Data protection regulations, such as GDPR and CCPA, require websites and embedded third-parties, especially advertisers, to seek user consent before they can collect and process user data. Only when the users opt in, can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit and convey user consent to the embedded advertisers, with the expectation that the consent will be respected. However, neither the websites nor the regulators currently have any mechanism to audit advertisers' compliance with the user consent, i.e., to determine if advertisers indeed do not collect, process, and share user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess the violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate four of the most widely deployed CMPs, i.e., Didomi, Quantcast, OneTrust, and CookieBot, as well as advertiser-offered opt-out controls, i.e., National Advertising Initiative's opt-out, under GDPR and CCPA. Our results indicate that in many cases user data is unfortunately still being collected, processed, and shared even when users opt-out. We also find that some CMPs are better than the others at conveying user consent and that several ad platforms ignore user consent. Our results also indicate that advertiser-offered opt-out are equally ineffective at protecting user privacy.

翻译：数据保护法规（如GDPR和CCPA）要求网站及嵌入的第三方（尤其是广告商）在收集和处理用户数据前需征得用户同意。只有用户选择同意后，这些实体才能收集、处理及共享用户数据。网站通常采用同意管理平台（CMP），例如OneTrust和CookieBot，以征求用户同意并将其传达给嵌入的广告商，并期望这些同意能被尊重。然而，目前无论是网站还是监管机构，均缺乏审查广告商遵守用户同意的机制，即无法判断用户选择退出时广告商是否确实未收集、处理及共享用户数据。本文提出一个审计框架，利用广告商的出价行为来实证评估数据保护法规的违规情况。通过该框架，我们开展了一项测量研究，评估了四种最广泛部署的CMP（即Didomi、Quantcast、OneTrust和CookieBot）以及广告商提供的退出控制机制（即国家广告倡议的退出选项）在GDPR和CCPA下的表现。结果表明，在许多情况下，即使用户选择退出，用户数据仍不幸地被收集、处理和共享。我们还发现某些CMP在传达用户同意方面优于其他平台，而部分广告平台忽视了用户同意。研究结果同样表明，广告商提供的退出机制在保护用户隐私方面同样无效。