Checking Websites’ GDPR Consent Compliance for Marketing Emails

Authors: Karel Kubicek karel.kubicek@inf.ethz.ch, Jakob Merane, Carlos Cotrini, Alexander Stremitzer, Stefan Bechtold, and David Basin

Abstract: The sending of marketing emails is regulated to protect users from unsolicited emails. For instance, the European Union’s ePrivacy Directive states that marketers must obtain users’ prior consent, and the General Data Protection Regulation (GDPR) specifies further that such consent must be freely given, specific, informed, and unambiguous.

Based on these requirements, we design a labeling of legal characteristics for websites and emails. This leads to a simple decision procedure that detects potential legal violations. Using our procedure, we evaluated 1000 websites and the 5000 emails resulting from registering to these websites. Both datasets and evaluations are available upon request. We find that 21.9% of the websites contain potential violations of privacy and unfair competition rules, either in the registration process (17.3%) or email communication (17.7%). We demonstrate with a statistical analysis the possibility of automatically detecting such potential violations.

Bibtex

@article{kubicek2022checking,
  title={Checking Websites' {GDPR} Consent Compliance for Marketing Emails},
  author={Karel Kubicek and Jakob Merane and Carlos Cotrini and Alexander Stremitzer and Stefan Bechtold and David Basin},
  journal={Proceedings on Privacy Enhancing Technologies},
  volume={2022},
  number={2},
  pages={282-303},
  year={2022},
  publisher={Sciendo},
  doi={10.2478/popets-2022-0046}
}

Websites are sending unsolicited emails

To register for web services, users generally must provide their email addresses. Unfortunately, this information can be used by companies to send unsolicited marketing emails, advertising their products and services. Given how common this practice is, users often do not remember ever registering for a service. Countries counteract these practices by regulations on privacy (GDPR, ePrivacy Directive) and unfair competition (Unfair Competition Act). In this work, we analyze the effectiveness of these regulations.

Annotated dataset

We explain the content of the individual datasets below. Note that the dataset is available only upon request (via the request form), as it contains sensitive data about the websites.

666 websites

From 1k English and German websites, it was possible to register on 666 of them. Our legal assistants annotated these websites with 21 legal properties, summarized in the figure below.

Figure: Statistics of annotated properties. The overview of the annotated properties in the 666 websites where annotators successfully registered.

5k emails

For each annotation, we created a unique email address so that we can link every email to the website where we registered. We received about 10k emails, of which we annotated 5k with their purpose.

Figure: Statistics of annotated properties.

We also checked whether the emails contain a legal notice and an unsubscribe link, whether they include the user-provided password in plaintext, and whether the email address was used by multiple parties (third-party sharing).
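One way to encode the per-registration alias idea and the email checks above, as an added illustration that is not the study's own tooling: the alias scheme `study+<site>@example.org`, the subdomain-based first-party heuristic for detecting third-party sharing, and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Email:
    to: str      # per-registration alias the message was delivered to
    sender: str  # From: address
    body: str    # plain-text body

# Assumed alias scheme (not the study's): one alias "study+<site>@example.org"
# per registration, so every message links back to the website it came from.
ALIAS_RE = re.compile(r"^study\+([a-z0-9.-]+)@example\.org$")

def registered_site(alias):
    m = ALIAS_RE.match(alias.lower())
    return m.group(1) if m else None

def check_email(msg, password):
    """Flag three email properties the page lists; 'site' is None for unlinked mail."""
    site = registered_site(msg.to)
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    # Mail from the registered site or one of its subdomains counts as first party.
    first_party = site is not None and (domain == site or domain.endswith("." + site))
    return {
        "site": site,
        "third_party_sharing": site is not None and not first_party,
        "plaintext_password": bool(password) and password in msg.body,
        "missing_unsubscribe": re.search(r"unsubscribe|abmelden", msg.body, re.I) is None,
    }

def audit(emails, passwords):
    """Aggregate per-site counts of each finding over all messages."""
    report = {}
    for msg in emails:
        f = check_email(msg, passwords.get(registered_site(msg.to)))
        site = f.pop("site")
        entry = report.setdefault(site, dict.fromkeys(f, 0))
        for k, v in f.items():
            entry[k] += int(v)
    return report

# Constructed sample data: two registrations, three messages.
PASSWORDS = {"shop.example": "Tr0ub4dor&3", "news.example": "correct-horse"}
SAMPLE = [
    Email("study+shop.example@example.org", "welcome@shop.example",
          "Thanks for registering. Your password is Tr0ub4dor&3. Unsubscribe here."),
    Email("study+shop.example@example.org", "deals@partner-ads.example",
          "Great offers this week!"),
    Email("study+news.example@example.org", "noreply@mail.news.example",
          "Weekly digest. Abmelden: https://news.example/abmelden"),
]
```

Running `audit(SAMPLE, PASSWORDS)` attributes the partner-ads message to the shop registration, which is exactly the linkage the unique alias provides.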

Observations

Using the legal properties, we can decide three types of potential violations in the consent obtained for sending marketing emails. For the emails themselves, we define five further types of potential violations.

Figures: Violation types (left) and violations histogram (right). On the left is the summary of all violation types inspected in this study, split according to the websites’ Alexa rank. On the right is the histogram of all websites in our study.

Limitations

Our work is limited in the following aspects.

Future work

We have since automated the violation detection; the follow-up work analyzing the compliance of 660k websites was published at The Web Conference 2024, see this post.

Q&A

Acknowledgement

The authors would like to thank:

Updates