Johnny Still Can't Opt-out: Assessing the IAB CCPA Compliance Framework

Authors: Muhammad Abu Bakar Aziz (Northeastern University), Christo Wilson (Northeastern University)

Volume: 2024
Issue: 4
Pages: 349–363
DOI: https://doi.org/10.56553/popets-2024-0120

Artifact: Available

Abstract: The privacy laws and regulations that govern the collection, sharing, and selling of online data are changing. In the U.S., California adopted the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and twelve other U.S. states have adopted similar laws. Industry has responded by developing technical standards for collecting and disseminating consent information, such as the IAB CCPA Compliance Framework. While publishers are adopting this framework and the IAB is extending it to cover privacy laws in other U.S. states, recent work has observed that opt-out signals are not being honored under the framework.

In this study, we take a deep dive into the IAB CCPA Compliance Framework to measure end-to-end flows of consent information and better understand why opt-out signals are not being honored. Using data crawled from top websites under different experimental conditions, we examine overall adoption of the framework, the flow of consent information from publishers to third parties and between third parties, and finally the reach of opt-out signals. Our results uncover numerous issues with the adoption and implementation of the framework that prevent users' consent choices from being honored by third parties.

Keywords: California Consumer Privacy Act, Internet Advertising Bureau U.S. Privacy Framework, Global Privacy Control

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.