"The Most Visited Websites in Spain Do Not Comply Correctly with Privacy Laws and Track Their Users"
A small percentage of the 500 most visited websites in Spain comply with the General Data Protection Regulation (GDPR). This is one of the findings of a study conducted by researchers from the Universitat Oberta de Catalunya (UOC), the University of Girona, and the Center for Cybersecurity Research of Catalonia (CYBERCAT). Automated methods were used to analyze web-tracking techniques and compliance with Internet privacy regulations. In addition to the improper and non-consensual use of cookies, these analysis algorithms revealed web-tracking techniques that the typical user is unfamiliar with, such as web beacons and technologies based on the browser's digital fingerprint. The significance of this research extends beyond the analysis results to the algorithms used to examine compliance with online privacy laws. Due to the massive amount of pages and platforms on the Internet, it is necessary to use automation, as manually examining each case would be impossible. In addition, some web-tracking techniques are difficult to detect because there are no visible indicators of their presence. In order to overcome these obstacles, the researchers devised a proprietary system consisting of four algorithms and a measure called "Websites Degree of Confidence" to evaluate the condition of regulatory compliance. The Consent Inspector Algorithm (CIA) collects clear images of cookie banners and detects buttons that should enable users to modify the use of these tracking elements. The Website Evidence Collector (WEC) collects information on the various web-tracking mechanisms used by each website. Based on the data provided by the WEC, the Cookies Detector Algorithm (CDA) classifies the cookies that websites use in browsers without user consent. In addition to extracting web beacons detected by the WEC, the Web Beacons Detection Algorithm (BDA) identifies browser fingerprinting techniques. This article continues to discuss the widespread non-compliance with privacy laws and the new algorithms used to analyze compliance with the GDPR.