During the past few years, mostly as a result of the GDPR and the CCPA,
websites have started to present users with cookie consent banners. These
banners are web forms where the users can state their preference and declare
which cookies they would like to accept, if such option exists. Although
requesting consent before storing any identifiable information is a good start
towards respecting the user privacy, yet previous research has shown that
websites do not always respect user choices. Furthermore, considering the ever
decreasing reliance of trackers on cookies and actions browser vendors take by
blocking or restricting third-party cookies, we anticipate a world where
stateless tracking emerges, either because trackers or websites do not use
cookies, or because users simply refuse to accept any.

In this paper, we explore whether websites use more persistent and
sophisticated forms of tracking in order to track users who said they do not
want cookies. Such forms of tracking include first-party ID leaking, ID
synchronization, and browser fingerprinting. Our results suggest that websites
do use such modern forms of tracking even before users had the opportunity to
register their choice with respect to cookies. To add insult to injury, when
users choose to raise their voice and reject all cookies, user tracking only
intensifies. As a result, users’ choices play very little role with respect to
tracking: we measured that more than 75% of tracking activities happened before
users had the opportunity to make a selection in the cookie consent banner, or
when users chose to reject all cookies.

By admin