Most Website Consent Mechanisms ‘Illegal’ Under GDPR

The vast majority of the consent mechanisms put into place on websites as a result of new GDPR data protection regulations do not comply with the law, according to a study.

The research from MIT CSAIL, Denmark’s Aarhus University and University College London found that only 11.8 percent of the consent management platforms (CMPs) used by popular websites met minimal GDPR requirements.

The paper, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, looked at the five most popular outsourced CMPs on the top 10,000 websites in the UK.

“We found that dark patterns and implied consent are ubiquitous,” the paper’s authors wrote.

Implied consent

GDPR rules require users to explicitly consent to a website’s cookie policies, with all aspects of consent being equally as easy to reject as to accept.  Pre-checked options are not allowed.

The researchers found that implicit consent was present on one-third of the websites analysed, while rejecting all tracking was “substantially more difficult than accepting it”.

Browser makers including Mozilla, Microsoft and Apple are working on tools that automatically block cookies from tracking users’ activities across the web.

The new research found that in the median, websites shared data with 315 third-party vendors for tracking purposes.

More than half of the sites in the survey didn’t offer a “reject all” button, while only 12.6 had a “reject all” button that was as easy to click as the “accept all” button.

The researchers found that when users wanted to amend specific consent settings rather than accepting everything, they were “often faced with pre-ticked boxes of the type specifically forbidden by the GDPR”.

‘Clearly illegal’

The researchers also conducted a field experiment with 40 participants to look into how the eight most common CMP designs affect consent choices.

They found the notification style, which presents a banner or barrier, had no effect, while removing the opt-out button from the first page increased consent by 22 to 23 percent.

Providing more granular controls on the CMP’s first page decreased consent by 8 to 20 percent, they found.

The researchers said they intend their findings to be used as the basis for enforcement by EU data protection authorities, which they argue is the only way CMPs can be made to comply with the law.

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail,” the researchers wrote.

They added that today, CMP vendors turn a blind eye to, or even incentivise, “clearly illegal configurations of their systems”.

The research shows that focusing on the centralised, third-party CMP systems could be an “effective way to increase compliance”, they said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • There's a brilliant irony here in that your website's own consent mechanism appears to be deficient.
    There's no easy way to reject cookies and clicking on the 'know more' option take me to page that doesn't exist.
    Ouch!

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago