Abstract

As online services diversify, protecting user privacy becomes more complicated since user tracking as well as presented privacy options vary across platforms. We conduct a cross-platform evaluation on three different platforms: PC browser, mobile browser, and mobile apps, which is the first study of its kind. We study the tracking behaviours, privacy notice presentation, user control options, and further privacy enhancing technologies. Our study considers the top 116 EU websites and their corresponding Android apps (available for 101 out of 116 services). The results show that the privacy consent banner is presented to the user in various and inconsistent ways across websites, browsers, and mobile apps, where the majority of these consent notices do not comply with the GDPR. In addition, most of these services start tracking the user right after the website is loaded and the app starts running, without waiting for the user to interact with the privacy consent. This behaviour can be considered not respectful to the user and is, indeed, not compliant with current regulations.