Intractable Cookie Crumbs: Unveiling the Nexus of Stateful Banner Interaction and Tracking Cookies

Authors: Ali Rasaii (Max Planck Institute for Informatics), Ha Dao (Max Planck Institute for Informatics), Anja Feldmann (Max Planck Institute for Informatics), Mohammadmahdi Javid (Max Planck Institute for Informatics), Oliver Gasser (IPinfo), Devashish Gosain (Indian Institute of Technology Bombay)

Volume: 2025
Issue: 4
Pages: 429–445
DOI: https://doi.org/10.56553/popets-2025-0138

Abstract: In response to the ePrivacy Directive and the consent requirements introduced by the GDPR, websites began deploying consent banners to obtain user permission for data collection and processing. However, due to shared third-party services and technical loopholes, non-consensual cross-site tracking can still occur. In fact, contrary to user expectations of seemingly isolated consent, a user's decision on one website may affect tracking behavior on others. In this study, we investigate the technical and behavioral mechanisms behind these discrepancies. Specifically, we disclose a persistent tracking mechanism exploiting web cookies. These cookies, which we refer to as intractable, are initially set on websites with accepted banners, persist in the browser, and are subsequently sent to trackers before the user provides explicit consent on other websites. To meticulously analyze this covert tracking behavior, we conduct an extensive measurement study performing stateful crawls on over 20k domains from the Tranco top list, strategically accepting banners in the first half of domains and measuring intractable cookies in the second half. Our findings reveal that around 50% of websites send at least one intractable cookie, with the majority set to expire after more than 10 days. In addition, enabling the Global Privacy Control (GPC) signal initially reduces the number of intractable cookies by 30% on average, with a further 32% reduction possible on subsequent visits by rejecting the banners. Moreover, websites with Consent Management Platform (CMP) banners, on average, send 6.9 times more intractable cookies compared to those with native banners. Our research further reveals that even if users reject all other banners, they still receive a large number of intractable cookies set by websites with cookie paywalls. 
Additionally, our measurement on the partitioned cookies (cookies that are restricted to the top-level site and thus mitigate cross-site tracking) shows that only 1.3% of tracking cookies are marked as such, indicating their minimal impact on cross-site tracking via intractable cookies.
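
The abstract's definition of an intractable cookie can be expressed as a check over stateful crawl records. The following is an added example, not the authors' measurement code; the record layout, the `.example` domains and the tracker list are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed record layout (assumption): one row per Set-Cookie seen after
# accepting a banner, and one per cookie sent before any banner interaction.
SetEvent = namedtuple("SetEvent", "top_site domain name expires partitioned")
SendEvent = namedtuple("SendEvent", "top_site host name when")

def domain_match(host, domain):
    """Simplified cookie domain-match: exact host or a subdomain of it."""
    domain = domain.lstrip(".")
    return host == domain or host.endswith("." + domain)

def find_intractable(sets, sends, trackers):
    """Return (visited_site, cookie_domain, name, origin_site) for each cookie
    set on an accepted site and later sent to a tracker on a different site."""
    hits = []
    for s in sends:
        if not any(domain_match(s.host, t) for t in trackers):
            continue  # request does not go to a listed tracker
        for c in sets:
            if (c.name == s.name and domain_match(s.host, c.domain)
                    and c.top_site != s.top_site   # crossed a site boundary
                    and not c.partitioned          # partitioned jar is per top-level site
                    and c.expires > s.when):       # still alive when sent
                hits.append((s.top_site, c.domain, c.name, c.top_site))
                break
    return hits

T0 = datetime(2025, 1, 1)        # constructed crawl start time
TRACKERS = {"tracker.example"}   # hypothetical tracker list
SETS = [  # phase 1: banner accepted on news.example
    SetEvent("news.example", ".tracker.example", "uid", T0 + timedelta(days=365), False),
    SetEvent("news.example", ".tracker.example", "sess", T0 + timedelta(minutes=5), False),
    SetEvent("news.example", "cdn.tracker.example", "pid", T0 + timedelta(days=30), True),
    SetEvent("news.example", "news.example", "prefs", T0 + timedelta(days=30), False),
]
SENDS = [  # phase 2: shop.example visited, banner not yet answered
    SendEvent("shop.example", "px.tracker.example", "uid", T0 + timedelta(hours=1)),
    SendEvent("shop.example", "px.tracker.example", "sess", T0 + timedelta(hours=1)),
    SendEvent("shop.example", "cdn.tracker.example", "pid", T0 + timedelta(hours=1)),
    SendEvent("shop.example", "shop.example", "cart", T0 + timedelta(hours=1)),
]

if __name__ == "__main__":
    for hit in find_intractable(SETS, SENDS, TRACKERS):
        print(hit)
```

Only `uid` is flagged: `sess` had expired by the time of the second visit, `pid` is partitioned and therefore cannot be the cookie set under `news.example`, and `cart` is a first-party cookie.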

Keywords: Privacy Regulation, GDPR, Tracking Cookies, Web Tracking, Cookie Banner, Intractable Cookies, Cross-Site Tracking

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.