A Study of GDPR Compliance under the Transparency and Consent Framework

Published: 23 Jan 2024, Last Modified: 23 May 2024, TheWebConf24 Oral
Keywords: Privacy Regulation, GDPR Compliance, Consent Management Platforms, Transparency and Consent Framework (TCF), Ad Tech
TL;DR: We studied publisher and CMP compliance with TCF and how it relates to GDPR compliance.
Abstract: This paper presents a study of GDPR compliance under the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF). This framework provides digital advertising market participants with a standard for sharing users’ privacy consent choices. TCF is widely used across the Internet, and this paper presents its first thorough evaluation, investigating both the compliance of websites with TCF and its impact on user privacy. We reviewed 2,230 websites that use TCF and accepted the automatic decline of user consent by our data collection system. Unlike previous work on GDPR compliance, we found that most websites using TCF properly record the user’s consent choice. However, we found that 72.8% of the websites that were TCF compliant claimed legitimate interest as a rationale for overriding the consent choice. While legitimate interest is legal under GDPR, previous studies have shown that most users disagreed with how it is being used to collect data. Additionally, analysis of cookies set in the browsers indicates that TCF may not fully protect user privacy even when websites are compliant. Our research provides regulators and publishers with a data collection and analysis system to monitor compliance, detect non-compliance, and examine questionable practices of circumventing user consent choices using legitimate interest.
Track: Responsible Web
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: No
Submission Number: 1815