Semantics-Aware Cookie Purpose Compliance

Baiqi Chen; Jiawei Lyu; Tingmin Wu; Mohan Baruwal Chhetri; Guangdong Bai

doi:10.1145/3696410.3714746

Semantics-Aware Cookie Purpose Compliance

Baiqi Chen, Jiawei Lyu, Tingmin Wu, Mohan Baruwal Chhetri, Guangdong Bai^*

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

1 Citation (Scopus)

Abstract

Websites commonly display cookie banners to inform users about the use and purposes of cookies. However, they may still, whether intentionally or unintentionally (e.g., due to third-party libraries imported), mis-declare cookies that may be abused for tracking. In this work, we introduce Coover (cookie value examiner) to assess the non-compliance between the website-declared purpose and the semantic-intended purpose of cookies (denoted as potential cookie purpose violation). We advocate that the value of the cookie is a more reliable indicator of its semantic-intended purpose compared to other features such as expiration time. Coover decomposes the cookie value into primitive segments representing minimal semantic units, and fine-tunes a GPT-3.5 model to automatically interpret their value-inferred semantics. Based on the interpretation, it classifies cookies into four GDPR-defined purposes. Coover achieves an F1 score of 95%, significantly outperforming other methods. We employ Coover to analyze Alexa Top 1k websites to understand the status quo of potential cookie purpose violation on the web. Remarkably, out of 15,339 cookies across these websites, only 3.1% quality as truly necessary cookies, while 44.1% of websites suffer from issues of potential purpose violation. © 2025 the owner/author(s).

Original language	English
Title of host publication	WWW '25 - Proceedings of the ACM Web Conference 2025
Place of Publication	New York, NY
Publisher	Association for Computing Machinery
Pages	1602-1613
Number of pages	12
ISBN (Print)	9798400712746
DOIs	https://doi.org/10.1145/3696410.3714746
Publication status	Published - Apr 2025
Externally published	Yes
Event	34th ACM Web Conference (WWW’25) - Sydney Convention & Exhibition Centre, Sydney, Australia Duration: 28 Apr 2025 → 2 May 2025 https://www2025.thewebconf.org/

Publication series

Name	WWW - Proceedings of the ACM Web Conference

Conference

Conference	34th ACM Web Conference (WWW’25)
Abbreviated title	WWW 2025
Place	Australia
City	Sydney
Period	28/04/25 → 2/05/25
Internet address	https://www2025.thewebconf.org/

Funding

We thank reviewers for their insightful comments. This research has been partially supported by Australian Research Council Discovery Projects (DP230101196, DP240103068). Baiqi Chen is supported by the University of Queensland and CSIRO’s Data61 PhD scholarship.

Research Keywords

cookie policy
cookies
privacy compliance

Publisher's Copyright Statement

This full text is made available under CC-BY 4.0. https://creativecommons.org/licenses/by/4.0/

Access Output

10.1145/3696410.3714746

382960254.pdfFinal Published version, 3.34 MBLicence: CC BY

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{a3eb1b7d0c9247c7bf778f1545867538,

title = "Semantics-Aware Cookie Purpose Compliance",

abstract = "Websites commonly display cookie banners to inform users about the use and purposes of cookies. However, they may still, whether intentionally or unintentionally (e.g., due to third-party libraries imported), mis-declare cookies that may be abused for tracking. In this work, we introduce Coover (cookie value examiner) to assess the non-compliance between the website-declared purpose and the semantic-intended purpose of cookies (denoted as potential cookie purpose violation). We advocate that the value of the cookie is a more reliable indicator of its semantic-intended purpose compared to other features such as expiration time. Coover decomposes the cookie value into primitive segments representing minimal semantic units, and fine-tunes a GPT-3.5 model to automatically interpret their value-inferred semantics. Based on the interpretation, it classifies cookies into four GDPR-defined purposes. Coover achieves an F1 score of 95%, significantly outperforming other methods. We employ Coover to analyze Alexa Top 1k websites to understand the status quo of potential cookie purpose violation on the web. Remarkably, out of 15,339 cookies across these websites, only 3.1% quality as truly necessary cookies, while 44.1% of websites suffer from issues of potential purpose violation. {\textcopyright} 2025 the owner/author(s).",

keywords = "cookie policy, cookies, privacy compliance",

author = "Baiqi Chen and Jiawei Lyu and Tingmin Wu and {Baruwal Chhetri}, Mohan and Guangdong Bai",

year = "2025",

month = apr,

doi = "10.1145/3696410.3714746",

language = "English",

isbn = "9798400712746",

series = "WWW - Proceedings of the ACM Web Conference",

publisher = "Association for Computing Machinery",

pages = "1602--1613",

booktitle = "WWW '25 - Proceedings of the ACM Web Conference 2025",

address = "United States",

note = "34th ACM Web Conference (WWW{\textquoteright}25), WWW 2025 ; Conference date: 28-04-2025 Through 02-05-2025",

url = "https://www2025.thewebconf.org/",

}

Chen, B, Lyu, J, Wu, T, Baruwal Chhetri, M & Bai, G 2025, Semantics-Aware Cookie Purpose Compliance. in WWW '25 - Proceedings of the ACM Web Conference 2025. WWW - Proceedings of the ACM Web Conference, Association for Computing Machinery, New York, NY, pp. 1602-1613, 34th ACM Web Conference (WWW’25), Sydney, New South Wales, Australia, 28/04/25. https://doi.org/10.1145/3696410.3714746

Semantics-Aware Cookie Purpose Compliance. / Chen, Baiqi; Lyu, Jiawei; Wu, Tingmin et al.
WWW '25 - Proceedings of the ACM Web Conference 2025. New York, NY: Association for Computing Machinery, 2025. p. 1602-1613 (WWW - Proceedings of the ACM Web Conference).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Semantics-Aware Cookie Purpose Compliance

AU - Chen, Baiqi

AU - Lyu, Jiawei

AU - Wu, Tingmin

AU - Baruwal Chhetri, Mohan

AU - Bai, Guangdong

PY - 2025/4

Y1 - 2025/4

N2 - Websites commonly display cookie banners to inform users about the use and purposes of cookies. However, they may still, whether intentionally or unintentionally (e.g., due to third-party libraries imported), mis-declare cookies that may be abused for tracking. In this work, we introduce Coover (cookie value examiner) to assess the non-compliance between the website-declared purpose and the semantic-intended purpose of cookies (denoted as potential cookie purpose violation). We advocate that the value of the cookie is a more reliable indicator of its semantic-intended purpose compared to other features such as expiration time. Coover decomposes the cookie value into primitive segments representing minimal semantic units, and fine-tunes a GPT-3.5 model to automatically interpret their value-inferred semantics. Based on the interpretation, it classifies cookies into four GDPR-defined purposes. Coover achieves an F1 score of 95%, significantly outperforming other methods. We employ Coover to analyze Alexa Top 1k websites to understand the status quo of potential cookie purpose violation on the web. Remarkably, out of 15,339 cookies across these websites, only 3.1% quality as truly necessary cookies, while 44.1% of websites suffer from issues of potential purpose violation. © 2025 the owner/author(s).

AB - Websites commonly display cookie banners to inform users about the use and purposes of cookies. However, they may still, whether intentionally or unintentionally (e.g., due to third-party libraries imported), mis-declare cookies that may be abused for tracking. In this work, we introduce Coover (cookie value examiner) to assess the non-compliance between the website-declared purpose and the semantic-intended purpose of cookies (denoted as potential cookie purpose violation). We advocate that the value of the cookie is a more reliable indicator of its semantic-intended purpose compared to other features such as expiration time. Coover decomposes the cookie value into primitive segments representing minimal semantic units, and fine-tunes a GPT-3.5 model to automatically interpret their value-inferred semantics. Based on the interpretation, it classifies cookies into four GDPR-defined purposes. Coover achieves an F1 score of 95%, significantly outperforming other methods. We employ Coover to analyze Alexa Top 1k websites to understand the status quo of potential cookie purpose violation on the web. Remarkably, out of 15,339 cookies across these websites, only 3.1% quality as truly necessary cookies, while 44.1% of websites suffer from issues of potential purpose violation. © 2025 the owner/author(s).

KW - cookie policy

KW - cookies

KW - privacy compliance

UR - http://www.scopus.com/inward/record.url?scp=105005143741&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-105005143741&origin=recordpage

U2 - 10.1145/3696410.3714746

DO - 10.1145/3696410.3714746

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9798400712746

T3 - WWW - Proceedings of the ACM Web Conference

SP - 1602

EP - 1613

BT - WWW '25 - Proceedings of the ACM Web Conference 2025

PB - Association for Computing Machinery

CY - New York, NY

T2 - 34th ACM Web Conference (WWW’25)

Y2 - 28 April 2025 through 2 May 2025

ER -

Semantics-Aware Cookie Purpose Compliance

Abstract

Publication series

Conference

Funding

Research Keywords

Publisher's Copyright Statement

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this