Recent privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have established legal requirements for obtaining user consent for the collection, use, and sharing of personal data. These regulations emphasize that consent must be informed, freely given, specific, and unambiguous. Violations nonetheless remain common, which highlights a gap between legal expectations and actual implementation. Consent mechanisms embedded in functional web forms play a critical role in ensuring compliance with data protection regulations such as the GDPR and CCPA, as well as in upholding user autonomy and trust. However, current research has focused primarily on cookie banners and mobile app dialogs. Web forms, by contrast, are diverse in structure, vary in their legal basis, and are often difficult to locate or evaluate, which makes automated consent compliance auditing a significant challenge. In this work, we present Cosmic, a novel automated framework for detecting consent-related privacy violations in web forms. We evaluate the tool for auditing consent compliance in web forms across 5,823 websites and 3,598 forms. Cosmic detects 3,384 violations on 94.1% of consent forms, covering key GDPR principles such as freely given consent, purpose disclosure, and withdrawal options. It achieves a TPR of 98.6% for consent detection and 99.1% for violation detection, demonstrating high accuracy and real-world applicability.
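Each of the three GDPR principles the abstract names (freely given consent, purpose disclosure, withdrawal options) maps to a property of a form that can be checked mechanically. The following Python script is an added illustration of that mapping, not Cosmic's own code or method: it uses only the standard library, and its keyword patterns and the sample HTML (two constructed forms, the first tripping all three checks and the second passing) are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

CONSENT_RE = re.compile(r"\b(consent|agree|opt[- ]?in|subscribe)\b", re.I)
PURPOSE_RE = re.compile(r"\b(purpose|in order to|so that we can|to send you)\b", re.I)
WITHDRAW_RE = re.compile(r"\b(withdraw|unsubscribe|revoke|opt[- ]?out)\b", re.I)

class FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None  # all forms seen; the form currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"checkboxes": [], "text": ""}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("type", "").lower() == "checkbox":
            # a bare `checked` attribute is present in the dict with value None, so test membership
            self._cur["checkboxes"].append({"name": a.get("name", ""), "checked": "checked" in a})

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += " " + data.strip()

def audit_form(form):
    text = form["text"]
    if not CONSENT_RE.search(text):
        return []  # no consent language: out of scope for these checks
    findings = []
    if any(cb["checked"] for cb in form["checkboxes"]):
        findings.append("pre-ticked consent checkbox (consent not freely given)")
    if not PURPOSE_RE.search(text):
        findings.append("no purpose disclosure near the consent request")
    if not WITHDRAW_RE.search(text):
        findings.append("no information on how to withdraw consent")
    return findings

def audit_page(html):
    scanner = FormScanner()
    scanner.feed(html)
    return [audit_form(f) for f in scanner.forms]  # one findings list per form
SAMPLE_HTML = """<form action="/signup"><label><input type="checkbox" name="marketing" checked>
I agree to receive marketing emails</label><button>Sign up</button></form>
<form action="/newsletter"><label><input type="checkbox" name="newsletter"> I agree to receive the
newsletter for the purpose of product updates. Withdraw at any time via the unsubscribe link.</label></form>"""
```

Keyword heuristics of this kind produce false positives and negatives on real sites, which is why a tool such as Cosmic is evaluated on its TPR rather than assumed correct.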