Data protection regulations, such as GDPR and CCPA, require websites and embedded third parties, especially advertisers, to seek user consent before they can collect and process user data. Only when users opt in can these entities collect, process, and share user data. Websites typically incorporate Consent Management Platforms (CMPs), such as OneTrust and CookieBot, to solicit user consent and convey it to the embedded advertisers, with the expectation that the consent will be respected. However, neither websites nor regulators currently have any mechanism to audit advertisers' compliance with user consent, i.e., to determine whether advertisers indeed stop collecting, processing, and sharing user data when the user opts out. In this paper, we propose an auditing framework that leverages advertisers' bidding behavior to empirically assess violations of data protection regulations. Using our framework, we conduct a measurement study to evaluate two of the most widely deployed CMPs, i.e., OneTrust and CookieBot, as well as advertiser-offered opt-out controls, i.e., the National Advertising Initiative's opt-out, under GDPR and CCPA -- arguably two of the most mature data protection regulations. Our results indicate that user data is unfortunately still being collected, processed, and shared even when users opt out. Our findings suggest that several prominent advertisers (e.g., AppNexus, PubMatic) might be in potential violation of GDPR and CCPA. Overall, our work casts doubt on whether regulations are effective at protecting users' online privacy.