A Study of GDPR Compliance under the Transparency and Consent Framework

Published in Proceedings of the ACM Web Conference 2024, 2024

This paper presents a study of GDPR compliance under the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF). This framework provides digital advertising market participants a standard for sharing users’ privacy consent choices. TCF is widely used across the Internet, and this paper presents a thorough experimental evaluation of both the compliance of websites with TCF and its impact on user privacy. We reviewed 2,230 websites that use TCF and accepted the automatic decline of user consent by our data collection system. Unlike previous work on GDPR compliance, we found that most websites using TCF properly record the user’s consent choice. However, we found that 72.8% of the websites that were TCF compliant claimed legitimate interest as a rationale for overriding the consent choice. While legitimate interest is legal under GDPR, previous studies have shown that most users disagreed with how it is being used to collect data. Additionally, analysis of cookies set to the browsers indicates that TCF may not fully protect user privacy even when websites are compliant. Our research provides regulators and publishers with a data collection and analysis system to monitor compliance, detect noncompliance, and examine questionable practices of circumventing user consent choices using legitimate interest.

Recommended citation: Smith, M., Torres-Agüero, A., Grossman, R., Sen, P., Chen, Y., & Borcea, C. (2024). A Study of GDPR Compliance under the Transparency and Consent Framework. In Proceedings of the ACM on Web Conference 2024 (pp. 1227-1236).