Automated Detection of GDPR Violations in Cookie Notices Using Machine Learning

Abstract

Privacy regulations such as the General Data Protection Regulation require websites to inform EU-based users of the collection of their data and to request their consent to use non-essential cookies. This led to a global adaptation of cookie notices. Several studies showed that websites’ implementation of cookie notices tends to violate these regulations. However, most of these studies focused on a limited subset of websites, detected only simple violations using prescribed patterns, or restricted their analysis to only the first layer of cookie notices. This master’s thesis addresses these limitations. Our method automatically navigates through cookie notices using several heuristics, extracts their text, observes declared processing purposes and available consent options with Natural Language Processing, and analyzes websites’ cookies. We find that 47% of websites are highly susceptible of collecting users’ data despite negative consent, and that around 61% of cookie notices do not offer users the option to opt-out of consent.