Measuring Compliance of Consent Revocation on the Web

📅 2024-11-23
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study presents a systematic empirical evaluation of GDPR-compliant consent withdrawal mechanisms across the top-200 websites and 281 sites implementing the IAB Europe Transparency and Consent Framework (TCF), addressing a gap in privacy compliance research: prior work measured consent acceptance, not revocation. The authors combine automated crawling, browser extension-based monitoring, HTTP traffic analysis, TCF protocol parsing, and manual validation. Their audit assesses (i) the usability of withdrawal interfaces, (ii) whether cookies set under consent are actually deleted after withdrawal, and (iii) whether the withdrawal signal reaches the third parties that were previously authorized. The results show widespread non-compliance: 2.48% of sites provide no withdrawal mechanism at all; 57.5% do not delete stored cookies after withdrawal; on 101 sites, third parties that received consent are never told about its revocation; and 22 TCF implementations still store a positive consent after the user has withdrawn it. Taken together, the findings point to failures at three levels, interface design, data handling on the site itself, and ecosystem-wide propagation of the revocation signal, and give regulators and privacy engineers concrete evidence to act on.

📝 Abstract
The GDPR requires websites to facilitate the right to revoke consent from Web users. While numerous studies have measured compliance with the various requirements for valid consent, no prior work has studied consent revocation on the Web. It therefore remains unclear how difficult it is to revoke consent through websites' interfaces, and whether revoked consent is properly stored and communicated behind the user interface. Our work aims to fill this gap by measuring compliance of consent revocation on the top-200 websites. We found that 19.87% of websites make it difficult for users to revoke consent across different interfaces, 20.5% of websites require more effort to revoke consent than to accept it, and 2.48% do not provide consent revocation at all, thus violating the legal requirements for valid consent. 57.5% of websites do not delete cookies after consent revocation, enabling continued illegal processing of users' data. Moreover, we analyzed 281 websites implementing the IAB Europe TCF and found 22 websites that store a positive consent despite the user's revocation. Surprisingly, we found that on 101 websites, third parties that received consent upon the user's acceptance are not informed of the user's revocation, leading to illegal processing of users' data by those third parties. Our findings emphasise the need for improved legal compliance of consent revocation, and for proper, consistent, and uniform implementation of revocation communication and data deletion practices.
Problem

Research questions and friction points this paper is trying to address.

Measuring GDPR compliance of consent revocation on websites
Assessing difficulty and proper storage of revoked consent
Analyzing third-party communication after consent revocation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Measuring compliance of consent revocation on top websites
Analyzing IAB Europe TCF implementation for consent storage
Identifying illegal data processing post-revocation by third parties