
The Digital Placebo: How "Reject All" Buttons Often Fail to Protect Your Privacy

What if the "Reject All" button you click on every website is nothing more than a digital placebo? For years, regulators have promised that laws like the GDPR and CCPA would return control to the consumer, forcing advertisers to stop selling your browsing habits the moment you say "no." New research suggests that for a staggering number of websites, those choices are being ignored.

By auditing the Alexa Top-100K websites, researchers have uncovered a massive gap between the privacy controls you see on your screen and the high-speed data auctions happening behind it. This matters because your digital identity (your health concerns, your financial status, your interests) is being liquidated in real time. Even after opting out, advertisers appear to be utilizing your data to drive up the price of the ads you see, treating your "no" as a mere suggestion rather than a legal mandate.

The Auditing Framework

The study, published in the Proceedings on Privacy Enhancing Technologies (PETS 2024), provides a detailed look at this compliance gap.

Scope & Methodology

The research focused on a subset of N=352 sites using major Consent Management Platforms (CMPs) and transparent bidding technology. It utilized an automated framework to simulate 16 interest-based personas and measure how data was treated after users clicked "Reject All."

The audit revealed how user data is often still traded, even after an explicit opt-out, depending on the platform in use.

Cookiebot: The Ineffective Gatekeeper

Under the Cookiebot platform, researchers found no significant difference in bidding patterns between opt-out and opt-in cohorts for most personas (p > 0.05). This indicates your data was often treated as fair game regardless of your legal choice.

OneTrust: The Bizarre Technical Reality

In the U.S., the audit revealed that cookie syncing events—where advertisers swap data about you—persisted at high frequencies on the OneTrust platform. Intriguingly, under CCPA opt-out conditions, there were an average of 96 events, compared to 81 events when a user actually opted in.

The Financial Leak: Bid Values Remain High

The data confirms the privacy leak has a direct financial impact. For a "Science" persona under GDPR, bid values remained up to 8.2x higher than the Control persona despite an explicit opt-out. This premium indicates advertisers still identified the user and valued their data, in direct violation of the user's choice.

Didomi: Limited, But Some Effectiveness

The Didomi platform showed more promising results, with researchers noting significant changes in advertiser behavior (p < 0.05 and effect sizes of 0.15–0.37). However, it still failed to stop tracking entirely, demonstrating that no current solution offers complete protection.
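
The opt-in versus opt-out comparison behind the p-values and effect sizes quoted for Cookiebot and Didomi can be sketched as follows. This is an added example, not code from the study or from this article: the permutation test, Cliff's delta as the effect size, the function names and the bid values are all assumptions made for illustration, since the article does not name the statistics the researchers used.

```python
import random
from statistics import mean

def cliffs_delta(a, b):
    """Effect size in [-1, 1]: share of pairs with a > b minus share with a < b."""
    greater = sum(x > y for x in a for y in b)
    less = sum(x < y for x in a for y in b)
    return (greater - less) / (len(a) * len(b))

def permutation_p_value(a, b, rounds=5000, seed=0):
    """Two-sided permutation test on the difference in mean bid value."""
    rng = random.Random(seed)          # fixed seed keeps the audit reproducible
    observed = abs(mean(a) - mean(b))
    pooled = list(a) + list(b)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)            # reassign bids to cohorts at random
        diff = abs(mean(pooled[:len(a)]) - mean(pooled[len(a):]))
        if diff >= observed - 1e-12:   # tolerance for float rounding
            hits += 1
    return (hits + 1) / (rounds + 1)   # add-one correction: p is never 0

def audit_persona(opt_in_bids, opt_out_bids, alpha=0.05):
    """Compare the bids one persona attracts with and without consent."""
    p = permutation_p_value(opt_in_bids, opt_out_bids)
    return {
        "p_value": p,
        "effect_size": cliffs_delta(opt_in_bids, opt_out_bids),
        # Only a significant difference suggests the opt-out reached bidders.
        "opt_out_changed_bidding": p < alpha,
    }

# Constructed CPM bid values for one persona (not data from the study).
IGNORED_IN = [0.42, 0.55, 0.61, 0.48, 0.70, 0.52, 0.66, 0.58]
IGNORED_OUT = [0.45, 0.53, 0.63, 0.47, 0.68, 0.54, 0.64, 0.60]
HONORED_IN = [0.90, 1.10, 1.25, 0.95, 1.40, 1.05, 1.30, 1.15]
HONORED_OUT = [0.10, 0.15, 0.12, 0.20, 0.11, 0.18, 0.14, 0.16]

if __name__ == "__main__":
    for label, a, b in [("opt-out ignored", IGNORED_IN, IGNORED_OUT),
                        ("opt-out honored", HONORED_IN, HONORED_OUT)]:
        print(label, audit_persona(a, b))
```

A result with `opt_out_changed_bidding` set to false corresponds to the Cookiebot-style finding: bids on the opted-out cohort are statistically indistinguishable from bids on the opted-in cohort.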

Why the "Reject" Button Fails

The study points to several technical reasons why privacy controls are being bypassed.

Root Causes of the Leak

The privacy "leak" often happens due to two primary factors:

  • Developer Misconfiguration: Tools are often set up incorrectly.
  • Advertiser Evasion: Advertisers use "side-channels" like browser fingerprinting to bypass cookie blocks entirely.

Important Limitations & Caveats

While the findings are significant, the researchers note important boundaries to their study.

Scope of the Audit

  • The findings are limited to client-side bidding.
  • Modern "black box" auctions, such as Google Open Bidding, remain invisible to this type of external audit.
  • The study used cloud provider IP addresses in Frankfurt and California, meaning some advertisers might treat residential traffic differently.

The Broken Enforcement Layer & A Path Forward

Ultimately, the data paints a concerning picture of the current state of digital privacy enforcement. While regulations have led to €1.6 billion in fines, the technical infrastructure that is supposed to enforce user choice remains broken.

The scientists' primary recommendation is clear: privacy-conscious users should not rely on a button. Until the underlying infrastructure changes, they suggest keeping your ad-blockers running.


Reference:
Liu, Z., Iqbal, U., & Saxena, N. (2023). Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy? Proceedings on Privacy Enhancing Technologies (PETS 2024).