Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

2 minute read

Publish Date:

Overview. GDPR (in the EU) and CCPA (in California) are two of the first “User Data Right” policies in existence. The goal of these policies is to give the user rights’ over their data, which has been commodified by advertisers and trackers. These rights enable users’ to know “what” is collected from them, “why” it is collected and by “whom”. In addition, the users’ can also “opt out” of their data being shared/sold.

Compliance Measurement. Enforcement of these laws has lead to several big tech companies getting served massive fines for non-compliance. However, most of these cases have been reactive (to media or consumer reports) rather than pro-active. Mostly because these laws are not mature enough and there is no systematic mechanism to measure compliance of these rights. Keeping this in mind, the authors of this work create a framework that measures compliance of the “opt out” right.

Compliance Proxy. Similar to most of these user rights, the opt out right does not have a systemic way to be measured other than the word of the businesses asked to stop sale/sharing of user data. To this end, the authors use advertiser bids as a proxy to measure compliance. Based on insights from previous works, they hypothesize that advertisers bid differently on users’ they know more about as compared to unknown users’. Hence, a user that opts out of their data being shared/sold, should receive different bid values as compared to users’ who do not.

Crawling Infrastructure. The measurement infrastructure has 3 major components: (1) Persona training (2) Managing Opt Out (3) Collecting Ads. The first component is executed in consistency with previous similar work that trains personas online (by creating search history). To opt out/in of businesses selling their data, they use OpenWPM to automate the process of managing opting out\in on ~20 websites that support opt out via CookieBot and OneTrust (platforms that manage execution of user data rights). After opting out, they use prebid.js (javascript API) to collect ads from websites. They repeat this process for 16 categories of personas (gathered from Alexa) plus one control profile (no browsing history). Next, to measure affects of opting in as compared to opting out, they repeat this entire process while opting in to businesses selling/sharing their data.

Results. Analyzing the bid values, the authors are able to show no significant difference between opting in and opting out. Indicating no significance, or faulty implementation of opting out functionality. Furthermore, they show advertisers bid higher for personas as compared to control, indicating they have previous knowledge about the persona. Since opt out should have restricted this knowledge flow, this shows lack of compliance w.r.t opting out functionality.

Conclusion. In summary, this paper sheds insights on how businesses are avoiding compliance to user data rights. Furthermore, this work highlights the difficulty and need, of a systematic compliance measuring framework.