT
- Title: Navigating Cookie Consent Violations Across the Globe
- Authors: Brian Tang, Duc Bui, Kang G. Shin
- Abstract summary: We propose an end-to-end system, called ConsentChk, that detects and analyzes cookie banner behavior. We investigate eight English-speaking regions across the world, and analyze cookie banner behavior across 1,793 globally-popular websites. Our evaluation reveals that consent management platforms (CMPs) and website developers likely tailor cookie banner configurations based on their (often incorrect) interpretations of regional privacy laws.
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Online services provide users with cookie banners to accept/reject the cookies placed on their web browsers. Despite the increased adoption of cookie banners, little has been done to ensure that cookie consent is compliant with privacy laws around the globe. Prior studies have found that cookies are often placed on browsers even after their explicit rejection by users. These inconsistencies in cookie banner behavior circumvent users' consent preferences and are known as cookie consent violations. To address this important problem, we propose an end-to-end system, called ConsentChk, that detects and analyzes cookie banner behavior. ConsentChk uses a formal model to systematically detect and categorize cookie consent violations. We investigate eight English-speaking regions across the world, and analyze cookie banner behavior across 1,793 globally-popular websites. Cookie behavior, cookie consent violation rates, and cookie banner implementations are found to be highly dependent on region. Our evaluation reveals that consent management platforms (CMPs) and website developers likely tailor cookie banner configurations based on their (often incorrect) interpretations of regional privacy laws. We discuss various root causes behind these cookie consent violations. The resulting implementations produce misleading cookie banners, indicating the prevalence of inconsistently implemented and enforced cookie consent between various regions.
Related papers
- VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents [74.6761188527948]
Computer-Use Agents (CUAs) with full system access pose significant security and privacy risks. We investigate Visual Prompt Injection (VPI) attacks, where malicious instructions are visually embedded within rendered user interfaces. Our empirical study shows that current CUAs and BUAs can be deceived at rates of up to 51% and 100%, respectively, on certain platforms.
arXiv Detail & Related papers (2025-06-03T05:21:50Z)
- Fingerprinting and Tracing Shadows: The Development and Impact of Browser Fingerprinting on Digital Privacy [55.2480439325792]
Browser fingerprinting is a growing technique for identifying and tracking users online without traditional methods like cookies.
This paper gives an overview by examining the various fingerprinting techniques and analyzes the entropy and uniqueness of the collected data.
arXiv Detail & Related papers (2024-11-18T20:32:31Z)
- Browsing without Third-Party Cookies: What Do You See? [5.181502547611254]
Third-party web cookies are often used for privacy-invasive behavior tracking.
To understand the effects of such third-party cookieless browsing, we crawled and measured the top 10,000 Tranco websites.
We develop a framework to remove third-party cookies and analyze the differences between the appearance of web pages with and without these cookies.
arXiv Detail & Related papers (2024-10-14T17:47:43Z)
- How Unique is Whose Web Browser? The role of demographics in browser fingerprinting among US users [50.699390248359265]
Browser fingerprinting can be used to identify and track users across the Web, even without cookies.
This technique and resulting privacy risks have been studied for over a decade.
We provide a first-of-its-kind dataset to enable further research.
arXiv Detail & Related papers (2024-10-09T14:51:58Z)
- Consent in Crisis: The Rapid Decline of the AI Data Commons [74.68176012363253]
General-purpose artificial intelligence (AI) systems are built on massive swathes of public web data.
We conduct the first, large-scale, longitudinal audit of the consent protocols for the web domains underlying AI training corpora.
arXiv Detail & Related papers (2024-07-20T16:50:18Z)
- Automating Food Drop: The Power of Two Choices for Dynamic and Fair Food Allocation [51.687404103375506]
We partner with a non-profit organization in the state of Indiana that leads Food Drop, a program that is designed to redirect rejected truckloads of food away from landfills and into food banks.
Our goal in this partnership is to completely automate Food Drop.
In doing so, we need a matching algorithm for making real-time decisions that strikes a balance between ensuring fairness for the food banks that receive the food and optimizing efficiency for the truck drivers.
arXiv Detail & Related papers (2024-06-10T15:22:41Z)
- COOKIEGUARD: Characterizing and Isolating the First-Party Cookie Jar [14.314375420700504]
Third-party scripts can access and exfiltrate first-party cookies, including those set by other third-party scripts. We conduct the first large-scale measurement of cross-domain access to first-party cookies across 20,000 websites. We propose CookieGuard, a browser-based runtime enforcement mechanism that isolates first-party cookies on a per-script-origin basis.
arXiv Detail & Related papers (2024-06-08T01:02:49Z)
- Towards Browser Controls to Protect Cookies from Malicious Extensions [5.445001663133085]
Cookies are valuable targets of attacks that attempt to steal them and gain unauthorized access to user accounts.
Extensions are third-party HTML/JavaScript add-ons with access to several privileged APIs and can run on multiple websites at once.
We propose browser controls based on two new cookie attributes that protect cookies from malicious extensions: BrowserOnly and Tracked.
arXiv Detail & Related papers (2024-05-10T22:04:56Z)
- The Impact of User Location on Cookie Notices (Inside and Outside of the European Union) [3.719580143660037]
We crawl 1,500 European, American, and Canadian websites from each of 18 countries.
Using a series of regression models, we find that the website's Top Level Domain explains a substantial portion of the variance in cookie notice metrics.
There is one exception to this finding: cookie notices differ when accessing .com domains from inside versus outside of the EU.
arXiv Detail & Related papers (2021-10-19T10:42:39Z)
- User Tracking in the Post-cookie Era: How Websites Bypass GDPR Consent to Track Users [3.936965297430477]
We investigate whether websites use persistent and sophisticated forms of tracking in order to track users who said they do not want cookies.
Our results suggest that websites do use such modern forms of tracking even before users had the opportunity to register their choice with respect to cookies.
As a result, users' choices play very little role with respect to tracking.
arXiv Detail & Related papers (2021-02-17T14:11:10Z)