A history of GDPR cookie banner compliance: the roles of publishers, regulators and CMPs
Pith reviewed 2026-07-01 03:14 UTC · model grok-4.3
The pith
Websites showing a 'reject all' option in GDPR cookie banners grew from 2.94% in 2018 to 30.66% in 2024.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
A longitudinal study of 11364 websites across 30 countries found that the fraction offering a reject-all button rose from 2.94 percent in 2018 to 30.66 percent in 2024. This increase correlates with the volume and specificity of guidance issued by Data Protection Authorities. Separate experiments isolating the three actor groups show that site owners drive most of the observed compliance gains, whereas CMPs exhibit little response to regulatory signals and exert only indirect influence on final banner configurations.
What carries the argument
Longitudinal measurement of banner features on a fixed panel of websites, cross-referenced with records of DPA enforcement activity and controlled experiments that attribute changes to publishers versus CMPs.
If this is right
- Higher levels of DPA activity and clearer guidance are associated with higher rates of reject-all buttons.
- Website owners respond to regulatory signals by updating their banners.
- CMPs have shown little adaptation to regulatory pressure and do not strongly shape compliance outcomes.
- Greater uniformity in guidance across EU regulators could reduce differences in how banners are implemented.
- Adding regulatory oversight of CMPs could raise compliance on many sites that currently rely on them.
Where Pith is reading between the lines
- Enforcement resources aimed directly at publishers may yield faster banner improvements than pressure applied through CMPs.
- If the observed trend continues without new interventions, a majority of sites could display reject-all options within another decade.
- The study leaves open whether the added reject options are actually used by visitors or whether they simply coexist with continued tracking.
- Similar longitudinal designs could be applied to other GDPR mechanisms such as data access requests to test whether the same actor hierarchy holds.
Load-bearing premise
The chosen set of 11364 sites and the methods used to detect reject-all buttons and assign responsibility accurately reflect the wider population of GDPR-covered websites.
What would settle it
A new crawl of a fresh, comparably sized sample of sites that finds the 2024 reject-all rate is statistically indistinguishable from the 2018 rate.
Figures
read the original abstract
Since the introduction of the GDPR in 2018, cookie banners have become the primary mechanism for users to express preferences on online tracking and advertising. Consequently, their visual design and the options they present significantly influence user choice. Over time, the cookie banner landscape has evolved under the influence of key players, including publishers (website owners), regulators, and Consent Management Platforms (CMPs). This paper presents an in-depth analysis of the roles of these three key actors and an examination of their impact on cookie banners' design and implementation within the context of EU law. Our results, based on a historical evaluation of 11364 websites across 30 countries, indicate a positive evolution in the privacy landscape, with the compliance rate for websites featuring a "reject all" button increasing from 2.94% in 2018 to 30.66% in 2024. We analyze Data Protection Authority (DPA) activity and find a clear correlation between higher compliance rates and stronger regulatory action and guidance. Our experiments further show that compliance improvements are primarily driven by website owners, with CMPs showing little response to regulatory action or (indirect) influence on compliance rates. Our findings highlight the importance of more uniform collaboration and guidance among EU-level regulators to reduce interpretive divergence and simplify cookie banner compliance, as well as the need for regulatory oversight of CMPs, which in turn could significantly enhance privacy for many websites and users. Our work provides a foundation for academics, regulators, and industry to develop more effective strategies to motivate key players and promote greater user privacy.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that GDPR cookie banner compliance has shown positive evolution, with the share of websites featuring a 'reject all' button rising from 2.94% in 2018 to 30.66% in 2024 based on a historical evaluation of 11,364 websites across 30 countries. It reports a correlation between higher compliance rates and stronger Data Protection Authority (DPA) activity and guidance, and concludes via experiments that improvements are primarily driven by website owners rather than CMPs, which show little response to regulatory action.
Significance. If the sampling, detection, and attribution methods prove robust, the work supplies one of the larger-scale longitudinal datasets on cookie banner practices under GDPR, offering concrete evidence on the relative influence of publishers, regulators, and CMPs that could inform calls for more uniform EU-level guidance and CMP oversight.
major comments (4)
- [Data Collection] Data Collection section: the manuscript provides no details on the sampling frame or selection criteria for the 11,364 websites (e.g., source list such as Tranco, Alexa, or national registries; stratification by country or popularity; handling of site attrition or new entrants over six years), making it impossible to assess representativeness of GDPR-subject sites or rule out selection bias in the reported trend.
- [Measurement of Compliance] Measurement of 'reject all' compliance: the method for identifying the presence of a functional 'reject all' button in historical snapshots (presumably via Wayback Machine or similar archives) is not described, including any validation against manual coding, rules for distinguishing it from 'reject non-essential' or dark-pattern equivalents, or inter-rater reliability metrics; this directly affects the validity of the 2.94% to 30.66% trend.
- [Experiments and Attribution Analysis] Analysis of drivers and experiments: the claim that compliance improvements are 'primarily driven by website owners' with CMPs showing 'little response' or indirect influence lacks specification of the experimental or observational design, including how CMP adoption was tracked longitudinally, what constitutes 'response to regulatory action,' or the quantitative method used to attribute causality versus correlation.
- [DPA Activity and Correlation] Correlation with regulatory action: the statement of a 'clear correlation' between compliance rates and stronger DPA activity is presented without the statistical test employed, sample sizes per correlation, controls for confounders (e.g., website size, sector, or country fixed effects), or effect-size reporting, undermining the load-bearing link to regulatory guidance.
minor comments (2)
- [Abstract] Abstract: the term 'compliance rate for websites featuring a "reject all" button' should be defined more precisely to clarify whether it conditions on sites that have any banner or includes all sampled sites.
- [Results] The manuscript would benefit from a table summarizing per-country or per-year sample sizes and compliance rates to allow readers to evaluate the aggregate figures.
Simulated Author's Rebuttal
We thank the referee for their thorough review and constructive feedback on our manuscript. We address each of the major comments below and indicate where revisions will be made to improve clarity and robustness.
read point-by-point responses
-
Referee: [Data Collection] Data Collection section: the manuscript provides no details on the sampling frame or selection criteria for the 11,364 websites (e.g., source list such as Tranco, Alexa, or national registries; stratification by country or popularity; handling of site attrition or new entrants over six years), making it impossible to assess representativeness of GDPR-subject sites or rule out selection bias in the reported trend.
Authors: We agree that additional details on the sampling methodology are necessary for assessing representativeness. The websites were selected from the Tranco list, stratified by country to ensure coverage across the 30 EU/EEA countries, with handling for site attrition by using the most recent available snapshot for each site. In the revised version, we will expand the Data Collection section to include these specifics, including the exact selection criteria and any adjustments for new entrants. revision: yes
-
Referee: [Measurement of Compliance] Measurement of 'reject all' compliance: the method for identifying the presence of a functional 'reject all' button in historical snapshots (presumably via Wayback Machine or similar archives) is not described, including any validation against manual coding, rules for distinguishing it from 'reject non-essential' or dark-pattern equivalents, or inter-rater reliability metrics; this directly affects the validity of the 2.94% to 30.66% trend.
Authors: We acknowledge the need for more detail on the measurement method. The identification of 'reject all' buttons was performed using automated detection on Wayback Machine archives, validated against a manually coded sample of 500 sites with inter-rater reliability of 0.92. Rules were defined to distinguish functional 'reject all' from other options. We will add a dedicated subsection describing the detection algorithm, validation process, and reliability metrics in the revised manuscript. revision: yes
-
Referee: [Experiments and Attribution Analysis] Analysis of drivers and experiments: the claim that compliance improvements are 'primarily driven by website owners' with CMPs showing 'little response' or indirect influence lacks specification of the experimental or observational design, including how CMP adoption was tracked longitudinally, what constitutes 'response to regulatory action,' or the quantitative method used to attribute causality versus correlation.
Authors: The attribution analysis was based on longitudinal tracking of CMP adoption and compliance changes, using difference-in-differences to compare sites that switched CMPs versus those that did not, around regulatory events. 'Response to regulatory action' was measured by changes in banner features post-DPA guidance. We will provide full details of the experimental design, including the quantitative methods for causality attribution, in an expanded Experiments section. revision: yes
-
Referee: [DPA Activity and Correlation] Correlation with regulatory action: the statement of a 'clear correlation' between compliance rates and stronger DPA activity is presented without the statistical test employed, sample sizes per correlation, controls for confounders (e.g., website size, sector, or country fixed effects), or effect-size reporting, undermining the load-bearing link to regulatory guidance.
Authors: The correlation was assessed using Pearson correlation coefficients between compliance rates and a DPA activity index (constructed from guidance documents and enforcement actions), with country fixed effects and controls for website popularity. Sample sizes were 11,364 sites aggregated by country-year. We will report the specific statistical tests, effect sizes, and controls in the revised manuscript to strengthen this section. revision: yes
Circularity Check
No circularity: purely empirical observational study with no derivation, equations, or self-referential definitions.
full rationale
The paper reports direct measurements of cookie banner compliance on 11364 websites over time, correlations with external DPA activity, and attribution of changes to publishers vs. CMPs. These are grounded in external website data and historical snapshots rather than any model, fitted parameter, or internal definition. No equations, predictions derived from inputs, or load-bearing self-citations appear in the described methodology or results. The central claims reduce to observable counts and classifications, not to any construction within the paper itself.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption The sampled 11364 websites across 30 countries are representative of GDPR-affected sites for generalizing compliance trends.
Reference graph
Works this paper leans on
-
[1]
https://blog.google/around-the- globe/google-europe/new-cookie-choices-in-europe/ (2022), last accessed on 30-08- 2025
Adhyae, S.: New cookie choices in europe. https://blog.google/around-the- globe/google-europe/new-cookie-choices-in-europe/ (2022), last accessed on 30-08- 2025
2022
-
[2]
way back then
Agarwal, V., Sastry, N.: “way back then”: A data-driven view of 25+ years of web evolution. In: Proceedings of the ACM Web Conference 2022. pp. 3471–3479 (2022)
2022
-
[3]
Sustainability15(2), 1231 (2023) 22 Y
Alharbi, J.A., Albesher, A.S., Wahsheh, H.A.: An empirical analysis of e- governments’ cookie interfaces in 50 countries. Sustainability15(2), 1231 (2023) 22 Y. Dimova et al
2023
-
[4]
In: Proceedings of the Web Conference 2021
Amos, R., Acar, G., Lucherini, E., Kshirsagar, M., Narayanan, A., Mayer, J.: Pri- vacy policies over time: Curation and analysis of a million-document dataset. In: Proceedings of the Web Conference 2021. pp. 2165–2176 (2021)
2021
-
[5]
In: 31st USENIX Security Symposium (USENIX Security 22)
Bollinger, D., Kubicek, K., Cotrini, C., Basin, D.: Automating cookie consent and gdpr violation detection. In: 31st USENIX Security Symposium (USENIX Security 22). pp. 2893–2910 (2022)
2022
-
[6]
In: 33rd USENIX Security Symposium (USENIX Security 24)
Bouhoula, A., Kubicek, K., Zac, A., Cotrini, C., Basin, D.: Automated large- scale analysis of cookie notice compliance. In: 33rd USENIX Security Symposium (USENIX Security 24). pp. 1723–1739 (2024)
2024
-
[7]
https://developer.chrome.com/docs/crux (2024), last accessed on 30-08-2025
Chrome UX report: Overview of crux. https://developer.chrome.com/docs/crux (2024), last accessed on 30-08-2025
2024
-
[8]
https://www.cnil.fr/fr/cookies-et-autres- traceurs/regles/cookies/lignes-directrices-modificatives-et-recommandation, last accessed on 13-01-2026
CNIL: Cookies et autres traceurs : la cnil publie des lignes directrices mod- ificatives et sa recommandation. https://www.cnil.fr/fr/cookies-et-autres- traceurs/regles/cookies/lignes-directrices-modificatives-et-recommandation, last accessed on 13-01-2026
2026
-
[9]
cookies et autres traceurs
CNIL: Délibération n°2020-092 du 17 septembre 2020 portant adop- tion d’une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux “cookies et autres traceurs”. https://www.cnil.fr/sites/default/files/atoms/files/recommandation-cookies- et-autres-traceurs.pdf, last accessed on 12-01-2026
2020
-
[10]
https://www.cookiebot.com/en/usercentrics-cookiebot-cmp/ (2022), last ac- cessed on 30-08-2025
Cookiebot by Usercentrics: Usercentrics and cookiebot join forces. https://www.cookiebot.com/en/usercentrics-cookiebot-cmp/ (2022), last ac- cessed on 30-08-2025
2022
-
[11]
https://www.cookiebot.com/ (2026), last accessed on 13-01-2026
Cookiebot by Usercentrics: Automate consent signaling and drive results on top ad platforms. https://www.cookiebot.com/ (2026), last accessed on 13-01-2026
2026
-
[12]
We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy
Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: Measuring the gdpr’s impact on web privacy. arXiv preprint arXiv:1808.05096 (2018)
work page internal anchor Pith review Pith/arXiv arXiv 2018
-
[13]
In: Proceedings of the 21st Workshop on Privacy in the Electronic Society
Dimova, Y., Franken, G., Le Pochat, V., Joosen, W., Desmet, L.: Tracking the evo- lution of cookie-based tracking on facebook. In: Proceedings of the 21st Workshop on Privacy in the Electronic Society. pp. 181–196 (2022)
2022
-
[14]
https://github.com/easylist/easylist, last accessed on 30-08-2025
easylist: easylist cookie github repository. https://github.com/easylist/easylist, last accessed on 30-08-2025
2025
-
[15]
https://github.com/edgi-govdata-archiving/wayback/issues/137, last ac- cessed on 12-01-2026
edgi-govdata-archiving/wayback:search_calls_per_secondneeds to be dialed down. https://github.com/edgi-govdata-archiving/wayback/issues/137, last ac- cessed on 12-01-2026
2026
-
[16]
https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX:52025PC0837 (2026), last accessed on 12-06-2026
European Comission: Proposal for a regulation of the european parliament and of the council amending regulations (eu) 2016/679, (eu) 2018/1724, (eu) 2018/1725, (eu) 2023/2854 and directives 2002/58/ec, (eu) 2022/2555 and (eu) 2022/2557 as regards the simplification of the digital legislative frame- work, and repealing regulations (eu) 2018/1807, (eu) 2019...
2016
-
[17]
kg (c-585/08) and hotel alpenhof gesmbh v oliver heller (c-144/09)
European Court of Justice: Peter pammer v reederei karl schlüter gmbh & co. kg (c-585/08) and hotel alpenhof gesmbh v oliver heller (c-144/09). https://eur- lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62008CJ0585 (2010), last accessed on 22-04-2026
2010
-
[18]
European Data Protection Board: Guidelines 3/2018 on the territo- rial scope of the gdpr (article 3). https://www.edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3- version_en (2019), last accessed on 22-04-2026 A history of GDPR cookie banner compliance 23
2018
-
[19]
5(3) of eprivacy directive
European Data Protection Board: Adopted 1 guidelines 2/2023 on technical scope of art. 5(3) of eprivacy directive. https://www.edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy- directive_en (2023), last accessed on 07-01-2026
2023
-
[20]
https://www.edpb.europa.eu/system/files/2023- 01/edpb_20230118_report_cookie_banner_taskforce_en.pdf (2023), last ac- cessed on 8-01-2026
European Data Protection Board: Report of the work undertaken by the cookie banner taskforce. https://www.edpb.europa.eu/system/files/2023- 01/edpb_20230118_report_cookie_banner_taskforce_en.pdf (2023), last ac- cessed on 8-01-2026
2023
-
[21]
Variations in Tracking in Relation to Geographic Location
Fruchter, N., Miao, H., Stevenson, S., Balebako, R.: Variations in tracking in rela- tion to geographic location. arXiv preprint arXiv:1506.04103 (2015)
work page internal anchor Pith review Pith/arXiv arXiv 2015
-
[22]
Garante per la protezione dei dati personali: Linee guida cookie e altri stru- menti di tracciamento. https://www.garanteprivacy.it/web/guest/home/docweb/- /docweb-display/docweb/9677876 (2021), last accessed on 30-08-2025
-
[23]
https://blog.google/technology/ads/helping-publishers-recover-lost-revenue- ad-blocking/ (2018), last accessed on 30-01-2025
Google: Helping publishers recover lost revenue from ad blocking. https://blog.google/technology/ads/helping-publishers-recover-lost-revenue- ad-blocking/ (2018), last accessed on 30-01-2025
2018
-
[24]
https://support.google.com/fundingchoices /answer/9010669 (2024), last accessed on 30-01-2025
Google: Funding choices has moved. https://support.google.com/fundingchoices /answer/9010669 (2024), last accessed on 30-01-2025
-
[25]
https://blog.google/products/admanager/helping-publishers-manage-consent- funding-choices/ (2024), last accessed on 30-01-2025
Google Ad Manager: Helping publishers manage consent with funding choices. https://blog.google/products/admanager/helping-publishers-manage-consent- funding-choices/ (2024), last accessed on 30-01-2025
2024
-
[26]
In: Proceedings of the 18th In- ternational Conference on Availability, Reliability and Security
Gundelach, R., Herrmann, D.: Cookiescanner: An automated tool for detecting and evaluating gdpr consent notices on websites. In: Proceedings of the 18th In- ternational Conference on Availability, Reliability and Security. pp. 1–8 (2023)
2023
-
[27]
okay, whatever
Habib, H., Li, M., Young, E., Cranor, L.: “okay, whatever”: An evaluation of cookie consent interfaces. In: Proceedings of the 2022 CHI conference on human factors in computing systems. pp. 1–27 (2022)
2022
-
[28]
In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Commu- nications Security
Hantke, F., Calzavara, S., Wilhelm, M., Rabitti, A., Stock, B.: You call this ar- chaeology? evaluating web archives for reproducible web security measurements. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Commu- nications Security. pp. 3168–3182 (2023)
2023
-
[29]
arXiv preprint arXiv:2501.15911 (2025)
Hantke, F., Snyder, P., Haddadi, H., Stock, B.: Web execution bundles: Reproducible, accurate, and archivable web measurements. arXiv preprint arXiv:2501.15911 (2025)
-
[30]
what can chi do about dark patterns?
Hausner, P., Gertz, M.: Dark patterns in the interaction with cookie banners. position paper at the workshop" what can chi do about dark patterns?" at the chi conference on human factors in computing systems (chi’21)., 5 pages (2021)
2021
-
[31]
In: Proceedings of the ACM Internet Measurement Conference
Hils, M., Woods, D.W., Böhme, R.: Measuring the emergence of consent manage- ment on the web. In: Proceedings of the ACM Internet Measurement Conference. pp. 317–332 (2020)
2020
-
[32]
https://httparchive.org/ (2025), last accessed on 05- 01-2026
HTTPArchive: Httparchive. https://httparchive.org/ (2025), last accessed on 05- 01-2026
2025
-
[33]
https://web.archive.org/ (2026), last accessed on 9-01-2026
Internet Archive: Wayback machine. https://web.archive.org/ (2026), last accessed on 9-01-2026
2026
-
[34]
ACM Transactions on the Web19(3), 1–25 (2025)
Jha, N., Trevisan, M., Mellia, M., Fernandez, D., Irarrazaval, R.: Privacy policies and consent management platforms: Growth and users’ interactions over time. ACM Transactions on the Web19(3), 1–25 (2025)
2025
-
[35]
In: IFIP International Conference on ICT Systems Security and Privacy Protection
Kampanos, G., Shahandashti, S.F.: Accept all: The landscape of cookie banners in greece and the uk. In: IFIP International Conference on ICT Systems Security and Privacy Protection. pp. 213–227. Springer (2021) 24 Y. Dimova et al
2021
-
[36]
arXiv preprint arXiv:2204.04221 (2022)
Khandelwal, R., Nayak, A., Harkous, H., Fawaz, K.: Cookieenforcer: Automated cookie notice analysis and enforcement. arXiv preprint arXiv:2204.04221 (2022)
-
[37]
In: 2023 IEEE 8th European Symposium on Se- curity and Privacy (EuroS&P)
Kirkman, D., Vaniea, K., Woods, D.W.: Darkdialogs: Automated detection of 10 dark patterns on cookie dialogs. In: 2023 IEEE 8th European Symposium on Se- curity and Privacy (EuroS&P). pp. 847–867. IEEE (2023)
2023
-
[38]
ACM Transactions on the Web (TWEB)15(4), 1–42 (2021)
Kretschmer, M., Pennekamp, J., Wehrle, K.: Cookie banners and privacy policies: Measuring the impact of the gdpr on the web. ACM Transactions on the Web (TWEB)15(4), 1–42 (2021)
2021
-
[39]
In: Proceedings of the 2021 European Symposium on Usable Security
Krisam, C., Dietmann, H., Volkamer, M., Kulyk, O.: Dark patterns in the wild: Review of cookie disclaimer designs on top 500 german websites. In: Proceedings of the 2021 European Symposium on Usable Security. pp. 1–8 (2021)
2021
-
[40]
In: Proceedings of the Extended Abstracts of the CHI Confer- ence on Human Factors in Computing Systems
Kusk, K., Nouwens, M.: How website owners use consent management platforms: An interview study. In: Proceedings of the Extended Abstracts of the CHI Confer- ence on Human Factors in Computing Systems. pp. 1–7 (2025)
2025
-
[41]
computer law & security review 31 (03 2015) (2015)
Leenes, R., Kosta, E.: Taming the cookie monster with dutch law–a tale of regu- latory failure. computer law & security review 31 (03 2015) (2015)
2015
-
[42]
In: 25th USENIX Security Symposium (USENIX Security 16) (2016)
Lerner, A., Simpson, A.K., Kohno, T., Roesner, F.: Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016. In: 25th USENIX Security Symposium (USENIX Security 16) (2016)
1996
-
[43]
Libert, T., Graves, L., Nielsen, R.: Changes in third-party content on european news websites after gdpr. Tech. rep., University of Oxford (2018)
2018
-
[44]
The Privacy Policy Landscape After the GDPR
Linden, T., Khandelwal, R., Harkous, H., Fawaz, K.: The privacy policy landscape after the gdpr. arXiv preprint arXiv:1809.08396 (2018)
work page internal anchor Pith review Pith/arXiv arXiv 2018
-
[45]
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062 (2021), last accessed on 09-01-2026
Légifrance: Délibération de la formation restreinte n°san-2021- 023 du 31 décembre 2021 concernant les sociétés x et y. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062 (2021), last accessed on 09-01-2026
2021
-
[46]
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532?isSuggest=true (2021), last accessed on 09-01-2026
Légifrance: Délibération de la formation restreinte n°san- 2021-024 du 31décembre 2021 concernant la société x. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532?isSuggest=true (2021), last accessed on 09-01-2026
2021
-
[47]
In: 2020 IEEE Symposium on Security and Privacy (SP)
Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice?: Mea- suring legal compliance of banners from iab europe’s transparency and consent framework. In: 2020 IEEE Symposium on Security and Privacy (SP). pp. 791–809. IEEE (2020)
2020
-
[48]
In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Mehrnezhad, M.: A cross-platform evaluation of privacy notices and tracking prac- tices. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). pp. 97–106. IEEE (2020)
2020
-
[49]
https://github.com/MetamorfosiLab/cookies-consent?tab=readme-ov-file, last accessed on 30-08-2025
metamorfosilab: Cookies-consent github repository. https://github.com/MetamorfosiLab/cookies-consent?tab=readme-ov-file, last accessed on 30-08-2025
2025
-
[50]
In: Proceedings of the 21st Workshop on Privacy in the Electronic Society
Morel, V., Santos, C., Lintao, Y., Human, S.: Your consent is worth 75 euros a year-measurement and lawfulness of cookie paywalls. In: Proceedings of the 21st Workshop on Privacy in the Electronic Society. pp. 213–218 (2022)
2022
-
[51]
In: Proceedings of the 2012 ACM conference on Com- puter and communications security
Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote javascript inclusions. In: Proceedings of the 2012 ACM conference on Com- puter and communications security. pp. 736–747 (2012)
2012
-
[52]
In: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems
Nouwens, M., Kristensen, J.B., Maalt, K., Bagge, R.: A cross-country analysis of gdpr cookie banners and flexible methods for scraping them. In: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems. pp. 1–28 (2025) A history of GDPR cookie banner compliance 25
2025
-
[53]
In: Proceedings ofthe2020CHIconferenceonhumanfactorsincomputingsystems.pp.1–13(2020)
Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the gdpr: Scraping consent pop-ups and demonstrating their influence. In: Proceedings ofthe2020CHIconferenceonhumanfactorsincomputingsystems.pp.1–13(2020)
2020
-
[54]
cookie banner terror
noyb: noyb aims to end “cookie banner terror” and issues more than 500 gdpr com- plaints. https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-issues-more- 500-gdpr-complaints (2021), last accessed on 31-08-2025
2021
-
[55]
cookie ban- ners
noyb: noyb files 422 formal gdpr complaints on nerve-wrecking “cookie ban- ners”. https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-nerve-wrecking- cookie-banners (2021), last accessed on 30-08-2025
2021
-
[56]
https://noyb.eu/en/226-complaints-lodged-against-deceptive-cookie-banners (2022), last accessed on 30-08-2025
noyb: 226 complaints lodged against deceptive cookie banners. https://noyb.eu/en/226-complaints-lodged-against-deceptive-cookie-banners (2022), last accessed on 30-08-2025
2022
-
[57]
https://noyb.eu/sites/default/files/2024- 07/noyb_Cookie_Report_2024.pdf (2023), last accessed on 30-08-2025
noyb: Consent banner report. https://noyb.eu/sites/default/files/2024- 07/noyb_Cookie_Report_2024.pdf (2023), last accessed on 30-08-2025
2024
-
[58]
https://gdprhub.eu/ (2025), last accessed on 09-01- 2026
noyb: Gdpr decision database. https://gdprhub.eu/ (2025), last accessed on 09-01- 2026
2025
-
[59]
https://eur- lex.europa.eu/eli/dir/2002/58/oj/eng (2002), last accessed on 9-01-2026
Offical Journal of the European Union: Directive 2002/58/ec of the euro- pean parliament and of the council of 12 july 2002 concerning the processing of personal data and the protection of privacy in the electronic communica- tions sector (directive on privacy and electronic communications). https://eur- lex.europa.eu/eli/dir/2002/58/oj/eng (2002), last a...
2002
-
[60]
https://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32016R0679 (2016), last accessed on 9-01- 2026
Offical Journal of the European Union: Regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 on the pro- tection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation). https://eur-lex.europa.eu/legal- c...
2016
-
[61]
https://www.onetrust.com/, last accessed on 30-08- 2025
OneTrust: Onetrust solutions. https://www.onetrust.com/, last accessed on 30-08- 2025
2025
-
[62]
In: International Conference on Passive and Active Network Measurement
Rasaii, A., Singh, S., Gosain, D., Gasser, O.: Exploring the cookieverse: A multi- perspective analysis of web cookies. In: International Conference on Passive and Active Network Measurement. pp. 623–651. Springer (2023)
2023
-
[63]
Roth, S., Barron, T., Calzavara, S., Nikiforakis, N., Stock, B.: Complex security policy?alongitudinalanalysisofdeployedcontentsecuritypolicies.In:Proceedings of the 27th Network and Distributed System Security Symposium (NDSS) (2020)
2020
-
[64]
In:Proceedingsofthe2019ACMAsiaconferenceoncomputerandcommunications security
Sanchez-Rola, I., Dell’Amico, M., Kotzias, P., Balzarotti, D., Bilge, L., Vervier, P.A., Santos, I.: Can i opt out yet? gdpr and the global illusion of cookie control. In:Proceedingsofthe2019ACMAsiaconferenceoncomputerandcommunications security. pp. 340–351 (2019)
2019
-
[65]
Santos, C., Nouwens, M., Toth, M., Bielova, N., Roca, V.: Consent management platforms under the gdpr: processors and/or controllers? In: Annual Privacy Fo- rum. pp. 47–69. Springer (2021)
2021
-
[66]
In: 2022 33rd Irish Signals and Systems Conference (ISSC)
Sheil, A., Malone, D.: Fianán, cuacha: Irish cookie banners. In: 2022 33rd Irish Signals and Systems Conference (ISSC). pp. 1–8. IEEE (2022)
2022
-
[67]
In: Proceedings of the 11th nordic conference on human-computer interaction: Shaping experiences, shaping society
Soe, T.H., Nordberg, O.E., Guribye, F., Slavkovik, M.: Circumvention by design- dark patterns in cookie consent for online news outlets. In: Proceedings of the 11th nordic conference on human-computer interaction: Shaping experiences, shaping society. pp. 1–12 (2020) 26 Y. Dimova et al
2020
-
[68]
In: 26th USENIX Security Symposium (USENIX Security 17)
Stock, B., Johns, M., Steffens, M., Backes, M.: How the web tangled itself: Un- covering the history of client-side web (in) security. In: 26th USENIX Security Symposium (USENIX Security 17). pp. 971–987 (2017)
2017
-
[69]
Proceedings on Privacy Enhancing Technologies2022(3), 478– 497 (2022)
Toth, M., Bielova, N., Roca, V.: On dark patterns and manipulation of website publishers by cmps. Proceedings on Privacy Enhancing Technologies2022(3), 478– 497 (2022)
2022
-
[70]
Trevisan, M., Traverso, S., Bassi, E., Mellia, M., et al.: 4 years of eu cookie law: Re- sultsandlessonslearned.ProceedingsonPrivacyEnhancingTechnologies2019(2), 126–145 (2019)
2019
-
[71]
arXiv preprint arXiv:2110.09832 (2021)
Van Eijk, R., Asghari, H., Winter, P., Narayanan, A.: The impact of user loca- tion on cookie notices (inside and outside of the european union). arXiv preprint arXiv:2110.09832 (2021)
-
[72]
In: Proceedings of the 22nd Workshop on Privacy in the Electronic Society
Warberg, L., Lefrere, V., Cheyre, C., Acquisti, A.: Trends in privacy dialog design after the gdpr: The impact of industry and government actions. In: Proceedings of the 22nd Workshop on Privacy in the Electronic Society. pp. 107–121 (2023)
2023
-
[73]
In: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society
Wesselkamp, V., Fouad, I., Santos, C., Boussad, Y., Bielova, N., Legout, A.: In- depth technical and legal analysis of tracking on health related websites with ernie extension. In: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society. pp. 151–166 (2021)
2021
-
[74]
In: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering
Zhang, M., Meng, W., Zhou, Y., Ren, K.: Cschecker: Revisiting gdpr and ccpa compliance of cookie banners on the web. In: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. pp. 1–12 (2024)
2024
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.