Breaking the illusion: Automated Reasoning of GDPR Consent Violations
Ying Li, Wenjun Qiu, Faysal Hossain Shezan, Kunlin Cai, Michelangelo van Dam, Lisa Austin, David Lie, Yuan Tian

TL;DR
This paper introduces Cosmic, an automated tool that detects GDPR consent violations in web forms, revealing widespread non-compliance across thousands of websites with high accuracy, thus addressing a critical gap in privacy regulation enforcement.
Contribution
The paper presents Cosmic, a novel automated framework for identifying consent violations in web forms, significantly advancing privacy compliance auditing methods.
Findings
Detected violations in 94.1% of consent forms
Achieved 98.6% true positive rate for consent detection
Achieved 99.1% true positive rate for violation detection
Abstract
Recent privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have established legal requirements for obtaining user consent regarding the collection, use, and sharing of personal data. These regulations emphasize that consent must be informed, freely given, specific, and unambiguous. However, there are still many violations, which highlight a gap between legal expectations and actual implementation. Consent mechanisms embedded in functional web forms across websites play a critical role in ensuring compliance with data protection regulations such as the GDPR and CCPA, as well as in upholding user autonomy and trust. However, current research has primarily focused on cookie banners and mobile app dialogs. These forms are diverse in structure, vary in legal basis, and are often difficult to locate or evaluate, creating a…
Taxonomy
Topics: Privacy, Security, and Data Protection · Ethics and Social Impacts of AI · Mobile Crowdsensing and Crowdsourcing
