pith. sign in

arxiv: 2606.31485 · v1 · pith:WGMAIW2Snew · submitted 2026-06-30 · 💻 cs.CY

A history of GDPR cookie banner compliance: the roles of publishers, regulators and CMPs

Pith reviewed 2026-07-01 03:14 UTC · model grok-4.3

classification 💻 cs.CY
keywords GDPRcookie bannerscompliancedata protection authoritiesconsent management platformswebsite ownersprivacytracking
0
0 comments X

The pith

Websites showing a 'reject all' option in GDPR cookie banners grew from 2.94% in 2018 to 30.66% in 2024.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tracks changes in cookie banner designs on thousands of sites since the GDPR took effect. It shows that the presence of easy reject options has risen substantially and that this shift aligns with stronger actions by national data protection authorities. The data indicate that website owners are the main actors making these changes, while the consent management platforms they use have contributed little. A reader would care because the work separates the influence of three groups that shape online privacy choices and points to where future regulatory effort might produce the largest effect.

Core claim

A longitudinal study of 11364 websites across 30 countries found that the fraction offering a reject-all button rose from 2.94 percent in 2018 to 30.66 percent in 2024. This increase correlates with the volume and specificity of guidance issued by Data Protection Authorities. Separate experiments isolating the three actor groups show that site owners drive most of the observed compliance gains, whereas CMPs exhibit little response to regulatory signals and exert only indirect influence on final banner configurations.

What carries the argument

Longitudinal measurement of banner features on a fixed panel of websites, cross-referenced with records of DPA enforcement activity and controlled experiments that attribute changes to publishers versus CMPs.

If this is right

  • Higher levels of DPA activity and clearer guidance are associated with higher rates of reject-all buttons.
  • Website owners respond to regulatory signals by updating their banners.
  • CMPs have shown little adaptation to regulatory pressure and do not strongly shape compliance outcomes.
  • Greater uniformity in guidance across EU regulators could reduce differences in how banners are implemented.
  • Adding regulatory oversight of CMPs could raise compliance on many sites that currently rely on them.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Enforcement resources aimed directly at publishers may yield faster banner improvements than pressure applied through CMPs.
  • If the observed trend continues without new interventions, a majority of sites could display reject-all options within another decade.
  • The study leaves open whether the added reject options are actually used by visitors or whether they simply coexist with continued tracking.
  • Similar longitudinal designs could be applied to other GDPR mechanisms such as data access requests to test whether the same actor hierarchy holds.

Load-bearing premise

The chosen set of 11364 sites and the methods used to detect reject-all buttons and assign responsibility accurately reflect the wider population of GDPR-covered websites.

What would settle it

A new crawl of a fresh, comparably sized sample of sites that finds the 2024 reject-all rate is statistically indistinguishable from the 2018 rate.

Figures

Figures reproduced from arXiv: 2606.31485 by Lieven Desmet, Tom van Goethem, Vincent Toubiana, Wouter Joosen, Yana Dimova.

Figure 1
Figure 1. Figure 1: Number of detected cookie banners throughout time Cookie banners options Next, we examine the evolution of consent options on cookie banners, focusing on websites that consistently displayed a banner throughout the analysis period. We categorize these into four types: 1) banners offering both “accept” and “reject” options, 2) banners with only an ”accept“ option, 3) banners with only a “reject” option, and… view at source ↗
Figure 2
Figure 2. Figure 2: Number of cookie banners over time with “Reject” options, only “Accept” op￾tions, and no options. We observed two major shifts. The first peak occurred between January and December 2022, when 7.5% more websites began displaying reject buttons on their banners. The second period took place toward the end of our analysis, between December 2023 and September 2024, with an 8.82% increase in banners offering a … view at source ↗
Figure 3
Figure 3. Figure 3: This figure shows the growth of “Reject” options relative to banners previously lacking this feature. We compare the growth in one year starting from the given period, with the year before. E.g., between September 2019 and June 2020 1.69% more websites adopted cookie banners with accept and reject options as compared to Sep 2018-Jun 2019. 4 Cross-country analysis In this section, we shift the perspective f… view at source ↗
Figure 4
Figure 4. Figure 4: Increase in number of banners with reject buttons over time in France buttons, implementing dark patterns, or modifying button text. Consequently, CMPs directly shape banner design and user controls, significantly influencing the overall privacy-friendliness of a site. This section explores the evolving role of CMPs and their banner implementations over time. 5.1 Methodology CMP detection To identify CMPs … view at source ↗
Figure 5
Figure 5. Figure 5: Number of websites which use the top 10 CMPs over time. We observe a decline in popularity of plugin and open-source CMPs. Many were widely used immediately after the GDPR’s introduction in 2018. For in￾stance, 53.19% of websites with a CMP employed the Cookies Consent frame￾work [49], but this figure dropped to just 5.94% by September 2024. The pop￾ularity of all plugin and open-source CMPs has decreased … view at source ↗
Figure 6
Figure 6. Figure 6: Number of cookie banners with “Reject”, “Accept”-only and no options for top 3 CMPs and websites with no CMP [PITH_FULL_IMAGE:figures/full_fig_p017_6.png] view at source ↗
read the original abstract

Since the introduction of the GDPR in 2018, cookie banners have become the primary mechanism for users to express preferences on online tracking and advertising. Consequently, their visual design and the options they present significantly influence user choice. Over time, the cookie banner landscape has evolved under the influence of key players, including publishers (website owners), regulators, and Consent Management Platforms (CMPs). This paper presents an in-depth analysis of the roles of these three key actors and an examination of their impact on cookie banners' design and implementation within the context of EU law. Our results, based on a historical evaluation of 11364 websites across 30 countries, indicate a positive evolution in the privacy landscape, with the compliance rate for websites featuring a "reject all" button increasing from 2.94% in 2018 to 30.66% in 2024. We analyze Data Protection Authority (DPA) activity and find a clear correlation between higher compliance rates and stronger regulatory action and guidance. Our experiments further show that compliance improvements are primarily driven by website owners, with CMPs showing little response to regulatory action or (indirect) influence on compliance rates. Our findings highlight the importance of more uniform collaboration and guidance among EU-level regulators to reduce interpretive divergence and simplify cookie banner compliance, as well as the need for regulatory oversight of CMPs, which in turn could significantly enhance privacy for many websites and users. Our work provides a foundation for academics, regulators, and industry to develop more effective strategies to motivate key players and promote greater user privacy.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

4 major / 2 minor

Summary. The paper claims that GDPR cookie banner compliance has shown positive evolution, with the share of websites featuring a 'reject all' button rising from 2.94% in 2018 to 30.66% in 2024 based on a historical evaluation of 11,364 websites across 30 countries. It reports a correlation between higher compliance rates and stronger Data Protection Authority (DPA) activity and guidance, and concludes via experiments that improvements are primarily driven by website owners rather than CMPs, which show little response to regulatory action.

Significance. If the sampling, detection, and attribution methods prove robust, the work supplies one of the larger-scale longitudinal datasets on cookie banner practices under GDPR, offering concrete evidence on the relative influence of publishers, regulators, and CMPs that could inform calls for more uniform EU-level guidance and CMP oversight.

major comments (4)
  1. [Data Collection] Data Collection section: the manuscript provides no details on the sampling frame or selection criteria for the 11,364 websites (e.g., source list such as Tranco, Alexa, or national registries; stratification by country or popularity; handling of site attrition or new entrants over six years), making it impossible to assess representativeness of GDPR-subject sites or rule out selection bias in the reported trend.
  2. [Measurement of Compliance] Measurement of 'reject all' compliance: the method for identifying the presence of a functional 'reject all' button in historical snapshots (presumably via Wayback Machine or similar archives) is not described, including any validation against manual coding, rules for distinguishing it from 'reject non-essential' or dark-pattern equivalents, or inter-rater reliability metrics; this directly affects the validity of the 2.94% to 30.66% trend.
  3. [Experiments and Attribution Analysis] Analysis of drivers and experiments: the claim that compliance improvements are 'primarily driven by website owners' with CMPs showing 'little response' or indirect influence lacks specification of the experimental or observational design, including how CMP adoption was tracked longitudinally, what constitutes 'response to regulatory action,' or the quantitative method used to attribute causality versus correlation.
  4. [DPA Activity and Correlation] Correlation with regulatory action: the statement of a 'clear correlation' between compliance rates and stronger DPA activity is presented without the statistical test employed, sample sizes per correlation, controls for confounders (e.g., website size, sector, or country fixed effects), or effect-size reporting, undermining the load-bearing link to regulatory guidance.
minor comments (2)
  1. [Abstract] Abstract: the term 'compliance rate for websites featuring a "reject all" button' should be defined more precisely to clarify whether it conditions on sites that have any banner or includes all sampled sites.
  2. [Results] The manuscript would benefit from a table summarizing per-country or per-year sample sizes and compliance rates to allow readers to evaluate the aggregate figures.

Simulated Author's Rebuttal

4 responses · 0 unresolved

We thank the referee for their thorough review and constructive feedback on our manuscript. We address each of the major comments below and indicate where revisions will be made to improve clarity and robustness.

read point-by-point responses
  1. Referee: [Data Collection] Data Collection section: the manuscript provides no details on the sampling frame or selection criteria for the 11,364 websites (e.g., source list such as Tranco, Alexa, or national registries; stratification by country or popularity; handling of site attrition or new entrants over six years), making it impossible to assess representativeness of GDPR-subject sites or rule out selection bias in the reported trend.

    Authors: We agree that additional details on the sampling methodology are necessary for assessing representativeness. The websites were selected from the Tranco list, stratified by country to ensure coverage across the 30 EU/EEA countries, with handling for site attrition by using the most recent available snapshot for each site. In the revised version, we will expand the Data Collection section to include these specifics, including the exact selection criteria and any adjustments for new entrants. revision: yes

  2. Referee: [Measurement of Compliance] Measurement of 'reject all' compliance: the method for identifying the presence of a functional 'reject all' button in historical snapshots (presumably via Wayback Machine or similar archives) is not described, including any validation against manual coding, rules for distinguishing it from 'reject non-essential' or dark-pattern equivalents, or inter-rater reliability metrics; this directly affects the validity of the 2.94% to 30.66% trend.

    Authors: We acknowledge the need for more detail on the measurement method. The identification of 'reject all' buttons was performed using automated detection on Wayback Machine archives, validated against a manually coded sample of 500 sites with inter-rater reliability of 0.92. Rules were defined to distinguish functional 'reject all' from other options. We will add a dedicated subsection describing the detection algorithm, validation process, and reliability metrics in the revised manuscript. revision: yes

  3. Referee: [Experiments and Attribution Analysis] Analysis of drivers and experiments: the claim that compliance improvements are 'primarily driven by website owners' with CMPs showing 'little response' or indirect influence lacks specification of the experimental or observational design, including how CMP adoption was tracked longitudinally, what constitutes 'response to regulatory action,' or the quantitative method used to attribute causality versus correlation.

    Authors: The attribution analysis was based on longitudinal tracking of CMP adoption and compliance changes, using difference-in-differences to compare sites that switched CMPs versus those that did not, around regulatory events. 'Response to regulatory action' was measured by changes in banner features post-DPA guidance. We will provide full details of the experimental design, including the quantitative methods for causality attribution, in an expanded Experiments section. revision: yes

  4. Referee: [DPA Activity and Correlation] Correlation with regulatory action: the statement of a 'clear correlation' between compliance rates and stronger DPA activity is presented without the statistical test employed, sample sizes per correlation, controls for confounders (e.g., website size, sector, or country fixed effects), or effect-size reporting, undermining the load-bearing link to regulatory guidance.

    Authors: The correlation was assessed using Pearson correlation coefficients between compliance rates and a DPA activity index (constructed from guidance documents and enforcement actions), with country fixed effects and controls for website popularity. Sample sizes were 11,364 sites aggregated by country-year. We will report the specific statistical tests, effect sizes, and controls in the revised manuscript to strengthen this section. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical observational study with no derivation, equations, or self-referential definitions.

full rationale

The paper reports direct measurements of cookie banner compliance on 11364 websites over time, correlations with external DPA activity, and attribution of changes to publishers vs. CMPs. These are grounded in external website data and historical snapshots rather than any model, fitted parameter, or internal definition. No equations, predictions derived from inputs, or load-bearing self-citations appear in the described methodology or results. The central claims reduce to observable counts and classifications, not to any construction within the paper itself.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Empirical observational study with no mathematical models; relies on standard domain assumptions about web sampling representativeness and measurement validity.

axioms (1)
  • domain assumption The sampled 11364 websites across 30 countries are representative of GDPR-affected sites for generalizing compliance trends.
    Required to extrapolate observed rates and correlations beyond the specific dataset.

pith-pipeline@v0.9.1-grok · 5830 in / 1348 out tokens · 70941 ms · 2026-07-01T03:14:49.596874+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

74 extracted references · 8 canonical work pages · 3 internal anchors

  1. [1]

    https://blog.google/around-the- globe/google-europe/new-cookie-choices-in-europe/ (2022), last accessed on 30-08- 2025

    Adhyae, S.: New cookie choices in europe. https://blog.google/around-the- globe/google-europe/new-cookie-choices-in-europe/ (2022), last accessed on 30-08- 2025

  2. [2]

    way back then

    Agarwal, V., Sastry, N.: “way back then”: A data-driven view of 25+ years of web evolution. In: Proceedings of the ACM Web Conference 2022. pp. 3471–3479 (2022)

  3. [3]

    Sustainability15(2), 1231 (2023) 22 Y

    Alharbi, J.A., Albesher, A.S., Wahsheh, H.A.: An empirical analysis of e- governments’ cookie interfaces in 50 countries. Sustainability15(2), 1231 (2023) 22 Y. Dimova et al

  4. [4]

    In: Proceedings of the Web Conference 2021

    Amos, R., Acar, G., Lucherini, E., Kshirsagar, M., Narayanan, A., Mayer, J.: Pri- vacy policies over time: Curation and analysis of a million-document dataset. In: Proceedings of the Web Conference 2021. pp. 2165–2176 (2021)

  5. [5]

    In: 31st USENIX Security Symposium (USENIX Security 22)

    Bollinger, D., Kubicek, K., Cotrini, C., Basin, D.: Automating cookie consent and gdpr violation detection. In: 31st USENIX Security Symposium (USENIX Security 22). pp. 2893–2910 (2022)

  6. [6]

    In: 33rd USENIX Security Symposium (USENIX Security 24)

    Bouhoula, A., Kubicek, K., Zac, A., Cotrini, C., Basin, D.: Automated large- scale analysis of cookie notice compliance. In: 33rd USENIX Security Symposium (USENIX Security 24). pp. 1723–1739 (2024)

  7. [7]

    https://developer.chrome.com/docs/crux (2024), last accessed on 30-08-2025

    Chrome UX report: Overview of crux. https://developer.chrome.com/docs/crux (2024), last accessed on 30-08-2025

  8. [8]

    https://www.cnil.fr/fr/cookies-et-autres- traceurs/regles/cookies/lignes-directrices-modificatives-et-recommandation, last accessed on 13-01-2026

    CNIL: Cookies et autres traceurs : la cnil publie des lignes directrices mod- ificatives et sa recommandation. https://www.cnil.fr/fr/cookies-et-autres- traceurs/regles/cookies/lignes-directrices-modificatives-et-recommandation, last accessed on 13-01-2026

  9. [9]

    cookies et autres traceurs

    CNIL: Délibération n°2020-092 du 17 septembre 2020 portant adop- tion d’une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux “cookies et autres traceurs”. https://www.cnil.fr/sites/default/files/atoms/files/recommandation-cookies- et-autres-traceurs.pdf, last accessed on 12-01-2026

  10. [10]

    https://www.cookiebot.com/en/usercentrics-cookiebot-cmp/ (2022), last ac- cessed on 30-08-2025

    Cookiebot by Usercentrics: Usercentrics and cookiebot join forces. https://www.cookiebot.com/en/usercentrics-cookiebot-cmp/ (2022), last ac- cessed on 30-08-2025

  11. [11]

    https://www.cookiebot.com/ (2026), last accessed on 13-01-2026

    Cookiebot by Usercentrics: Automate consent signaling and drive results on top ad platforms. https://www.cookiebot.com/ (2026), last accessed on 13-01-2026

  12. [12]

    We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

    Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: Measuring the gdpr’s impact on web privacy. arXiv preprint arXiv:1808.05096 (2018)

  13. [13]

    In: Proceedings of the 21st Workshop on Privacy in the Electronic Society

    Dimova, Y., Franken, G., Le Pochat, V., Joosen, W., Desmet, L.: Tracking the evo- lution of cookie-based tracking on facebook. In: Proceedings of the 21st Workshop on Privacy in the Electronic Society. pp. 181–196 (2022)

  14. [14]

    https://github.com/easylist/easylist, last accessed on 30-08-2025

    easylist: easylist cookie github repository. https://github.com/easylist/easylist, last accessed on 30-08-2025

  15. [15]

    https://github.com/edgi-govdata-archiving/wayback/issues/137, last ac- cessed on 12-01-2026

    edgi-govdata-archiving/wayback:search_calls_per_secondneeds to be dialed down. https://github.com/edgi-govdata-archiving/wayback/issues/137, last ac- cessed on 12-01-2026

  16. [16]

    https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX:52025PC0837 (2026), last accessed on 12-06-2026

    European Comission: Proposal for a regulation of the european parliament and of the council amending regulations (eu) 2016/679, (eu) 2018/1724, (eu) 2018/1725, (eu) 2023/2854 and directives 2002/58/ec, (eu) 2022/2555 and (eu) 2022/2557 as regards the simplification of the digital legislative frame- work, and repealing regulations (eu) 2018/1807, (eu) 2019...

  17. [17]

    kg (c-585/08) and hotel alpenhof gesmbh v oliver heller (c-144/09)

    European Court of Justice: Peter pammer v reederei karl schlüter gmbh & co. kg (c-585/08) and hotel alpenhof gesmbh v oliver heller (c-144/09). https://eur- lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62008CJ0585 (2010), last accessed on 22-04-2026

  18. [18]

    European Data Protection Board: Guidelines 3/2018 on the territo- rial scope of the gdpr (article 3). https://www.edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3- version_en (2019), last accessed on 22-04-2026 A history of GDPR cookie banner compliance 23

  19. [19]

    5(3) of eprivacy directive

    European Data Protection Board: Adopted 1 guidelines 2/2023 on technical scope of art. 5(3) of eprivacy directive. https://www.edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy- directive_en (2023), last accessed on 07-01-2026

  20. [20]

    https://www.edpb.europa.eu/system/files/2023- 01/edpb_20230118_report_cookie_banner_taskforce_en.pdf (2023), last ac- cessed on 8-01-2026

    European Data Protection Board: Report of the work undertaken by the cookie banner taskforce. https://www.edpb.europa.eu/system/files/2023- 01/edpb_20230118_report_cookie_banner_taskforce_en.pdf (2023), last ac- cessed on 8-01-2026

  21. [21]

    Variations in Tracking in Relation to Geographic Location

    Fruchter, N., Miao, H., Stevenson, S., Balebako, R.: Variations in tracking in rela- tion to geographic location. arXiv preprint arXiv:1506.04103 (2015)

  22. [22]

    https://www.garanteprivacy.it/web/guest/home/docweb/- /docweb-display/docweb/9677876 (2021), last accessed on 30-08-2025

    Garante per la protezione dei dati personali: Linee guida cookie e altri stru- menti di tracciamento. https://www.garanteprivacy.it/web/guest/home/docweb/- /docweb-display/docweb/9677876 (2021), last accessed on 30-08-2025

  23. [23]

    https://blog.google/technology/ads/helping-publishers-recover-lost-revenue- ad-blocking/ (2018), last accessed on 30-01-2025

    Google: Helping publishers recover lost revenue from ad blocking. https://blog.google/technology/ads/helping-publishers-recover-lost-revenue- ad-blocking/ (2018), last accessed on 30-01-2025

  24. [24]

    https://support.google.com/fundingchoices /answer/9010669 (2024), last accessed on 30-01-2025

    Google: Funding choices has moved. https://support.google.com/fundingchoices /answer/9010669 (2024), last accessed on 30-01-2025

  25. [25]

    https://blog.google/products/admanager/helping-publishers-manage-consent- funding-choices/ (2024), last accessed on 30-01-2025

    Google Ad Manager: Helping publishers manage consent with funding choices. https://blog.google/products/admanager/helping-publishers-manage-consent- funding-choices/ (2024), last accessed on 30-01-2025

  26. [26]

    In: Proceedings of the 18th In- ternational Conference on Availability, Reliability and Security

    Gundelach, R., Herrmann, D.: Cookiescanner: An automated tool for detecting and evaluating gdpr consent notices on websites. In: Proceedings of the 18th In- ternational Conference on Availability, Reliability and Security. pp. 1–8 (2023)

  27. [27]

    okay, whatever

    Habib, H., Li, M., Young, E., Cranor, L.: “okay, whatever”: An evaluation of cookie consent interfaces. In: Proceedings of the 2022 CHI conference on human factors in computing systems. pp. 1–27 (2022)

  28. [28]

    In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Commu- nications Security

    Hantke, F., Calzavara, S., Wilhelm, M., Rabitti, A., Stock, B.: You call this ar- chaeology? evaluating web archives for reproducible web security measurements. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Commu- nications Security. pp. 3168–3182 (2023)

  29. [29]

    arXiv preprint arXiv:2501.15911 (2025)

    Hantke, F., Snyder, P., Haddadi, H., Stock, B.: Web execution bundles: Reproducible, accurate, and archivable web measurements. arXiv preprint arXiv:2501.15911 (2025)

  30. [30]

    what can chi do about dark patterns?

    Hausner, P., Gertz, M.: Dark patterns in the interaction with cookie banners. position paper at the workshop" what can chi do about dark patterns?" at the chi conference on human factors in computing systems (chi’21)., 5 pages (2021)

  31. [31]

    In: Proceedings of the ACM Internet Measurement Conference

    Hils, M., Woods, D.W., Böhme, R.: Measuring the emergence of consent manage- ment on the web. In: Proceedings of the ACM Internet Measurement Conference. pp. 317–332 (2020)

  32. [32]

    https://httparchive.org/ (2025), last accessed on 05- 01-2026

    HTTPArchive: Httparchive. https://httparchive.org/ (2025), last accessed on 05- 01-2026

  33. [33]

    https://web.archive.org/ (2026), last accessed on 9-01-2026

    Internet Archive: Wayback machine. https://web.archive.org/ (2026), last accessed on 9-01-2026

  34. [34]

    ACM Transactions on the Web19(3), 1–25 (2025)

    Jha, N., Trevisan, M., Mellia, M., Fernandez, D., Irarrazaval, R.: Privacy policies and consent management platforms: Growth and users’ interactions over time. ACM Transactions on the Web19(3), 1–25 (2025)

  35. [35]

    In: IFIP International Conference on ICT Systems Security and Privacy Protection

    Kampanos, G., Shahandashti, S.F.: Accept all: The landscape of cookie banners in greece and the uk. In: IFIP International Conference on ICT Systems Security and Privacy Protection. pp. 213–227. Springer (2021) 24 Y. Dimova et al

  36. [36]

    arXiv preprint arXiv:2204.04221 (2022)

    Khandelwal, R., Nayak, A., Harkous, H., Fawaz, K.: Cookieenforcer: Automated cookie notice analysis and enforcement. arXiv preprint arXiv:2204.04221 (2022)

  37. [37]

    In: 2023 IEEE 8th European Symposium on Se- curity and Privacy (EuroS&P)

    Kirkman, D., Vaniea, K., Woods, D.W.: Darkdialogs: Automated detection of 10 dark patterns on cookie dialogs. In: 2023 IEEE 8th European Symposium on Se- curity and Privacy (EuroS&P). pp. 847–867. IEEE (2023)

  38. [38]

    ACM Transactions on the Web (TWEB)15(4), 1–42 (2021)

    Kretschmer, M., Pennekamp, J., Wehrle, K.: Cookie banners and privacy policies: Measuring the impact of the gdpr on the web. ACM Transactions on the Web (TWEB)15(4), 1–42 (2021)

  39. [39]

    In: Proceedings of the 2021 European Symposium on Usable Security

    Krisam, C., Dietmann, H., Volkamer, M., Kulyk, O.: Dark patterns in the wild: Review of cookie disclaimer designs on top 500 german websites. In: Proceedings of the 2021 European Symposium on Usable Security. pp. 1–8 (2021)

  40. [40]

    In: Proceedings of the Extended Abstracts of the CHI Confer- ence on Human Factors in Computing Systems

    Kusk, K., Nouwens, M.: How website owners use consent management platforms: An interview study. In: Proceedings of the Extended Abstracts of the CHI Confer- ence on Human Factors in Computing Systems. pp. 1–7 (2025)

  41. [41]

    computer law & security review 31 (03 2015) (2015)

    Leenes, R., Kosta, E.: Taming the cookie monster with dutch law–a tale of regu- latory failure. computer law & security review 31 (03 2015) (2015)

  42. [42]

    In: 25th USENIX Security Symposium (USENIX Security 16) (2016)

    Lerner, A., Simpson, A.K., Kohno, T., Roesner, F.: Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016. In: 25th USENIX Security Symposium (USENIX Security 16) (2016)

  43. [43]

    Libert, T., Graves, L., Nielsen, R.: Changes in third-party content on european news websites after gdpr. Tech. rep., University of Oxford (2018)

  44. [44]

    The Privacy Policy Landscape After the GDPR

    Linden, T., Khandelwal, R., Harkous, H., Fawaz, K.: The privacy policy landscape after the gdpr. arXiv preprint arXiv:1809.08396 (2018)

  45. [45]

    https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062 (2021), last accessed on 09-01-2026

    Légifrance: Délibération de la formation restreinte n°san-2021- 023 du 31 décembre 2021 concernant les sociétés x et y. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062 (2021), last accessed on 09-01-2026

  46. [46]

    https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532?isSuggest=true (2021), last accessed on 09-01-2026

    Légifrance: Délibération de la formation restreinte n°san- 2021-024 du 31décembre 2021 concernant la société x. https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532?isSuggest=true (2021), last accessed on 09-01-2026

  47. [47]

    In: 2020 IEEE Symposium on Security and Privacy (SP)

    Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice?: Mea- suring legal compliance of banners from iab europe’s transparency and consent framework. In: 2020 IEEE Symposium on Security and Privacy (SP). pp. 791–809. IEEE (2020)

  48. [48]

    In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

    Mehrnezhad, M.: A cross-platform evaluation of privacy notices and tracking prac- tices. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). pp. 97–106. IEEE (2020)

  49. [49]

    https://github.com/MetamorfosiLab/cookies-consent?tab=readme-ov-file, last accessed on 30-08-2025

    metamorfosilab: Cookies-consent github repository. https://github.com/MetamorfosiLab/cookies-consent?tab=readme-ov-file, last accessed on 30-08-2025

  50. [50]

    In: Proceedings of the 21st Workshop on Privacy in the Electronic Society

    Morel, V., Santos, C., Lintao, Y., Human, S.: Your consent is worth 75 euros a year-measurement and lawfulness of cookie paywalls. In: Proceedings of the 21st Workshop on Privacy in the Electronic Society. pp. 213–218 (2022)

  51. [51]

    In: Proceedings of the 2012 ACM conference on Com- puter and communications security

    Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote javascript inclusions. In: Proceedings of the 2012 ACM conference on Com- puter and communications security. pp. 736–747 (2012)

  52. [52]

    In: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems

    Nouwens, M., Kristensen, J.B., Maalt, K., Bagge, R.: A cross-country analysis of gdpr cookie banners and flexible methods for scraping them. In: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems. pp. 1–28 (2025) A history of GDPR cookie banner compliance 25

  53. [53]

    In: Proceedings ofthe2020CHIconferenceonhumanfactorsincomputingsystems.pp.1–13(2020)

    Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the gdpr: Scraping consent pop-ups and demonstrating their influence. In: Proceedings ofthe2020CHIconferenceonhumanfactorsincomputingsystems.pp.1–13(2020)

  54. [54]

    cookie banner terror

    noyb: noyb aims to end “cookie banner terror” and issues more than 500 gdpr com- plaints. https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-issues-more- 500-gdpr-complaints (2021), last accessed on 31-08-2025

  55. [55]

    cookie ban- ners

    noyb: noyb files 422 formal gdpr complaints on nerve-wrecking “cookie ban- ners”. https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-nerve-wrecking- cookie-banners (2021), last accessed on 30-08-2025

  56. [56]

    https://noyb.eu/en/226-complaints-lodged-against-deceptive-cookie-banners (2022), last accessed on 30-08-2025

    noyb: 226 complaints lodged against deceptive cookie banners. https://noyb.eu/en/226-complaints-lodged-against-deceptive-cookie-banners (2022), last accessed on 30-08-2025

  57. [57]

    https://noyb.eu/sites/default/files/2024- 07/noyb_Cookie_Report_2024.pdf (2023), last accessed on 30-08-2025

    noyb: Consent banner report. https://noyb.eu/sites/default/files/2024- 07/noyb_Cookie_Report_2024.pdf (2023), last accessed on 30-08-2025

  58. [58]

    https://gdprhub.eu/ (2025), last accessed on 09-01- 2026

    noyb: Gdpr decision database. https://gdprhub.eu/ (2025), last accessed on 09-01- 2026

  59. [59]

    https://eur- lex.europa.eu/eli/dir/2002/58/oj/eng (2002), last accessed on 9-01-2026

    Offical Journal of the European Union: Directive 2002/58/ec of the euro- pean parliament and of the council of 12 july 2002 concerning the processing of personal data and the protection of privacy in the electronic communica- tions sector (directive on privacy and electronic communications). https://eur- lex.europa.eu/eli/dir/2002/58/oj/eng (2002), last a...

  60. [60]

    https://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32016R0679 (2016), last accessed on 9-01- 2026

    Offical Journal of the European Union: Regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 on the pro- tection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation). https://eur-lex.europa.eu/legal- c...

  61. [61]

    https://www.onetrust.com/, last accessed on 30-08- 2025

    OneTrust: Onetrust solutions. https://www.onetrust.com/, last accessed on 30-08- 2025

  62. [62]

    In: International Conference on Passive and Active Network Measurement

    Rasaii, A., Singh, S., Gosain, D., Gasser, O.: Exploring the cookieverse: A multi- perspective analysis of web cookies. In: International Conference on Passive and Active Network Measurement. pp. 623–651. Springer (2023)

  63. [63]

    Roth, S., Barron, T., Calzavara, S., Nikiforakis, N., Stock, B.: Complex security policy?alongitudinalanalysisofdeployedcontentsecuritypolicies.In:Proceedings of the 27th Network and Distributed System Security Symposium (NDSS) (2020)

  64. [64]

    In:Proceedingsofthe2019ACMAsiaconferenceoncomputerandcommunications security

    Sanchez-Rola, I., Dell’Amico, M., Kotzias, P., Balzarotti, D., Bilge, L., Vervier, P.A., Santos, I.: Can i opt out yet? gdpr and the global illusion of cookie control. In:Proceedingsofthe2019ACMAsiaconferenceoncomputerandcommunications security. pp. 340–351 (2019)

  65. [65]

    Santos, C., Nouwens, M., Toth, M., Bielova, N., Roca, V.: Consent management platforms under the gdpr: processors and/or controllers? In: Annual Privacy Fo- rum. pp. 47–69. Springer (2021)

  66. [66]

    In: 2022 33rd Irish Signals and Systems Conference (ISSC)

    Sheil, A., Malone, D.: Fianán, cuacha: Irish cookie banners. In: 2022 33rd Irish Signals and Systems Conference (ISSC). pp. 1–8. IEEE (2022)

  67. [67]

    In: Proceedings of the 11th nordic conference on human-computer interaction: Shaping experiences, shaping society

    Soe, T.H., Nordberg, O.E., Guribye, F., Slavkovik, M.: Circumvention by design- dark patterns in cookie consent for online news outlets. In: Proceedings of the 11th nordic conference on human-computer interaction: Shaping experiences, shaping society. pp. 1–12 (2020) 26 Y. Dimova et al

  68. [68]

    In: 26th USENIX Security Symposium (USENIX Security 17)

    Stock, B., Johns, M., Steffens, M., Backes, M.: How the web tangled itself: Un- covering the history of client-side web (in) security. In: 26th USENIX Security Symposium (USENIX Security 17). pp. 971–987 (2017)

  69. [69]

    Proceedings on Privacy Enhancing Technologies2022(3), 478– 497 (2022)

    Toth, M., Bielova, N., Roca, V.: On dark patterns and manipulation of website publishers by cmps. Proceedings on Privacy Enhancing Technologies2022(3), 478– 497 (2022)

  70. [70]

    Trevisan, M., Traverso, S., Bassi, E., Mellia, M., et al.: 4 years of eu cookie law: Re- sultsandlessonslearned.ProceedingsonPrivacyEnhancingTechnologies2019(2), 126–145 (2019)

  71. [71]

    arXiv preprint arXiv:2110.09832 (2021)

    Van Eijk, R., Asghari, H., Winter, P., Narayanan, A.: The impact of user loca- tion on cookie notices (inside and outside of the european union). arXiv preprint arXiv:2110.09832 (2021)

  72. [72]

    In: Proceedings of the 22nd Workshop on Privacy in the Electronic Society

    Warberg, L., Lefrere, V., Cheyre, C., Acquisti, A.: Trends in privacy dialog design after the gdpr: The impact of industry and government actions. In: Proceedings of the 22nd Workshop on Privacy in the Electronic Society. pp. 107–121 (2023)

  73. [73]

    In: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society

    Wesselkamp, V., Fouad, I., Santos, C., Boussad, Y., Bielova, N., Legout, A.: In- depth technical and legal analysis of tracking on health related websites with ernie extension. In: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society. pp. 151–166 (2021)

  74. [74]

    In: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

    Zhang, M., Meng, W., Zhou, Y., Ren, K.: Cschecker: Revisiting gdpr and ccpa compliance of cookie banners on the web. In: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. pp. 1–12 (2024)