Johnny Can’t Revoke Consent Either: Measuring Compliance of Consent Revocation on the Web

Authors: Gayatri Priyadarsini Kancherla (Indian Institute of Technology Gandhinagar), Nataliia Bielova (Inria Centre at University Côte d'Azur), Cristiana Santos (Utrecht University), Abhishek Bichhawat (Indian Institute of Technology Gandhinagar)

Volume: 2025
Issue: 4
Pages: 329–347
DOI: https://doi.org/10.56553/popets-2025-0133


Abstract: The EU General Data Protection Regulation (GDPR) requires websites to facilitate the right to revoke consent from Web users. Prior works have examined consent management by auditing that user choices are correctly stored, and comparing cookies set upon acceptance versus rejection to assess compliance. While these studies measured compliance of consent with respect to the various consent requirements, no prior work has studied consent revocation on the Web. Therefore, it is unclear how difficult it is to revoke consent on the websites’ interfaces, and whether the revoked consent is properly stored and communicated behind the user interface. Our work aims to fill this gap by measuring compliance of consent revocation on the Web on Tranco’s top-200 websites. We found that 19.87% of websites make it difficult for users to revoke consent throughout different interfaces, 20.5% of websites require more effort than acceptance, and 2.48% do not provide consent revocation at all, thus violating EU legal requirements for valid consent. 57.5% of websites do not delete the cookies after consent revocation, enabling continuous illegal processing of users’ data. Further, we analyzed 281 websites implementing the IAB Europe Transparency & Consent Framework, and found 22 websites that store a positive consent despite the user’s revocation. Surprisingly, we found that on 101 websites, third parties that have received consent upon the user’s acceptance are not informed of revocation, leading to the illegal processing of users’ data by such third parties according to EU laws. Our findings emphasize the need for improved legal compliance of consent revocation, and proper, consistent, and uniform implementation of revocation communication to third parties.

Keywords: Consent revocation, consent withdrawal, opt-out, GDPR, consent banners

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.