Is Your Data Shared Even After Opting Out?

In many cases, even after users opt out through a Consent Management Platform (CMP), user data is still gathered, processed, and shared, according to a recent US research study titled “Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?”

The Issue  

The research was based around developing a framework to measure how well Consent Management Platforms (CMPs) worked in terms of data protection and privacy for website users because websites and regulators don’t currently have an effective mechanism to audit advertisers’ compliance with user consent. 

Data protection regulations, such as GDPR and CCPA, require websites and embedded third parties, especially advertisers, to seek user consent before they can collect and process user data. Under these regulations, only when the users opt in, should these entities collect, process, and share user data. 

CMPs Audited 

Computer scientists Zengrui Liu (Texas A&M University), Umar Iqbal (University of Washington), and Nitesh Saxena (Texas A&M University) published a paper outlining the results of their audit of Consent Management Platforms (CMPs). These are the software tools that help website owners and operators protect their users' data by managing user consent for data collection, tracking, and other online activities that may involve personal data, and that help with compliance with the world's major data privacy laws, e.g. GDPR, UK-GDPR, California's CCPA/CPRA and more. CMPs are, therefore, a way to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected.

CMPs also allow website visitors to manage their preferences for data collection, storage, and sharing, along with the ability to choose to accept or decline cookies, tracking pixels, and other tracking technologies.  

OneTrust and CookieBot Audited 

The auditing framework used by the researchers assessed the violations of data protection regulations and evaluated two of the most widely deployed CMPs, i.e. OneTrust and CookieBot, as well as advertiser-offered opt-out controls, i.e. National Advertising Initiative’s opt-out, under GDPR and CCPA, arguably two of the most mature data protection regulations. 

The Conclusion – Users Are Still Tracked When They’ve Opted Out 

The results of the research (published on the Cornell University website) show that user data is still collected, processed, and shared even when users opt out, and that it is, therefore, doubtful whether regulations are effective at protecting users' online privacy. The findings, published in the paper, also appear to suggest that several prominent advertisers (e.g. AppNexus and PubMatic) may even be in potential violation of GDPR and CCPA. The researchers say that the results of their study have “cast a serious doubt on the effectiveness of regulations as a sole means of privacy protection. Specifically, even after users opt-out through CMPs, their data may still be used and shared by advertisers.”

How Can Your Data Still Be Shared Despite Opting Out? 

The research paper highlights two main ways in which advertisers might be able to process and share user information despite negative consent. These are: 

1. Through the inaccurate deployment of CMPs, e.g. the tracking code may execute first before CMPs even have a chance to block cookies or website developers may inaccurately list non-essential cookies as essential.  

2. Advertisers using side-channel information to circumvent enforcement by CMPs. For example, advertisers may change their cookies to avoid detection or rely on browser fingerprinting to track users. 
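A site owner can check for the first failure mode (inaccurate CMP deployment) by capturing one page load after rejecting all cookies and reviewing the recorded traffic. The sketch below is an added example, not the researchers' framework: the function names, the placeholder hosts and the constructed HAR capture are assumptions, and the check treating a third-party cookie on the "essential" list as suspicious is a heuristic. It cannot see fingerprinting or other side channels.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR-style capture of one page load made after clicking "reject all".
# All hosts are placeholders, not real vendors.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
 {"startedDateTime": "2023-05-01T10:00:00.000Z",
  "request": {"url": "https://shop.example/"},
  "response": {"cookies": [{"name": "session"}]}},
 {"startedDateTime": "2023-05-01T10:00:00.120Z",
  "request": {"url": "https://ads.tracker.example/pixel.js"},
  "response": {"cookies": [{"name": "uid"}]}},
 {"startedDateTime": "2023-05-01T10:00:00.300Z",
  "request": {"url": "https://cdn.cmp.example/consent.js"},
  "response": {"cookies": []}},
 {"startedDateTime": "2023-05-01T10:00:00.900Z",
  "request": {"url": "https://sync.adnet.example/match"},
  "response": {"cookies": [{"name": "adnet_id"}]}}
]}}
""")

def is_under(host, domain):
    # Simplified same-site test; a real audit would use the Public Suffix List.
    return host == domain or host.endswith("." + domain)

def audit_opt_out_capture(har, first_party, cmp_domain, declared_essential):
    """Return (kind, host, detail) findings for an opted-out page load."""
    findings, cmp_loaded = [], False
    # ISO-8601 UTC timestamps in one format sort correctly as strings.
    entries = sorted(har["log"]["entries"], key=lambda e: e["startedDateTime"])
    for entry in entries:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if is_under(host, cmp_domain):
            cmp_loaded = True
            continue
        if is_under(host, first_party):
            continue
        if not cmp_loaded:
            # Third-party code was requested before the CMP could block anything.
            findings.append(("ran_before_cmp", host, entry["request"]["url"]))
        for cookie in entry["response"].get("cookies", []):
            kind = ("third_party_cookie_listed_essential"
                    if cookie["name"] in declared_essential
                    else "cookie_set_after_opt_out")
            findings.append((kind, host, cookie["name"]))
    return findings

FINDINGS = audit_opt_out_capture(SAMPLE_HAR, "shop.example", "cmp.example", {"session", "uid"})
```

On the constructed capture this reports a tracker script that ran before the CMP loaded, a third-party cookie that the site's own list calls essential, and an advertiser cookie set after the opt-out.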

Roles And Responsibilities 

In the light of the results, the researchers say that regulators have a responsibility to ensure that online services abide by the laws and should be using automated mechanisms (such as the framework created by the researchers) to detect infringements of regulations at scale. The researchers say this could be done by periodically using their framework at several vantage points, or as a browser extension.

The researchers also pointed to the fact that website developers have an important role in enforcement of regulations and could deploy CMPs that are better at conveying and enforcing user consent.  

What Does This Mean For Your Business? 

The research has revealed that some CMPs may not be effective in terms of compliance with data protection laws because they can be inaccurately deployed, or because advertisers can use side-channel information to get around matters of consent. This means that although CMPs are being trusted to handle consent and compliance with data protection and privacy laws, some prominent advertisers using them may actually be in potential violation of GDPR and CCPA. Users' negative consent is also effectively being ignored in some cases, which may be a violation of their rights under data protection laws. It could be concluded, therefore, that CMPs can be unreliable and regulations as a sole means of privacy protection can't be relied upon.

Without the research, this would not have been known about because there doesn’t appear to have been a framework that could be used to test the effectiveness of CMPs until the researchers made one, which indicates that the problem may be more widespread than first thought.

Advertisers and businesses may, therefore, be leaving themselves open to potential fines under data protection and privacy laws because they are not respecting user opt-out decisions. Regulators may now need to increase detection and enforcement, and businesses may need to check that their CMPs are working properly and may need to consider additional measures to cover themselves. Also, as suggested by the researchers, “CMPs, advertisers, website developers, and regulators should work together to define protocols for conveying and enforcing consent.” 
