Skip to Main content Skip to Navigation
Preprints, Working Papers, ...

Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

Cristiana Santos 1 Nataliia Bielova 2 Célestin Matte 3
1 INDES - Secure Diffuse Programming
CRISAM - Inria Sophia Antipolis - Méditerranée
2 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract : In this work, we analyze the legal requirements on cookie banners as a consent mechanism in Web applications. We describe how banners are supposed to be implemented to be fully compliant with the ePrivacy Directive and the GDPR. Our contribution resides in the definition of 22 operational and fine-grained requirements on cookie banner design that are legally compliant, and moreover, we define whether and when the verification of compliance of each requirement is feasible. The definition of requirements emerges from a joint interdisciplinary analysis composed of lawyers and computer scientists in the domain of web tracking technologies. As such, while some requirements are provided by explicitly codified legal sources, others result from the domain-expertise of computer scientists. In our work, we match each requirement against existing cookie banners designs of websites. We exemplify each requirement with compliant and non-compliant cookie banners. For each requirement, we perform a technical assessment to decide if technical (with computer science tools), manual (with any human operator) or user studies (with a significant number of users) verification is needed to assess compliance of consent. We show that it's not possible to fully assess compliance with the law for the majority of requirements because of the current architecture of the Web. With this approach, we aim to support practically-minded parties (compliance officers, regulators, privacy NGOs, researchers, social and computer scientists) to assess compliance and detect violations in cookie banners' design and implementation, specially under the current revision of the EU ePrivacy framework.
Complete list of metadatas

Cited literature [45 references]  Display  Hide  Download

https://hal.inria.fr/hal-02875447
Contributor : Nataliia Bielova <>
Submitted on : Friday, June 19, 2020 - 4:51:08 PM
Last modification on : Wednesday, July 8, 2020 - 12:43:31 PM

File

Journal paper 19-6-2020.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-02875447, version 1

Citation

Cristiana Santos, Nataliia Bielova, Célestin Matte. Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. 2020. ⟨hal-02875447⟩

Share

Metrics

Record views

407

Files downloads

2230