[THREAD] #GDPR and #ePrivacy directive require #consent for tracking. EU websites rely on IAB #cookie banner providers to implement consent, but what happens behind the cookie banner interface? Our study @CelestinMatte @Cristianapt finds 54% of them are non-compliant. (1/11) 
Many websites rely on third-party cookie banner providers, called Consent Management Providers (CMPs), that implement the IAB Europe Transparency and Consent Framework (TCF): iabeurope.eu/transparency-c… (3/11)
Websites should wait for a user’s decision before storing the user’s consent in the browser. We automatically identified 175 websites out of 1,426 that contain IAB Europe cookie banners storing user's positive consent even before the user has made any choice! (4/11)
Website owners should allow users to opt out of tracking and should provide options to refuse. This is not the case on 38 of the websites we tested! On this French website, the banner exposes users to 565 third party advertisers to silently collect and use her data. (5/11)
According to the EU regulators, and the recent CJEU case (aka “Planet49”), websites should not pre-select options in consent dialogs. On 236 websites, the banner gives users a choice, however some of the choices are pre-selected and set to “accept”. (6/11)
If the user doesn't pay attention to this website and clicks "Save and close", then 47 different third party advertisers are allowed to use the collected data for any purpose. (7/11)
Shockingly, some cookie banners do not respect the choice the users made. On 39 websites banners store a positive consent even if the user has explicitly opted out! This practice can be considered deceptive as it results in accepting data collection against users' will. (8/11)
On this website, the user believes she opted out of tracking, but in fact the banner registered her positive consent for 544 third party advertisers, who can now use the collected data for any of the purposes defined in the framework. (9/11)
Our browser extension for Firefox and Chrome (hopefully, coming soon on add-on stores) called "Cookie Glasses" allows users to verify that the consent stored by CMPs corresponds to their choice: github.com/Perdu/Cookie-G… (10/11)
Conclusion: 305 websites violate GDPR and/or ePrivacy directive:
- 175 websites store a positive consent of the user before any choice
- 38 websites do not allow the user to opt out
- 236 websites have pre-selected choices
- 39 websites do not respect the user’s choice (11/11)
- 175 websites store a positive consent of the user before any choice
- 38 websites do not allow the user to opt out
- 236 websites have pre-selected choices
- 39 websites do not respect the user’s choice (11/11)
@threadreaderapp unroll
