Opted Out, Yet Tracked: Are Regulations Enough to
Protect Your Privacy?

Online trackers capture users browsing histories and activities across the web to facilitate online behavioral advertising, among other use cases (FTCDataBrokers, ). Online tracking is typically conducted through cookies that are set by third party resources loaded on websites, with the key idea being third parties having cross-site access to their cookies. Since most third parties are present on a limited number of websites, they often partner with each other to increase their coverage. Prior research has shown that trackers engage in data sharing partnerships and exchange cookies with as much as 118 other third parties (Englehardt16MillionSiteMeasurementCCS, ), which allows them to increase their coverage by as much as 7 times (PapadopoulosCookieSynchronization19WWW, ).

Online tracking, and especially tracking driven advertising, poses a serious threat to users’ privacy both at the individual and the societal level. At the individual level, trackers collect sensitive personal information, for example, about health and sexual orientation, which is then used to hyper-target the individuals, for instance, through personalized ads (targeted_ads_wp, ; targeted_ads_vox, ). At the societal level, tracking driven advertising has been leveraged to conduct mass surveillance (mass_surveillance_ads, ), increase political polarization (AliAdDeliveryPolarization21WSDM, ), spread misinformation (misinformation_ads, ), and discriminate (discrimination_ads, ). Overall, people are frustrated by the privacy harms facilitated by online tracking.

Header bidding (HB_protocol, ) is a strategy in which websites, known as publishers, allocate various advertising slots for advertisers. The advertiser with the most competitive bid wins the opportunity to showcase their ads within the relevant ad slots. In the context of client-side header bidding, users can conveniently view all the bids directly from their web browser. A prominent illustration of this approach is demonstrated by prebid.js (prebid, ). We’ve identified the Alexa top 100K websites, encompassing those with advertisements (e.g., cnn.com) and those without (e.g., google.com), to verify their utilization of prebid.js. Our findings revealed that 5421 websites are employing prebid.js with the standard API label pbjs (Personalized custom API labels are also utilized within prebid.js, and these are excluded from our tally of detections.). This signifies that over 5% of websites continue to employ prebid.js.

In contrast, server-side header bidding involves conducting the bidding auction on the ad server instead of the user’s browser. Consequently, the bids from participating advertisers remain concealed from the web user’s perspective. Noteworthy instances of server-side header bidding include Google Open Bidding, Amazon TAM, and Prebid Server. Comparing to server-side header bidding, the client side header bidding has the following advantages:

1. (1)

   Through header bidding, publishers retain the ability to select buyers via header bidding wrappers. Additionally, publishers have the authority to set the minimum price for each ad unit. Consequently, the entire auction process becomes visible and clear for both publishers and advertisers. However, such transparency is not as pronounced with server-side header bidding. While publishers still determine the floor price, they lack visibility into the buyers participating in the auction, resulting in a more concealed auction process.

2. (2)

   The primary rationale for favoring client-side header bidding over server-side header bidding lies in auction management. Header bidding wrappers empower publishers to oversee and manage the auction. Publishers can add buyers, establish timeout configurations, and ensure simultaneous bid requests to all buyers using these wrappers. In contrast, server-side header bidding involves the server reaching out to buyers and initiating bid requests, hence the management is primarily executed by the server.

3. (3)

   Client-side header bidding enables advertisers to directly access ad units from publishers’ web pages using wrappers, thereby gaining access to user cookie data. This data can be further employed for targeted advertising. Conversely, server-side header bidding encounters limitations in cookie matching.

Since the server-side header bidding does not expose auction at the client side, we do not consider it in our measurements.

To evaluate if there are significant differences in advertisers bidding behavior when users opt-out under GDPR and CCPA, we conduct Mann-Whitney U test of statistical significance (cohen1977statistical, ). Mann-Whitney U test is a nonparametric test to compare the differences between two distributions. Since we perform multiple comparisons, i.e., compare bid values for all 16 personas, we also conduct Bonferroni correction on the statistical test. Our null hypothesis is that the bid distributions for opt-in and opt-out are similar to each other. We reject the null hypothesis, when the p-value (after correction, i.e., original value multiplied by 16) is less than 0.05 (reflecting a 95% confidence interval), i.e., the distributions are statistically different. We also measure the magnitude of the difference between bid values by calculating the effect size (cohen1977statistical, ). Effect size less than 0.3, between 0.3 and 0.5, and greater than 0.5 is considered small, medium, and large, respectively. Effect sizes are reported only in cases where statistically significant differences are observed. In instances where no bids are accumulated under either opt-out or opt-in conditions, the calculation of p-value and effect size becomes unfeasible, as these measures necessitate two datasets for meaningful comparison.

Prior research has identified that online services design unintuitive and hard to navigate data access interfaces (alizadeh2020gdpr, ; habib19optout, ), trick users into giving positive consent (Matte20SPDoCookieBanners, ), and do not include controls to opt-out of data selling (dnsmpi, ). Alizadeh et al. (alizadeh2020gdpr, ) conducted a user study to understand data rights under GDPR and identified that the participants find data access interfaces unintuitive and hard to navigate. Specifically, users prefer structured and easy-to-navigate data usage reports in contrast to data dumps, that are hard to explore. Habib et al. (alizadeh2020gdpr, ) conducted a measurement study of 150 websites and identified that the privacy controls were hard to locate on the majority of websites. Furthermore, in several instances, links to privacy control did not lead to stated choices. Matte et al. (Matte20SPDoCookieBanners, ) investigated CMPs and identified that the consent is often incorrectly conveyed. Specifically, websites often register consent before the user has made any choice, register positive consent regardless of user’s choice, or nudge users to give pre-selected positive consent. Urban et al. (urban2020beyond, ) discovered that 93% of the examined websites included third-party elements originating from regions that potentially do not conform to the prevailing legal framework. More recently, Nortwick and Wilson (dnsmpi, ), conducted a measurement study of top 500K English websites and identified that only 2% of the websites provided controls to users to opt-out of data selling, i.e., “Do Not Sell My Personal Information” (DNSMPI), under CCPA. The study by Toth et al. (toth-pets22, ) found that CMPs themselves may exhibit dark patterns and could track users’ data to some extent by investigating 10 consent services from 5 CMPs deployed on different blank websites. They also identified that default configurations of consent pop-ups often violate regulations and that their configuration options may lead to non-compliance. Recently, Nguyen et al. (nguyen-ccs22, ) studied the implementation of consent notices specifically on Android apps and identified that about 20% of these apps violate at least one GDPR consent. In the study conducted by Demir et al. (demir2022reproducibility, ), a thorough examination of 114 prior research papers on web measurement was undertaken. The findings revealed a significant trend, with the majority (72.6%) of these papers lacking a comprehensive inventory of the pages they had analyzed. This has substantial implications for experiment reproducibility, as it highlights a prevalent issue where the majority of experiments cannot be replicated in terms of the specific sites and pages that were studied.

Though negligence in obtaining consent and not providing easy-to-navigate opt-out controls raises doubts on online services’ seriousness in protecting users’ data and respecting their consent, it does not automatically imply non-compliance. Prior work, to the best of our knowledge, has not directly measured non-compliance through consent notices on traditional web browsers, especially for the cases where consent is properly conveyed to the online services. To bridge that gap, in our work, we set out to audit the usage and selling of personal user data, where the user has directed online services to cease the processing and selling of their data, and their consent is properly recorded by the CMPs.

Online services, including publishers, advertisers, and trackers, do not offer much transparency in the usage and sharing of collected data, which makes it challenging to directly assess non-compliance. Though prior work has not directly measured advertisers and trackers non-compliance, they have relied on side channel information to infer the usage and sharing of user data (Olejnik14SellingPrivacyNDSS, ; lecuyer2015sunlight, ; Bashir16TrackingFlowsUsenix, ; Papadopoulos17IMCYouAreTheProduct, ; Cook20HeaderBiddingPETS, ).

A series of studies (Cook20HeaderBiddingPETS, ; Olejnik14SellingPrivacyNDSS, ; Papadopoulos17IMCYouAreTheProduct, ) leaked user interest data, in controlled experiments, and leveraged advertisers bidding behavior as a side channel to infer the usage and sharing of user data. Especially in the study (Olejnik14SellingPrivacyNDSS, ) the author mentioned that the prices for profiles “Only category” are about 40% higher than those for “New user”. Their main insight is that the advertisers bidding behavior is shaped by their pre-existing knowledge of the user, which typically results in higher bid values, as compared to bid values for users for which advertisers do not have knowledge. Specifically, higher bids made by the advertiser to which the data was leaked indicates the usage of the leaked data for ad targeting. Whereas, higher bids from the advertiser to which data was not leaked indicates the sharing of data from advertisers to which the data was leaked.

Data sharing is an essential component of online advertising ecosystem and it is baked into ad delivery protocols, such as RTB (RTB_protocol, ) and HB (HB_protocol, ) protocols. Prior work (Englehardt16MillionSiteMeasurementCCS, ; PapadopoulosCookieSynchronization19WWW, ) has identified that advertisers and trackers use ad delivery protocols, to directly share user data with each other at the client side, e.g., by cookie syncing (cookie_syncing, ). Thus, client side data sharing can be directly inferred by analyzing network requests (e.g., redirects), between advertising and tracking services.

We argue that analyzing advertisers bidding behavior and network traffic should suffice in establishing whether advertisers comply with the user consent, when they opt-out of processing and selling of their data under GDPR and CCPA. Thus, in this study, we leverage advertisers bidding behavior and network traffic to audit regulatory compliance of advertisers under GDPR and CCPA.

Recognizing the distinct bidding patterns exhibited by advertisers based on varying user interests, we undertake the simulation of 16 unique user interest personas. These personas are shaped by the categories of the top 16 Alexa-listed websites²²2Adult, Art, Business, Computers, Games, Health, Home, Kids, News, Recreation, Reference, Regional, Science, Shopping, Society, and Sports(alexa, ). Notably, our selection approach compensates for Alexa’s shift in offerings after September 2020(16_lists_github, ).The method of persona simulation involves initializing a fresh browser profile within an OpenWPM instance. This occurs on a pristine EC2 node, each furnished with an exclusive IP address. The process entails iterative visits to the top 50 websites within each category, with the browser profile being updated following each visit. Importantly, it is pertinent to highlight that our interactions were limited to the main pages of these websites. Our rationale for crafting these simulated personas rests upon their potential to persuade advertisers and trackers regarding the interests of each persona. The goal is to incentivize advertisers to submit higher bids when tailoring personalized ads for each persona. Inclusive of the aforementioned 16 personas, our study also introduces a control persona, represented by an empty browser profile. This control persona functions as a benchmark, facilitating the measurement of disparities in bidding behavior across personas. Noteworthy measures undertaken in our methodology encompass the activation of OpenWPM’s bot mitigation features and the introduction of random delays ranging between 10 to 30 seconds subsequent to loading each website. These steps serve to enhance the authenticity of user behavior emulation.

We deployed a total of 34 instances: 17 in Germany (16 personas + 1 Control) using 17 different IPs, and 17 in California (16 personas + 1 Control) using 17 different IPs.

We automated the loading of selected web pages and simulated various user interactions, including mouse movements and scrolls, with random time gaps between actions. The mouse cursor is moved by varying amounts in different directions, scrolling occurs at unpredictable intervals down the page, and waiting periods are introduced randomly to create irregular patterns in page visits. This approach is consistent with previous research in web measurement (Iqbal22USENIXKhaleesi, ; Cook20HeaderBiddingPETS, ).

We shortlist websites that support opt-out through CMPs and also implement header bidding through prebid.js. We identify such websites, by crawling Alexa top-100K websites, using OpenWPM, and probing for the presence of CMPs and prebid.js (as described in Section 3.3.1 and 3.4.2).

Table 1 lists the presence of CMPs and prebid.js on Alexa top-100K websites. We note that a large number of websites deploy CMPs but not all of them deploy prebid.js. However, scanning top-100K websites allows us to filter a meaningful number (i.e., 352) of websites that deploy CMPs and prebid.js under both GDPR and CCPA.

Next, we analyze if there is statistically significant difference between advertisers bidding patterns when users opt-out or opt-in under GDPR and CCPA. It can be seen in Table 3 that advertisers bidding behavior does not significantly changes regardless of whether users opt-out or opt-in under both GDPR and CCPA.

We further investigate cookie syncing frequency of individual advertisers. Table 5 presents the top 5 most prevalent advertisers that participate in cookie syncing, when we opt-out under both GDPR and CCPA. It can be seen from the table that advertisers participate in as many as 3 and 128 cookie syncing events when we opt-out under GDPR and CCPA with Cookiebot, respectively.

For Didomi, Onetrust, Quantcast and NAI, we did similar client-side data sharing analysis and server-side data sharing analysis, as what we did for Cookiebot. The comprehensive analysis details can be found in Appendix A.

In Didomi, significant decreases in data utilization and sharing are observed when users choose to opt-out under the guidelines of GDPR and CCPA. The decline in data usage is more pronounced under CCPA than under GDPR. Conversely, the decrease in client-side data sharing is more prominent under GDPR compared to CCPA. While the utilization of Didomi for obtaining consent noticeably minimizes targeted activities, it does not entirely eradicate them. This is evident in the continued heightened bidding for certain user profiles and the involvement of advertisements in cookie synchronization. Consequently, achieving GDPR compliance might be feasible through Didomi, but ensuring CCPA compliance might not be guaranteed for the same set of websites.

In OneTrust, differences in advertiser behavior between GDPR and CCPA were observed when users opted out. Specifically, opting out did not result in a statistically significant difference in data usage under GDPR, but it did under CCPA. The prevalence of both server-side and client-side data sharing was higher under CCPA compared to GDPR. Surprisingly, advertisers synchronized more cookies (meaning they shared more data on the client side) under CCPA compared to GDPR. This implies that compliance with GDPR and CCPA might not be guaranteed on the same websites.

In Quantcast, significant decreases in data usage and sharing aren’t observed when users choose to opt-out. Advertiser bidding behavior undergoes notable changes for 5 user personas under GDPR, albeit with a minor impact. When users opt-in under GDPR, there’s a noticeable increase in cookie syncing events. This suggests that ensuring compliance with both GDPR and CCPA might not be assured on identical websites.

In NAI, the utilization of advertisers’ data remains relatively stable. Nevertheless, advertisers tend to offer lower bids under CCPA compared to GDPR. Likewise, we have observed a marked decrease in data sharing, both on the server-side and client-side, under CCPA. As a result, it is possible that websites might not be concurrently compliant with both GDPR and CCPA regulations.

In the majority of cases within four CMPs and NAI, compliance with GDPR and CCPA regulations is lacking. There is little distinction in bids between opt-out and opt-in scenarios, and the volume of syncing events remains comparable regardless of opt-out or opt-in choices. It is plausible that some advertisers adhered to GDPR and CCPA regulations, and the CMP or NAI systems effectively functioned. Nonetheless, these advertisers were not extensively involved in most bidding events and cookie syncing occurrences. To validate this presumption, our focus shifted to advertisers, and a more extensive analysis is presented in Section 4.4.

Under GDPR processing personal data is prohibited, unless the data subject has consented to the processing (Article 6). However, under CCPA, data selling and sharing should be stopped immediately stop once consumers opt-out (Section 798.120 (a), Section 7013 (a)). Thus to eliminate the impact of data collection and sharing prior to opting-out, we conduct additional experiments where we opt-out prior to simulating personas. Similar to post opt-out, we note that under both GDPR and CCPA advertisers continue to use data even when we opt-out prior to collecting bids. We discuss advertisers bidding behavior with pre-opt-out in detail in Appendix B.

Overall we note that under CMPs most personas receive higher bids compared to control when users opt-out of data processing and selling under GDPR and CCPA. The variability in bid values, particularly higher bids as compared to control, indicates that the leaked user interests are used to target ads to users, despite users’ consent to opt-out of data processing as part of the regulations. We also note that opt-out is not statistically different from opt-in. The similarity in bid values for opt-in and opt-out indicates that the user consent in most cases does not have any effect on processing and selling of data. However some CMPs perform better than the others. For example, advertisers bidding behavior significantly changes under CCPA when the consent is conveyed through Didomi.

We note that advertisers participate in data sharing activities both at the server and the client side without user consent. At the server side, we received higher bid values from advertisers, who we did not explicitly leak user interests; which indicates potential selling and sharing from advertisers who we leaked user data. At the client side, we notice that the advertisers share unique user identifiers in plain sight and share their data with as many other advertisers.

Advertiser-offered opt-out controls are also ineffective in curbing the processing and selling of user data despite user consent to opt-out. While advertisers at large do not honor their own opt-out controls, they slightly share less data as compared to the state-enforced regulations. The following is one example set of client-side data sharing.

At a high level, CMPs block or allow cookies to enforce user consent (cookiebot_functions, ; didomi_cookies_storage, ). As a first step, CMPs scan the website and identify all first and third-party cookies. After identifying the cookies, CMPs classify them into essential (i.e., necessary for websites to operate) and non-essential (e.g., advertising, tracking, marketing, etc.) cookies. To identify necessary cookies, CMPs rely on information from the website developers To identify non-essential cookies, CMPs do not clearly disclose their techniques, but they might just be relying on information shared by advertising and tracking services about the purpose of their cookies (e.g., Google declares the purpose of their cookies (google_ads_cookies, )). Many CMPs, such as OneTrust and Cookiebot, consolidate the information across websites and maintain database of cookies and their purposes (onetrust_zero_code_cookie_block, ; cookiebot_functions, ). Consolidating information allows CMPs to automatically identify essential and non-essential cookies on new websites.

CMPs typically take user consent and store it at the client side in first-party cookies. In addition to blocking cookies, CMPs also block execution of elements (e.g., scripts, iframes, videos, images) that might exfiltrate non-essential cookies before user consent is stored. To give website developers more control in order to accurately enforce user consent and avoid breakage by blocking essential cookies, CMPs allow website developers to block or allow cookies.

There are two main ways in which advertisers might be able to process and share user information despite negative consent. One, website developers may inaccurately deploy CMPs. For example, tracking code may execute first before CMPs even have a chance to block cookies or website developers may inaccurately list non-essential cookies as essential. Two, advertisers may rely on side channel information to circumvent enforcement by CMPs. For example, advertisers may routinely change their cookies to avoid detection or they may rely on browser fingerprinting to track users (Iqbal21FPInspectorSP, ). Recently, Toth et al. (toth-pets22, ) found that CMPs themselves may violate regulations and that their configuration options may lead to non-compliance.

Our findings in general cast a serious doubt on the effectiveness of regulations as a sole means of privacy protection. Specifically, even after users opt-out through CMPs, their data may still be used and shared by advertiser. Unfortunately, in order to fully protect privacy, users still need to rely on privacy-enhancing tools, such as ad/tracker blocking browser extensions and privacy-focused browsers (e.g., Brave Browser). However, not all users may utilize privacy-enhancing tools to protect their privacy.

Website developers have an important role in enforcement of regulations. Specifically, they could deploy CMPs that are better at conveying and enforcing user consent. For example, research like ours could help inform the effectiveness of consent conveyance by different CMPs. Moving forward, we also recommended that CMPs, advertisers, website developers, and regulators should work together to define protocols for conveying and enforcing consent.

Main page and subpages: In our experiment, the framework exclusively accessed the main pages of each training website. Discrepancies may arise between visits to main pages and the inclusion of subpages (aqeel2020landing, ). Our analysis indicates that opting out on testing websites does not prevent tracking when solely accessing their main pages. Our primary aim was to illustrate that opting out does not guarantee evasion of tracking. The possibility of training personas by exploring subpages of training websites remains a potential avenue for future exploration. Notably, the focus of visiting testing websites was to gather bid data, rather than persona training, which is why we limited our visits to main pages.

CCPA applicability criteria: CCPA applies to online services that meet its broad applicability criteria. Specifically, as per Section 1798.140 (c) (1), CCPA applies to online services, that have an annual revenue of more than $ 25 million, annually sell data of more than 50K California residents, or earn more than 50% of their revenue from the sale of personal data of California residents. Since most information required to determine applicability is not publicly available, it is challenging to determine the applicability criteria at scale (dnsmpi, ). Thus, for our study, we did not strictly follow the CCPA applicability criteria. However, it is noteworthy that the prevalent advertisers (Table 5) in our dataset are mostly large corporates with revenue exceeding hundreds of millions (appnexux_revenue, ; pubmatic_revenue, ).

Sample size: In comparison to prior work that analyzed ad bidding (e.g., Cook et al. (Cook20HeaderBiddingPETS, ) analyzed 25 websites), we analyze a substantially large number of websites (i.e., 352 that support Didomi, Quantcast, OneTrust, and CookieBot). We also repeat our measurements several times (i.e., 8 times) to reduce the chance of the sample size biasing our results. In future, researchers could further increase the sample size by incorporating websites that support various CMPs. We leave the non-trivial task of automating opt-outs from different CMPs at scale as future work. In future, researchers could also rely on alternative methodologies that use ad content e.g., (musa2022atom, ), to eliminate the need to rely on ad bidding altogether for inference of data usage and sharing. Such techniques might allows researchers to audit online services at a much larger scale.

Server-side data sharing: We rely on the insight, also leveraged by prior research (Cook20HeaderBiddingPETS, ; Bashir16TrackingFlowsUsenix, ), that the advertisers behavior is shaped by their pre-existing knowledge of the user. Using that insight, we make an inference that higher bids from advertisers to which data was not leaked indicates the sharing of data from advertisers to which the data was leaked. However, there may be other additional uncontrolled factors that might impact the bids.

Automated data collection: We rely on OpenWPM to automatically collect bids and use Amazon’s EC2 cloud platform to simulate crawls from Germany and California. In order to more accurately simulate real users, we enable bot mitigation in OpenWPM and also randomly wait between 10–30 seconds after loading each website. We also refrain from using public proxy servers, which may be black listed, and instead rely on Amazon EC2.