Most Website Consent Mechanisms ‘Illegal’ Under GDPR
Study finds websites’ consent platforms largely fail to comply with data protection rules, and may even incentivise ‘illegal configurations’
The vast majority of the consent mechanisms put into place on websites as a result of new GDPR data protection regulations do not comply with the law, according to a study.
The research from MIT CSAIL, Denmark’s Aarhus University and University College London found that only 11.8 percent of the consent management platforms (CMPs) used by popular websites met minimal GDPR requirements.
The paper, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, looked at the five most popular outsourced CMPs on the top 10,000 websites in the UK.
“We found that dark patterns and implied consent are ubiquitous,” the paper’s authors wrote.
Implied consent
GDPR rules require users to explicitly consent to a website’s cookie policies, with all aspects of consent being equally as easy to reject as to accept. Pre-checked options are not allowed.
The researchers found that implicit consent was present on one-third of the websites analysed, while rejecting all tracking was “substantially more difficult than accepting it”.
Browser makers including Mozilla, Microsoft and Apple are working on tools that automatically block cookies from tracking users’ activities across the web.
The new research found that in the median, websites shared data with 315 third-party vendors for tracking purposes.
More than half of the sites in the survey didn’t offer a “reject all” button, while only 12.6 had a “reject all” button that was as easy to click as the “accept all” button.
The researchers found that when users wanted to amend specific consent settings rather than accepting everything, they were “often faced with pre-ticked boxes of the type specifically forbidden by the GDPR”.
‘Clearly illegal’
The researchers also conducted a field experiment with 40 participants to look into how the eight most common CMP designs affect consent choices.
They found the notification style, which presents a banner or barrier, had no effect, while removing the opt-out button from the first page increased consent by 22 to 23 percent.
Providing more granular controls on the CMP’s first page decreased consent by 8 to 20 percent, they found.
The researchers said they intend their findings to be used as the basis for enforcement by EU data protection authorities, which they argue is the only way CMPs can be made to comply with the law.
“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail,” the researchers wrote.
They added that today, CMP vendors turn a blind eye to, or even incentivise, “clearly illegal configurations of their systems”.
The research shows that focusing on the centralised, third-party CMP systems could be an “effective way to increase compliance”, they said.