A history of GDPR cookie banner compliance: the roles of publishers, regulators and CMPs

📅 2026-06-30
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the persistent challenges in ensuring genuine user choice through GDPR-compliant cookie banners, which are shaped by the interplay among publishers, regulatory authorities, and Consent Management Platforms (CMPs). Through a large-scale longitudinal crawl of 11,364 websites across 30 countries, combined with quantitative compliance metrics and regulatory enforcement data, this work provides the first empirical evidence of a strong correlation between active regulatory enforcement and improved website compliance. The findings reveal that the presence of a “Reject All” button—a key indicator of compliance—increased from 2.94% in 2018 to 30.66% in 2024, underscoring publishers as the primary drivers of this improvement. In contrast, CMPs exhibit minimal responsiveness to regulatory developments, highlighting an urgent need for more stringent oversight of these platforms.
📝 Abstract
Since the introduction of the GDPR in 2018, cookie banners have become the primary mechanism for users to express preferences on online tracking and advertising. Consequently, their visual design and the options they present significantly influence user choice. Over time, the cookie banner landscape has evolved under the influence of key players, including publishers (website owners), regulators, and Consent Management Platforms (CMPs). This paper presents an in-depth analysis of the roles of these three key actors and an examination of their impact on cookie banners' design and implementation within the context of EU law. Our results, based on a historical evaluation of 11364 websites across 30 countries, indicate a positive evolution in the privacy landscape, with the compliance rate for websites featuring a "reject all" button increasing from 2.94% in 2018 to 30.66% in 2024. We analyze Data Protection Authority (DPA) activity and find a clear correlation between higher compliance rates and stronger regulatory action and guidance. Our experiments further show that compliance improvements are primarily driven by website owners, with CMPs showing little response to regulatory action or (indirect) influence on compliance rates. Our findings highlight the importance of more uniform collaboration and guidance among EU-level regulators to reduce interpretive divergence and simplify cookie banner compliance, as well as the need for regulatory oversight of CMPs, which in turn could significantly enhance privacy for many websites and users. Our work provides a foundation for academics, regulators, and industry to develop more effective strategies to motivate key players and promote greater user privacy.
Problem

Research questions and friction points this paper is trying to address.

GDPR
cookie banner
compliance
Consent Management Platforms
regulatory oversight
Innovation

Methods, ideas, or system contributions that make the work stand out.

GDPR compliance
cookie banners
Consent Management Platforms
regulatory enforcement
online tracking
🔎 Similar Papers
No similar papers found.