CNIL-Inria 2025 Prize: Are consent banners effective in preventing data tracking?
Date:
Changed on 10/07/2025
On July 1st, 2024, the co-presidents of the CNIL-Inria Award Jury, Benjamin Nguyen and Vincent Toubiana, presented the Privacy Award to Nataliia Bielova, Inria Research Director, Cristiana Santos, assistant professor at Utrecht University School of Law (The Netherlands) and Colin M. Gray, associate professor at Indiana University Bloomington (USA), for their article “Two worlds apart! Closing the gap between regulating EU consent and user studies”.
The award-winning study, published in the Harvard Journal of Law & Technology, is the result of a long-standing transdisciplinary collaboration that started in 2020. It aims to identify the bridges and gaps between computer science research and regulatory compliance in the field of privacy and data protection.
In the context of the EU General Data Protection Regulation (GDPR) and ePrivacy Directive, the study involved an in-depth analysis of, on the one hand, sixteen guidelines issued by regulators suggesting best practices for compliant design of banners requesting users' consent to be tracked on a website; and, on the other, eleven empirical studies of user behavior in front of said banners over the last ten years. “We have identified numerous discrepancies both among the regulators across the EU, and also between the guidelines describing best consent banners, as set out by the regulators, and the actual behavior of users observed in user studies when they interact with such banners”, says Nataliia Bielova, who insists: “It's as if there were two separate worlds: the regulatory guidelines on one side, and the user behavior on the other”.
The regulators acting in each European country don't necessarily agree on the design rules to be applied to make consent banners compliant with European law. What's more, it's very difficult to regulate user interfaces, since there are an infinite number of possibilities. The three researchers, from different disciplines (law, Human-Computer Interaction (HCI), computer science), observed that between best practices that comply with the law and banners that are truly outlawed, there exists a vast grey zone: a zone in which consent practices do not guarantee that users have freely given their consent to be tracked on the website they are visiting.
Manipulative tactics, known as “dark patterns”, are commonly used in such a regulatory gray zone, and it’s been shown how they influence user decision-making and may violate the requirements of the GDPR.
Inria Research Director
To improve the situation, the conclusions of this study formulate concrete recommendations for regulators, and point the academic world to additional user research assessments that would be worthwhile to carry out. “Finally, we recommend that EU regulators, human-computer interaction specialists and design researchers engage in a transdisciplinary dialogue to bridge the gap between EU guidelines and user studies”, concludes Nataliia Bielova.
The article “Log: It's big, it's heavy, it's filled with personal data! Measuring the logging of sensitive information in the Android ecosystem”, co-authored by Allan Lyons, Julien Gamba, Austin Shawaga, Joel Reardon, Juan Tapiador, Serge Egelman and Narseo Vallina-Rodriguez, has also been awarded an accessit to the CNIL-Inria 2025 prize. The award recognises in-depth research into practices in the Android ecosystem, revealing that a large number of Android devices and pre-installed applications record sensitive data, such as user IDs and activity information, in system logs, exposing personal information without users' explicit consent.