Thought You'd Opted Out Of Online Tracking? Think Again

Websites often provide visitors with the opportunity to opt out of data collection. This is not out of their abundant concern for your privacy – it's the law and they're forced to do it. But according to a trio of privacy researchers, opting out doesn't always work – visitor data still gets collected.

Legal frameworks, like Europe's General Data Protection Regulation (GDPR) and ePrivacy Directive, require websites and associated third parties to get consent before collecting and processing personal data. To help website operators comply with that requirement, vendors like Didomi, Quantcast, OneTrust, and Usercentrics offer what's known as a consent management platform (CMP).

These firms provide software that websites use to prompt visitors to accept or reject cookies in order to control how personal information gets handled. They claim their respective CMPs allow companies to comply with privacy laws in the US, EU, UK, Brazil, South Africa, Singapore, and elsewhere.

As Germany-based Usercentrics puts it: "Surveillance on the internet is real and pervasive – using a consent management platform can make your website a safe private space."

Yet computer scientists Zengrui Liu (Texas A&M University), Umar Iqbal (University of Washington), and Nitesh Saxena (Texas A&M University) devised an auditing mechanism to test the effectiveness of CMP-based opt-out controls and found these platforms don't necessarily ensure compliance with GDPR and the California Consumer Privacy Act (CCPA) requirements.

They describe their findings in a paper [PDF] titled "Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?"

Spoiler alert: No.

"Our results indicate that in many cases user data is unfortunately still being collected, processed, and shared even when users opt out," the researchers state in their paper. "Our findings suggest that several prominent advertisers might be in potential violation of GDPR and CCPA."

Opt-out under the law thus is not all that different from "Do Not Track" – a web specification that allowed browser users to declare the desire not to be tracked, without any consequences for ignoring that preference.

The researchers devised a way to audit opt-out compliance using OpenWPM, an open source web privacy measurement framework. The process involved visiting the top 50 websites in 16 different interest categories (computers, news, sports and so on) to simulate user interest personas.

They focused on top websites that support both header bidding through prebid.js and opting out using CMPs from Didomi, Quantcast, OneTrust, and Usercentrics (CookieBot) tuned for GDPR and CCPA compliance.

Header bidding – a technology Google allegedly tried to kill – is a way for publishers to auction their ad inventory to multiple ad exchanges, known as Supply-Side Platforms (or SSPs), before passing the winning bid on to an ad server like Google Ad Manager. And since header bidding via prebid.js occurs on the client, the researchers were able to intercept and analyze related client-side transactions.

To check whether their opt-outs were being respected, the boffins visited their set of websites with user interest personas (expecting higher bids for ads targeted at those interests) and a control persona – a blank browser profile. They collected bids and network requests from advertisers for both opt-in and opt-out settings, then analyzed the results.

In theory, opting out should reduce advertiser bids to a level comparable to the blank control persona in terms of data usage, client-side data sharing, and server-side data sharing. Alas, that often was not the case.
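The comparison behind this audit can be sketched in a few lines. The following is an added example, not code from the paper or from OpenWPM: it runs an exact permutation test on constructed bid values, and the choice of test, the 0.05 threshold, the persona names and the verdict labels are all assumptions made for illustration.

```python
from itertools import combinations

ALPHA = 0.05  # assumed significance level, not taken from the paper


def perm_p(a, b, alternative="greater"):
    """Exact permutation p-value for the difference in mean bid (a vs b).

    Enumerates every way to split the pooled bids into groups of the
    original sizes; only practical for small samples like the ones below.
    """
    pooled, n_a, n_b = a + b, len(a), len(b)
    total = sum(pooled)

    def stat(sum_a):
        # Integer quantity proportional to mean(a) - mean(b).
        return sum_a * n_b - (total - sum_a) * n_a

    observed = stat(sum(a))
    hits = splits = 0
    for idx in combinations(range(len(pooled)), n_a):
        s = stat(sum(pooled[i] for i in idx))
        splits += 1
        if alternative == "greater":
            hits += s >= observed
        else:  # two-sided
            hits += abs(s) >= abs(observed)
    return hits / splits


def audit(control, opt_in, opt_out):
    """Classify one persona's opt-out behaviour from its collected bids."""
    above_control = perm_p(opt_out, control, "greater") < ALPHA
    differs_from_opt_in = perm_p(opt_out, opt_in, "two-sided") < ALPHA
    if above_control and not differs_from_opt_in:
        return "opt-out ignored"
    if above_control:
        return "opt-out changes bids but still above control"
    return "opt-out honoured"


# Constructed sample bids (CPM in thousandths of a US dollar), not paper data.
CONTROL = [100, 120, 80, 110, 90, 100]
SPORTS = {"opt_in": [310, 280, 350, 300, 270, 330],
          "opt_out": [290, 320, 300, 340, 260, 310]}
NEWS = {"opt_in": [300, 320, 290, 330, 310, 280],
        "opt_out": [100, 90, 110, 120, 80, 110]}

if __name__ == "__main__":
    for name, bids in (("sports", SPORTS), ("news", NEWS)):
        print(name, audit(CONTROL, bids["opt_in"], bids["opt_out"]))
```

In this constructed data the "sports" persona still draws targeted-level bids after opting out, while the "news" persona falls back to control-level bids.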

"Overall we note that under CMPs most personas receive higher bids compared to control when users opt out of data processing and selling under GDPR and CCPA," the researchers observe. "The variability in bid values, particularly higher bids as compared to control, indicates that the leaked user interests are used to target ads to users, despite users' consent to opt out of processing of data as part of the regulations."

The boffins also observe that the opt-out results are not statistically different from opt-in, which they interpret to mean that user consent largely has no effect on the processing and selling of data.

However, they do note that some CMPs appear to convey consent more effectively – specifically Didomi.

OneTrust and Usercentrics did not immediately respond to a request for comment.

"Our findings in general cast a serious doubt on the effectiveness of regulations as a sole means of privacy protection," the researchers conclude. "Specifically, even after users opt out through CMPs, their data may still be used and shared by advertisers. Unfortunately, in order to fully protect privacy, users still need to rely on privacy-enhancing tools, such as ad/tracker blocking browser extensions and privacy-focused browsers (e.g., Brave Browser)."

Yet this is asking too much of internet users, the researchers argue. Regulators need to step up enforcement and work on detecting law violations at scale. ®

 
