Consent-O-Matic: An Open-Source Tool to Automate GDPR Cookie Consent

The proliferation of cookie consent banners across the web has created a paradox of choice. While regulations like GDPR and ePrivacy Directive were designed to give users control over their data, the practical implementation often results in the same repetitive clicks on every website visit—especially when browsers clear cookies between sessions. Each site presents its own variation of a consent management platform (CMP), requiring users to repeatedly make the same choices.

Consent-O-Matic, an open-source browser extension developed by the Centre for Advanced Visualization and Interaction (CAVI) at Aarhus University, addresses this friction point. The tool automatically recognizes and handles consent banners by applying a user's pre-configured preferences, then confirming with a checkmark icon in the browser toolbar.

How It Works

After installation, users set their consent preferences across six categories: Information Storage and Access, Preferences and Functionality, Performance and Analytics, Content Selection and Delivery, Ad Selection and Delivery, and Other Purposes. These preferences are stored locally in the browser.

When a website loads, Consent-O-Matic scans the page for known CMP implementations. The extension currently supports over 200 different consent platforms, including major providers like UserCentrics, CookieBot, and OneTrust. When a supported banner is detected, the extension automatically applies the user's preferences—accepting or rejecting specific categories as configured—and submits the consent form.

The extension's effectiveness stems from its rule-based approach. Each CMP has a corresponding rule set that defines how to detect the banner, what actions to take, and how to submit consent. These rules are maintained as JSON files that the extension fetches and updates.

The Technical Architecture

The extension operates through a sophisticated rule system that breaks down each consent mechanism into components:

Detectors identify whether a specific CMP is present on the page. They use matchers to check for DOM elements and determine if the consent form is actually visible to the user. A CMP is considered detected if any of its detectors trigger.

Methods define the actions to take once a CMP is detected. There are four supported methods that run in sequence: OPEN_OPTIONS (to expand detailed settings if needed), DO_CONSENT (to apply the user's choices), SAVE_CONSENT (to submit the form), and HIDE_CMP (to hide the banner if it remains visible).

DOM Selection is the core mechanism for interacting with web page elements. The system uses a parent-child selector model that allows for complex element targeting, including navigating shadow DOMs or iframe structures. Each selection can include filters for text content, CSS styles, display properties, and iframe context.

Actions are the executable commands that manipulate the page. Beyond simple clicks, the system supports:

• List actions for running multiple steps in sequence
• Consent actions that apply user preferences to specific categories
• Slide actions for interacting with range sliders in consent forms
• Conditional logic (ifCSS) to handle different UI states
• Wait actions for handling dynamically loaded content
• For-each loops for processing multiple similar elements

Matchers verify the state of DOM elements. The CSS matcher checks for element existence, while the checkbox matcher verifies whether input elements are checked. The consent matcher is specialized for consent categories, checking whether a toggle or button represents an accepted or rejected state.

Privacy and Security Considerations

The extension requires several browser permissions, but its design minimizes data collection:

1. Page Access: It needs to read all pages to detect consent banners, but this is processed locally.
2. Tab URL Access: Required for the per-site toggle feature, allowing users to disable the extension on specific sites.
3. Storage: User preferences are stored directly in the browser's local storage.

The extension only communicates externally in two scenarios:

• When fetching or updating rule lists from Aarhus University's servers
• When users report broken websites through the "Let us know!" button

Reported URLs are sent to a university-hosted endpoint as URI-encoded query strings (e.g., https://gdprconsent.projects.cavi.au.dk/report.php?url=www.linkedin.com). The full list of reported URLs is publicly available, showing how many times each site has been reported.

Open Source and Extensibility

As an open-source project, Consent-O-Matic invites community contributions. Users can:

1. Create custom rule lists for unsupported CMPs or specific websites
2. Submit pull requests to the main repository for new or updated rules
3. Report issues when rules don't work, helping maintain the rule database

The project's academic roots are evident in its research-backed approach. Researchers have published several papers analyzing GDPR cookie banners and demonstrating the tool's effectiveness:

• "Dark patterns after the GDPR: Scraping consent pop-ups and demonstrating their influence" (CHI 2020)
• "Consent-o-Matic: Automatically answering consent pop-ups using adversarial interoperability" (CHI 2022)
• "A Cross-Country Analysis of GDPR Cookie Banners and Flexible Methods For Scraping Them" (CHI 2025)

Installation and Use

The recommended installation method is through official browser extension stores:

For Firefox users, the extension is available through the Firefox Add-ons store. For Chromium-based browsers (Chrome, Edge, Brave, etc.), it's available on the Chrome Web Store.

Safari users can install through the Mac App Store for iOS and macOS.

Microsoft Edge users have access through the Microsoft Store.

Advanced users can also install from source by cloning the GitHub repository, installing dependencies with npm install, and building for their target browser using the provided npm scripts.

Limitations and Trade-offs

While Consent-O-Matic significantly reduces the friction of consent management, it has inherent limitations:

1. Coverage Gaps: Not all CMPs are supported. The extension relies on community contributions to maintain its rule database, which means newer or less common platforms may not work.

2. Dynamic Changes: Websites frequently update their consent mechanisms, which can break existing rules. The extension's effectiveness depends on timely rule updates.

3. Legal Considerations: The tool doesn't provide legal advice about what constitutes valid consent under GDPR. Users must still make informed decisions about their privacy preferences.

4. False Positives/Negatives: The detection system may occasionally misidentify consent banners or fail to recognize them, requiring manual intervention.

Broader Context

Consent-O-Matic represents a practical response to what researchers call "consent fatigue"—the phenomenon where users become so overwhelmed by repetitive consent requests that they either accept everything or develop automated solutions. The tool sits at the intersection of privacy advocacy, user experience research, and open-source software development.

By automating the mechanical aspects of consent management while preserving user choice, it demonstrates how technical solutions can address regulatory compliance without sacrificing usability. The project's academic backing and transparent, open-source approach provide a counterpoint to commercial privacy tools that may have different incentives.

For developers and privacy-conscious users alike, Consent-O-Matic offers both a practical tool and a case study in how to build privacy-enhancing technologies that work within existing web infrastructure rather than against it.

Project Repository: github.com/cavi-au/Consent-O-Matic

Official Documentation: Consent-O-Matic Documentation

Academic Papers: CHI 2020 Paper | CHI 2022 Extended Abstract | CHI 2025 Paper