Websites often provide visitors with the opportunity to opt out of data collection. This is not out of their abundant concern for your privacy – it’s the law and they’re forced to do it. But according to a trio of privacy researchers, opting out doesn’t always work – visitor data still gets collected.
Legal frameworks like Europe’s General Data Protection Regulation (GDPR) require websites and associated third parties to get consent before collecting and processing personal data. To help website operators comply with that requirement, vendors like Didomi, Quantcast, OneTrust, and Usercentrics offer what’s known as a consent management platform (CMP).
Yet computer scientists Zengrui Liu (Texas A&M University), Umar Iqbal (University of Washington), and Nitesh Saxena (Texas A&M University) devised an auditing mechanism to test the effectiveness of CMP-based opt-out controls and found these platforms don’t necessarily ensure compliance with GDPR and CCPA requirements.
They describe their findings in a paper [PDF] titled “Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?”
This story originally appeared on The Register.