Setting the Bar Low: Are Websites Complying With the Minimum Requirements of the CCPA?

Nortwick, Maggie Van; Wilson, Christo

doi:10.2478/popets-2022-0030

Cited by 15 publications

(33 citation statements)

References 41 publications

(55 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prior research has identified that online services design unintuitive and hard to navigate interfaces [39,52], trick users into giving positive consent [59], and do not include controls to opt-out of data selling [67]. Alizadeh et al [39] conducted a user study to understand data rights under GDPR and identified that the participants find data access interfaces unintuitive and hard to navigate.…”

Section: Related Workmentioning

confidence: 99%

“…Specifically, websites often register consent before the user has made any choice, register positive consent regardless of user's choice, or nudge users to give pre-selected positive consent. More recently, Nortwick and Wilson [67], conducted a measurement study of top 500K English websites and identified that only 2% of the websites provided controls to users to opt-out of data selling, i.e., "Do Not Sell My Personal Information" (DNSMPI), under CCPA.…”

Section: Related Workmentioning

confidence: 99%

“…Specifically, as per Section 1798.140 (c) (1), CCPA applies to online services, that have an annual revenue of more than $ 25 million, annually sell data of more than 50K California residents, or earn more than 50% of their revenue from the sale of personal data of California residents. Since most information required to determine applicability is not publically available, it is challenging to determine the applicability criteria at scale [67]. Thus, for our study, we did not strictly follow the CCPA applicability criteria.…”

Section: Limitationsmentioning

confidence: 99%

“…However, despite strict enforcement, prior research has found that online services often trick users into giving positive consent [59], do not include controls to opt-out of data collection and processing [67], or deploy user interfaces that are unintuitive to navigate in terms of providing consent [39,52]. In cases where users are indeed able to exercise their rights, user data is poorly handled.…”

Section: Introductionmentioning

confidence: 99%

“…Regulators have mostly focused on auditing compliance of large well-known corporations, such as Amazon [5] and Google [29], perhaps because of the lack of systematic mechanisms to automatically detect infringements at scale [15]. Prior research [39,52,59,67] has focused on auditing the implementation deficiencies in consent management platforms/tools but it has largely ignored the instances where compliance is correctly conveyed but online services fail to comply. Though, negligence in implementation raises doubts on the seriousness of online services in protecting users' privacy, it does not by itself imply non-compliance.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

Liu¹,

Iqbal²,

Saxena³

2022

Preprint

View full text Add to dashboard Cite

Data protection regulations, such as GDPR and CCPA, require websites and embedded third-parties, especially advertisers, to seek user consent before they can collect and process user data. Only when the users opt in, can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected. However, neither the websites nor the regulators currently have any mechanism to audit advertisers' compliance with the user consent, i.e., to determine if advertisers indeed do not collect, process, and share user data when the user opts out.In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess the violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate two of the most widely deployed CMPs, i.e., OneTrust and CookieBot, as well as advertiser-offered opt-out controls, i.e., National Advertising Initiative's opt-out, under GDPR and CCPA -arguably two of the most mature data protection regulations.Our results indicate that user data is unfortunately still being collected, processed, and shared even when users opt-out. Our findings suggest that several prominent advertisers (e.g., App-Nexus, PubMatic) might be in potential violation of GDPR and CCPA. Overall, our work casts a doubt if regulations are effective at protecting users' online privacy.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Limitationsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

Liu¹,

Iqbal²,

Saxena³

2022

Preprint

View full text Add to dashboard Cite

show abstract

Exploring the Cookieverse: A Multi-Perspective Analysis of Web Cookies

Rasaii

Singh

Gosain

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Web cookies have been the subject of many research studies over the last few years. However, most existing research does not consider multiple crucial perspectives that can influence the cookie landscape, such as the client's location, the impact of cookie banner interaction, and from which operating system a website is being visited. In this paper, we conduct a comprehensive measurement study to analyze the cookie landscape for Tranco top-10k websites from different geographic locations and analyze multiple different perspectives. One important factor which influences cookies is the use of cookie banners. We develop a tool, BannerClick , to automatically detect, accept, and reject cookie banners with an accuracy of 99%, 97%, and 87%, respectively. We find banners to be 56% more prevalent when visiting websites from within the EU region. Moreover, we analyze the effect of banner interaction on different types of cookies (i.e., first-party, third-party, and tracking). For instance, we observe that websites send, on average, 5.5× more third-party cookies after clicking "accept", underlining that it is critical to interact with banners when performing Web measurements. Additionally, we analyze statistical consistency, evaluate the widespread deployment of consent management platforms, compare landing to inner pages, and assess the impact of visiting a website on a desktop compared to a mobile phone. Our study highlights that all of these factors substantially impact the cookie landscape, and thus a multi-perspective approach should be taken when performing Web measurement studies.

show abstract