Search papers, labs, and topics across Lattice.
This paper analyzes the evolution of GDPR cookie banner compliance from 2018 to 2024, focusing on the roles of publishers, regulators, and Consent Management Platforms (CMPs) in shaping user preferences for online tracking. The study evaluates 11,364 websites across 30 countries, revealing that the presence of a "reject all" button has increased compliance rates from 2.94% to 30.66%, largely driven by website owners rather than CMPs. The findings underscore the need for uniform regulatory guidance and oversight of CMPs to enhance user privacy across the EU digital landscape.
Compliance with GDPR cookie banner regulations has surged, but it's website owners鈥攏ot CMPs鈥攍eading the charge for user privacy.
Since the introduction of the GDPR in 2018, cookie banners have become the primary mechanism for users to express preferences on online tracking and advertising. Consequently, their visual design and the options they present significantly influence user choice. Over time, the cookie banner landscape has evolved under the influence of key players, including publishers (website owners), regulators, and Consent Management Platforms (CMPs). This paper presents an in-depth analysis of the roles of these three key actors and an examination of their impact on cookie banners' design and implementation within the context of EU law. Our results, based on a historical evaluation of 11364 websites across 30 countries, indicate a positive evolution in the privacy landscape, with the compliance rate for websites featuring a "reject all" button increasing from 2.94% in 2018 to 30.66% in 2024. We analyze Data Protection Authority (DPA) activity and find a clear correlation between higher compliance rates and stronger regulatory action and guidance. Our experiments further show that compliance improvements are primarily driven by website owners, with CMPs showing little response to regulatory action or (indirect) influence on compliance rates. Our findings highlight the importance of more uniform collaboration and guidance among EU-level regulators to reduce interpretive divergence and simplify cookie banner compliance, as well as the need for regulatory oversight of CMPs, which in turn could significantly enhance privacy for many websites and users. Our work provides a foundation for academics, regulators, and industry to develop more effective strategies to motivate key players and promote greater user privacy.