Navigating Cookie Consent Violations Across the Globe

Jun 10, 25
Pdf Code Slides

Information

Authors

Brian Tang, Duc Bui , Kang G. Shin

Conference

34th USENIX Security Symposium (2025)

Blog

Intro

Online services provide users with cookie banners to accept/reject the cookies placed on their web browsers. Despite the increased adoption of cookie banners, little has been done to ensure that cookie consent is compliant with privacy laws around the globe. Prior studies have found that cookies are often placed on browsers even after their explicit rejection by users. These inconsistencies in cookie banner behavior circumvent users’ consent preferences and are known as cookie consent violations. To address this important problem, we propose an end-to-end system, called ConsentChk, that detects and analyzes cookie banner behavior. ConsentChk uses a formal model to systematically detect and categorize cookie consent violations. We investigate eight English-speaking regions across the world, and analyze cookie banner behavior across 1,793 globally-popular websites. Cookie behavior, cookie consent violation rates, and cookie banner implementations are found to be highly dependent on region. Our evaluation reveals that consent management platforms (CMPs) and website developers likely tailor cookie banner configurations based on their (often incorrect) interpretations of regional privacy laws. We discuss various root causes behind these cookie consent violations. The resulting implementations produce misleading cookie banners, indicating the prevalence of inconsistently implemented and enforced cookie consent between various regions.

Design Overview

ConsentChk activates cookie banner menus by using a cookie-button extractor and a menu activator. When accessing a web page, if a cookie banner menu is not detected, the extractor analyzes HTML elements to extract the candidate cookie banner buttons that may activate a menu. Cookie consent preferences are extracted in two steps: (1) cookie-category consent and (2) cookies in each category. Finally, cookie consent violations are detected and classified.
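To make the detection step concrete, here is a small classifier written for this post as an added example; it is not ConsentChk's code and makes no claim about how the paper's formal model is implemented. It takes the two extraction outputs described above (the CMP's category list and the cookies declared under each category), the user's per-category choice, and the cookies actually present in the browser after that choice, and labels each observed cookie as an undeclared cookie, an ignored cookie rejection, or compliant. The sample cookie library, consent choice, and observed cookie jar are constructed for illustration; the wildcard matching for prefix-style declarations such as `_ga_*` and the "missing category counts as rejected" rule are assumptions of this example, and the third violation type from the paper (wrong cookie category) is out of scope because it needs a ground-truth category database.

```python
"""Added example: classify observed cookies against a CMP cookie library.

Step 1 of the extraction yields the categories the banner offers; step 2
yields the cookies declared under each category. Both are modelled by the
`cookie_library` dict below (category -> declared cookie names/patterns).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

NECESSARY = "necessary"  # category that never requires consent


@dataclass(frozen=True)
class Violation:
    cookie: str
    kind: str   # "undeclared" or "ignored_rejection"
    detail: str


def flatten_library(cookie_library):
    """Invert category -> [cookie names] into cookie name -> category."""
    return {name: category
            for category, names in cookie_library.items()
            for name in names}


def lookup_category(name, declared):
    """Declared category for a cookie name, or None if it is undeclared.
    Wildcard entries such as '_ga_*' are honoured (assumption of this example)."""
    if name in declared:
        return declared[name]
    for pattern, category in declared.items():
        if "*" in pattern and fnmatchcase(name, pattern):
            return category
    return None


def detect_violations(cookie_library, consent, observed):
    """observed: cookie name -> (setting host, is_third_party).
    consent:  category -> True (accepted) / False (rejected).
    A declared category that the banner never offered is treated as rejected,
    since the user could not have accepted it."""
    declared = flatten_library(cookie_library)
    violations = []
    for name, (host, third_party) in sorted(observed.items()):
        category = lookup_category(name, declared)
        party = "3rd-party" if third_party else "1st-party"
        if category is None:
            violations.append(Violation(
                name, "undeclared",
                f"{party} cookie set by {host} is not in the cookie library"))
            continue
        if category == NECESSARY:
            continue
        if not consent.get(category, False):
            violations.append(Violation(
                name, "ignored_rejection",
                f"category '{category}' was rejected but {party} cookie was set by {host}"))
    return violations


def summarize(violations):
    counts = {"undeclared": 0, "ignored_rejection": 0}
    for v in violations:
        counts[v.kind] += 1
    return counts


# Constructed sample data (not from the paper's measurements).
SAMPLE_LIBRARY = {
    "necessary":   ["session_id"],
    "analytics":   ["_ga", "_ga_*"],
    "advertising": ["IDE"],
}
SAMPLE_CONSENT = {"necessary": True, "analytics": False, "advertising": False}
SAMPLE_OBSERVED = {
    "session_id":  ("example.com", False),      # compliant: necessary
    "_ga":         ("example.com", False),      # rejected analytics, still set
    "_ga_ABC123":  ("example.com", False),      # matches the '_ga_*' declaration
    "IDE":         ("doubleclick.net", True),   # rejected advertising, still set
    "test_cookie": ("doubleclick.net", True),   # never declared at all
}

if __name__ == "__main__":
    found = detect_violations(SAMPLE_LIBRARY, SAMPLE_CONSENT, SAMPLE_OBSERVED)
    for v in found:
        print(f"{v.kind:18} {v.cookie:12} {v.detail}")
    print(summarize(found))
```

Running the sample reports one undeclared cookie (`test_cookie`) and three ignored rejections (`_ga`, `_ga_ABC123`, `IDE`); the necessary `session_id` is never flagged. Note the asymmetry the paper's Finding 4 turns on: an undeclared cookie can never be an ignored rejection, because there is nothing in the banner for the user to reject.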

Methodology

We first crawled the top 20k websites of the Tranco list from November 2023 (ID: 5Y3LN) from all 8 regions. We selected the 10,436 websites that have an English homepage and loaded successfully for further analysis with ConsentChk. Close to 1.8k websites across all regions contained a detected cookie banner. After this initial crawl, we recrawled the union of those sites (the ones that loaded successfully and showed a cookie banner in at least one region) 10 times. Each measurement iteration crawled all 8 regions and took roughly 8–12 hours, so the 10 measurements spanned about one week.

We conducted experiments in a distributed framework based on Docker Swarm on 4 machines with 1.08TB RAM and 96 task queue workers. The cookie-consent scanning of the 10,436 websites took 40 hours to perform the measurements from the 8 locations. The crawls were performed during October 4–12, 2024.

We evaluate detection performance in regions whose privacy regulations generally require user consent before data collection. We selected Ireland, the UK, California, Michigan, Canada, South Africa, Singapore, and Australia as the eight measurement locations. These locations were chosen because (1) websites there are displayed in English and (2) each location has a privacy framework requiring notices prior to data collection (except Michigan, which serves as a control for a US state without CCPA-like privacy laws). We measured the websites from IP addresses in each region using proxies running on AWS and DigitalOcean, two major cloud providers.

Results

Finding 1: The US has the most cookies, undeclared cookie violations, and ignored cookie rejection violations. Even in CA, the state with the strictest privacy laws, the prevalence of undeclared cookies per site was found to be higher than the EU by 5.49%. The total undeclared cookie and ignored cookie rejection violation counts across 10 measurements in the US (MI) were 250,447 and 128,871 cookies, respectively.

Finding 2: Cookies are much more prevalent in the non-GDPR regions. European countries have the fewest 1st- and 3rd-party cookies placed on websites (EU has roughly 15.66 1st-party cookies per site and 8.88 3rd-party cookies per site, respectively). The US-MI has the most, with roughly 35.4 (1st-party) and 29.03 (3rd-party) cookies per site, followed by all other non-EU regions with between 27.14–29.26 1st-party cookies per site.

Finding 3: 3rd-party cookies still constitute a large number of cookie consent violations across regions. While the EU and UK have significantly fewer 3rd-party cookies (Figure 4c), all other regions have a large number of 3rd-party cookies placed on each site. Third-party cookies in the US made up roughly 29.03 cookies per site, while websites in the EU and UK contained the fewest, with an average of 8.88 and 9.16 cookies per site, respectively. These differences between regions were found to be statistically significant.

Finding 4: Regions with fewer undeclared cookie consent violations have more ignored cookie rejection and wrong cookie category violations. Figures 5a and 5b show an inverse correlation between the number of ignored rejection violations and the number of undeclared cookie consent violations. Most likely, website developers are more vigilant about categorizing undeclared cookies for GDPR compliance but neglect to update their non-GDPR CMP cookie lists. Consequently, sites in the EU and UK have higher rates of ignored cookie rejections, likely because more cookies are declared but the CMP scripts that should block them are not properly implemented. Undeclared cookies, by contrast, are placed regardless of rejection: since they are absent from the cookie library, the user is never given the option to reject them.

Finding 5: Cookie placement and violation rates can be categorized into three groups: EU/UK (fewest cookies, highest compliance), CA, AU, SG, CAN, ZA (moderate cookie count and compliance), US (most cookies, lowest compliance). Without any privacy regulations, the US has poor cookie practices. In our analysis of websites’ cookies and cookie consent violations, we ran pairwise comparisons on websites between different regions, discovering that all other regions, particularly the US, have a significant increase in cookie count and cookie consent violations compared to the EU and UK. These discrepancies were found to be statistically significant.

Finding 6: Cookie banners, their UIs, and their functionalities differ across regions. Across the 8 studied regions, the cookie libraries and cookie banners show a significant number of differences in their configurations. The EU and US have the most pairwise disparities in cookie banner parameters. SG (5,084), ZA (5,097), and CA (4,870) also differ substantially from the EU in their cookie banner implementations, while Canada (3,050) and Australia (2,705) differ less. Websites in the EU and UK have more privacy-preserving configurations than other regions (consent models, reject-all button appearance, etc.).

Discussion

We analyzed OneTrust's and Cookiebot's documentation and demos to gain insight into whether CMPs or website developers hold responsibility for cookie consent violations. Although CMPs may act as data controllers or processors, both parties share responsibility. CMPs need to provide stronger guardrails, easier integration methods, support for more legal frameworks, and clearer documentation. Site owners need to ensure that no undeclared cookies remain, properly implement cookie/script blocking, and keep their CMP integrations updated. We find that most undeclared cookies result from either website developers not categorizing cookies or CMP crawlers missing some cookies, whereas ignored cookie rejections stem from developers not integrating CMP scripts correctly.

Citation

@inproceedings{tang2025cookie,
    title={Navigating Cookie Consent Violations Across the Globe},
    author={Tang, Brian and Bui, Duc and Shin, Kang G.},
    booktitle={34th USENIX Security Symposium},
    year={2025},
}