Are cookie banners indeed compliant with the law?

Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

  • Cristiana Santos Utrecht University
  • Nataliia Bielova Université Côte d'Azur, Inria, France
  • Célestin Matte Université Côte d'Azur, Inria, France
Keywords: consent, GDPR, cookie banners, compliance, ePrivacy Directive, web tracking technologies

Abstract

In this work, we analyze the legal requirements on how cookie banners are supposed to be implemented to be fully compliant with the ePrivacy Directive and the GDPR.

Our contribution resides in the definition of 17 operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is technically feasible.

The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners design of websites. For each requirement, we exemplify with compliant and non-compliant cookie banners.

As an outcome of a technical assessment, we verify per requirement if technical (with computer science tools) or manual (with any human operator) verification is needed to assess compliance of consent and we also show which requirements are impossible to verify with certainty in the current architecture of the Web.  For example, we explain how the GDPR’s requirement for revocable consent could be implemented in practice: when consent is revoked, the publisher should delete the consent cookie and communicate the withdrawal to all third parties who have previously received consent.

With this approach we aim to support practically-minded parties (compliance officers, regulators, privacy NGOs, researchers, and computer scientists) to assess compliance and detect violations in cookie banners’ design and implementation, specially under the current revision of the EU ePrivacy framework.

Author Biographies

Cristiana Santos, Utrecht University

Cristiana Santos is lecturer and researcher at Utrecht University, the Netherlands.

Nataliia Bielova, Université Côte d'Azur, Inria, France

Nataliia Bielova is a Research Scientist at PRIVATICS team in Inria, France.

Célestin Matte, Université Côte d'Azur, Inria, France

Célestin Matte is independent researcher.

Published
2020-12-01
How to Cite
Santos, C., Bielova, N., & Matte, C. (2020). Are cookie banners indeed compliant with the law? . Technology and Regulation, 2020, 91-135. https://doi.org/10.26116/techreg.2020.009
Section
Articles