Data protection regulations such as GDPR and CCPA require websites and their third-party partners (especially advertisers) to obtain a user's permission before collecting and using personal data. These entities may collect, process, and share user data only when the user agrees to it. Websites typically rely on Consent Management Platforms (CMPs) such as OneTrust and CookieBot to obtain user consent and notify advertisers, assuming that these partners will honor the user's decision. However, there are currently no measures in place for websites or regulators to verify that advertisers comply with a user's opt-out by not collecting, processing, or sharing that user's data.
The authors of this paper propose an auditing framework that assesses potential violations of data protection regulations by analyzing advertisers' bidding behavior. Using this framework, they evaluate two widely used CMPs (OneTrust and CookieBot) and the opt-out controls offered by advertisers (such as the National Advertising Initiative's opt-out) under GDPR and CCPA, two established data protection regulations. The study reveals that user data is still collected, processed, and shared even when users opt out, suggesting that prominent advertisers (such as AppNexus and PubMatic) may be violating GDPR and CCPA. These results raise doubts about the effectiveness of current regulations in protecting online privacy.
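The following is an added illustration, not code from the paper, of how bidding behavior can serve as an audit signal: an advertiser that truly stops using a user's data after opt-out should bid less often and at lower values for that user than it does under opt-in, so comparing per-advertiser bid rate and mean CPM across the two consent states surfaces candidates for closer review. The bid records, advertiser names and the 0.8 retention threshold are constructed assumptions for the example; the paper's actual measurement methodology and thresholds are not described on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class BidRecord:
    """One bid request/response pair observed for a single advertiser (constructed schema)."""
    advertiser: str
    consent: str               # "opt_in" or "opt_out" state the request was sent under
    bid_cpm: Optional[float]   # CPM of the returned bid, or None if the advertiser did not bid


def summarize(records):
    """Per advertiser and consent state: (bid rate, mean CPM of returned bids)."""
    grouped = defaultdict(list)
    for r in records:
        grouped[(r.advertiser, r.consent)].append(r.bid_cpm)
    summary = defaultdict(dict)
    for (adv, consent), cpms in grouped.items():
        bids = [c for c in cpms if c is not None]
        rate = len(bids) / len(cpms)                 # fraction of requests answered with a bid
        summary[adv][consent] = (rate, mean(bids) if bids else 0.0)
    return dict(summary)


def flag_suspects(records, retention_threshold=0.8):
    """Return advertisers whose opt-out bidding stays within `retention_threshold`
    of their opt-in bidding on BOTH bid rate and mean CPM.

    A high ratio means opting out changed almost nothing about how the
    advertiser values the user, which is the behaviour an auditor would
    want to examine further. Returned value: {advertiser: (rate_ratio, cpm_ratio)}.
    """
    suspects = {}
    for adv, by_consent in summarize(records).items():
        if "opt_in" not in by_consent or "opt_out" not in by_consent:
            continue                                  # need both states to compare
        in_rate, in_cpm = by_consent["opt_in"]
        out_rate, out_cpm = by_consent["opt_out"]
        if in_rate == 0 or in_cpm == 0:
            continue                                  # no usable opt-in baseline
        rate_ratio = out_rate / in_rate
        cpm_ratio = out_cpm / in_cpm
        if rate_ratio >= retention_threshold and cpm_ratio >= retention_threshold:
            suspects[adv] = (round(rate_ratio, 2), round(cpm_ratio, 2))
    return suspects


# Constructed sample: advertiser_a barely changes after opt-out; advertiser_b
# bids far less often and far lower, consistent with honouring the opt-out.
SAMPLE_RECORDS = (
    [BidRecord("advertiser_a", "opt_in", 2.0) for _ in range(10)]
    + [BidRecord("advertiser_a", "opt_out", 1.9) for _ in range(9)]
    + [BidRecord("advertiser_a", "opt_out", None)]
    + [BidRecord("advertiser_b", "opt_in", 2.0) for _ in range(10)]
    + [BidRecord("advertiser_b", "opt_out", 0.5) for _ in range(2)]
    + [BidRecord("advertiser_b", "opt_out", None) for _ in range(8)]
)

if __name__ == "__main__":
    for adv, stats in summarize(SAMPLE_RECORDS).items():
        print(adv, stats)
    print("candidates for review:", flag_suspects(SAMPLE_RECORDS))
```

In practice the two consent states must be collected under otherwise identical conditions (same pages, same time window, same browser profile state) so that differences in bidding can be attributed to consent rather than to inventory or timing, and a flag is only a prompt for manual investigation, not proof of a violation.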