Checking Websites’ GDPR Consent Compliance for Marketing Emails

Authors: Karel Kubíček (ETH Zurich), Jakob Merane (ETH Zurich), Carlos Cotrini (ETH Zurich), Alexander Stremitzer (ETH Zurich), Stefan Bechtold (ETH Zurich), David Basin (ETH Zurich)

Volume: 2022
Issue: 2
Pages: 282–303
DOI: https://doi.org/10.2478/popets-2022-0046


Abstract: The sending of marketing emails is regulated to protect users from unsolicited emails. For instance, the European Union’s ePrivacy Directive states that marketers must obtain users’ prior consent, and the General Data Protection Regulation (GDPR) further specifies that such consent must be freely given, specific, informed, and unambiguous. Based on these requirements, we design a labeling of legal characteristics for websites and emails. This leads to a simple decision procedure that detects potential legal violations. Using our procedure, we evaluated 1000 websites and the 5000 emails that resulted from registering on these websites. Both datasets and evaluations are available upon request. We find that 21.9% of the websites contain potential violations of privacy and unfair competition rules, either in the registration process (17.3%) or in email communication (17.7%). Using a statistical analysis, we demonstrate that such potential violations can be detected automatically.

Keywords: marketing email, website registration, ePrivacy Directive, GDPR, consent, compliance, privacy

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.