Data protection regulations, such as GDPR and CCPA, require websites and embedded third parties, especially advertisers, to seek user consent before they can collect and process user data. Only when users opt in can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit user consent and convey it to the embedded advertisers, with the expectation that the consent will be respected. However, neither websites nor regulators currently have any mechanism to audit advertisers' compliance with user consent, i.e., to determine whether advertisers indeed refrain from collecting, processing, and sharing user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate two of the most widely deployed CMPs, OneTrust and CookieBot, as well as an advertiser-offered opt-out control, the National Advertising Initiative's opt-out, under GDPR and CCPA, arguably two of the most mature data protection regulations. Our results indicate that user data is unfortunately still being collected, processed, and shared even when users opt out. Our findings suggest that several prominent advertisers (e.g., AppNexus, PubMatic) might be in potential violation of GDPR and CCPA. Overall, our work casts doubt on whether regulations are effective at protecting users' online privacy.
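One way to implement the bidding-based audit the abstract describes, as an added Python example that is not the paper's code: bids observed under opt-in are compared with bids observed under opt-out, and an advertiser whose opt-out bidding is essentially unchanged is flagged for review. The bid log, the consent-state labels and the comparison thresholds are constructed assumptions.

```python
"""Audit advertisers' bidding behaviour under opt-in vs opt-out consent states.

Constructed example: each record is one header-bidding bid observed in a crawl,
tagged with the consent state the CMP conveyed at the time. A CPM of 0.0 means
the advertiser was solicited but returned no bid.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample bid log: (advertiser, consent_state, bid_cpm).
BID_LOG = [
    ("AdvA", "opt_in", 1.80), ("AdvA", "opt_in", 2.10), ("AdvA", "opt_in", 1.95),
    ("AdvA", "opt_out", 1.75), ("AdvA", "opt_out", 2.05), ("AdvA", "opt_out", 1.90),
    ("AdvB", "opt_in", 1.50), ("AdvB", "opt_in", 1.60), ("AdvB", "opt_in", 1.40),
    ("AdvB", "opt_out", 0.0),  ("AdvB", "opt_out", 0.30), ("AdvB", "opt_out", 0.0),
]


def summarize(bid_log):
    """Per advertiser and consent state: bid rate and mean CPM of non-zero bids."""
    buckets = defaultdict(list)
    for adv, state, cpm in bid_log:
        buckets[(adv, state)].append(cpm)
    summary = {}
    for (adv, state), cpms in buckets.items():
        bids = [c for c in cpms if c > 0]
        summary.setdefault(adv, {})[state] = {
            "bid_rate": len(bids) / len(cpms),
            "mean_cpm": mean(bids) if bids else 0.0,
        }
    return summary


def flag_suspects(summary, rate_ratio=0.8, cpm_ratio=0.8):
    """Flag advertisers whose opt-out bidding looks like their opt-in bidding.

    Heuristic thresholds (assumptions, not from the paper): if after opt-out the
    advertiser still bids at >= rate_ratio of its opt-in bid rate AND at
    >= cpm_ratio of its opt-in mean CPM, the opt-out signal appears not to have
    changed its behaviour, which warrants a closer compliance review.
    """
    suspects = []
    for adv, states in summary.items():
        if "opt_in" not in states or "opt_out" not in states:
            continue  # cannot compare without observations in both states
        on, off = states["opt_in"], states["opt_out"]
        if on["bid_rate"] == 0 or on["mean_cpm"] == 0:
            continue  # advertiser never bid even with consent; nothing to compare
        if (off["bid_rate"] >= rate_ratio * on["bid_rate"]
                and off["mean_cpm"] >= cpm_ratio * on["mean_cpm"]):
            suspects.append(adv)
    return sorted(suspects)


if __name__ == "__main__":
    print(flag_suspects(summarize(BID_LOG)))  # → ['AdvA']
```

AdvB drops from bidding on every request to bidding on one in three at a fraction of the price once the user opts out, while AdvA's bids are unchanged, so only AdvA is flagged.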