“We found that websites still have a long way to go to correctly implement the requirements set out in the General Data Protection Regulation,” Pérez-Solà noted. The GDPR lays out strict user tracking and data collection requirements. Among other things, it requires websites to obtain users’ consent before collecting, processing, or transferring their personal data. Websites must also clearly state why they are collecting this data. For this study, researchers at the Open University of Catalonia, the University of Girona, and the Center for Cybersecurity Research of Catalonia (CYBERCAT) assessed 500 of the most visited websites in Spain “using novel automated methods.” They analyzed how the websites obtain users’ consent for cookies, the types of cookies they use, and whether they use other tracking and data collection techniques such as web beacons and browser fingerprinting.
Only 6.41% of 500 Websites Comply With the GDPR
The researchers found that only 6.41% of the 500 websites comply with the GDPR. A large number of these websites lacked appropriate forms to obtain a visitor’s consent. The researchers also found that, on average, each website used nearly seven tracking cookies and 11 web beacons. Furthermore, 10% of the websites use browser fingerprinting techniques. According to Pérez-Solà, websites generally track users and collect their data to deliver targeted ads. “The purpose of all these techniques is usually to track the online behavior of web users in order to create profiles that can then be used to adjust the advertising that will be shown or the prices that will be offered for services or products,” the researcher from Universitat Oberta de Catalunya (UOC) explained. “Many of the websites analysed inform users of the use of cookies, but either do not wait for their consent to use them or acquire this consent improperly,” Pérez-Solà added.
Novel Automated Tools Used to Analyze Websites
The researchers used novel automated techniques to analyze the web-tracking practices of the top websites in Spain based on Alexa rankings. The sites spanned a range of categories, including government, streaming, and adult content.
“Our method uses a combination of automation and manual inspection. The implemented algorithms automatically browse the analysed websites and take screenshots that are then manually inspected,” Pérez-Solà stated.
The algorithms analyzed the websites’ consent forms, cookies (including detecting hidden cookies), and web beacons. The researchers also relied on a tool called the Website Evidence Collector developed by the European Data Protection Supervisor.
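The kind of check described above can be sketched as follows. This is an added example, not the researchers' code or the Website Evidence Collector's output format: the capture records, the `news.example` hosts, the consent timestamp and the 100-byte beacon threshold are all constructed assumptions, and the rules are audit heuristics rather than legal criteria.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE = "news.example"   # constructed first-party site under audit
CONSENT_AT = 5.0        # assumed: seconds into the visit when "Accept" was clicked
BEACON_MAX_BYTES = 100  # assumed size cut-off for a tracking pixel

# Constructed capture: (time, URL, content type, body size, Set-Cookie header)
CAPTURE = [
    (0.2, "https://news.example/", "text/html", 48210, "sid=a1; Path=/; HttpOnly"),
    (0.9, "https://ads.tracker.example/p.gif?u=77", "image/gif", 43,
     "uid=77; Max-Age=31536000; Path=/"),
    (1.4, "https://cdn.news.example/logo.png", "image/png", 9120, None),
    (6.3, "https://stats.metrics.example/c.js", "application/javascript", 2048,
     "vid=9; Max-Age=86400"),
]

def is_third_party(url, site=SITE):
    """True when the request host is neither the site nor one of its subdomains."""
    host = urlsplit(url).hostname or ""
    return not (host == site or host.endswith("." + site))

def audit(capture, consent_at=CONSENT_AT):
    """Flag persistent third-party cookies set before consent, and web beacons."""
    findings = []
    for t, url, ctype, size, set_cookie in capture:
        host = urlsplit(url).hostname
        third = is_third_party(url)
        if set_cookie:
            jar = SimpleCookie()
            jar.load(set_cookie)
            for name, morsel in jar.items():
                # A cookie with a lifetime outlives the session, so it can track.
                persistent = bool(morsel["max-age"] or morsel["expires"])
                if third and persistent and t < consent_at:
                    findings.append(("pre-consent-cookie", host, name))
        # Tiny third-party image responses are the classic web-beacon shape.
        if third and ctype.startswith("image/") and size <= BEACON_MAX_BYTES:
            findings.append(("web-beacon", host, t < consent_at))
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

The third field of a `web-beacon` finding records whether the beacon fired before the consent click.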
EU data privacy authorities take a very strict stance towards GDPR violations. Therefore, it will be interesting to see how the Spanish Data Protection Agency responds to this report. In 2022, the Belgian Data Protection Authority ruled that Europe’s Interactive Advertising Bureau’s Ad consent framework fell foul of the GDPR.