Most Website Consent Mechanisms ‘Illegal’ Under GDPR

The vast majority of the consent mechanisms put into place on websites as a result of new GDPR data protection regulations do not comply with the law, according to a study.

The research from MIT CSAIL, Denmark’s Aarhus University and University College London found that only 11.8 percent of the consent management platforms (CMPs) used by popular websites met minimal GDPR requirements.

The paper, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, looked at the five most popular outsourced CMPs on the top 10,000 websites in the UK.

“We found that dark patterns and implied consent are ubiquitous,” the paper’s authors wrote.

Implied consent

GDPR rules require users to explicitly consent to a website’s cookie policies, with all aspects of consent being equally as easy to reject as to accept.  Pre-checked options are not allowed.

The researchers found that implicit consent was present on one-third of the websites analysed, while rejecting all tracking was “substantially more difficult than accepting it”.

Browser makers including Mozilla, Microsoft and Apple are working on tools that automatically block cookies from tracking users’ activities across the web.

The new research found that in the median, websites shared data with 315 third-party vendors for tracking purposes.

More than half of the sites in the survey didn’t offer a “reject all” button, while only 12.6 had a “reject all” button that was as easy to click as the “accept all” button.

The researchers found that when users wanted to amend specific consent settings rather than accepting everything, they were “often faced with pre-ticked boxes of the type specifically forbidden by the GDPR”.

‘Clearly illegal’

The researchers also conducted a field experiment with 40 participants to look into how the eight most common CMP designs affect consent choices.

They found the notification style, which presents a banner or barrier, had no effect, while removing the opt-out button from the first page increased consent by 22 to 23 percent.

Providing more granular controls on the CMP’s first page decreased consent by 8 to 20 percent, they found.

The researchers said they intend their findings to be used as the basis for enforcement by EU data protection authorities, which they argue is the only way CMPs can be made to comply with the law.

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail,” the researchers wrote.

They added that today, CMP vendors turn a blind eye to, or even incentivise, “clearly illegal configurations of their systems”.

The research shows that focusing on the centralised, third-party CMP systems could be an “effective way to increase compliance”, they said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • There's a brilliant irony here in that your website's own consent mechanism appears to be deficient.
    There's no easy way to reject cookies and clicking on the 'know more' option take me to page that doesn't exist.
    Ouch!

Recent Posts

Google Jarvis AI Extension Leaked On Chrome Store

Seemingly accidental leak reveals Google is developing Jarvis AI extension that can browse the web…

2 hours ago

Amazon Mulls New Multi-Billion Dollar Investment In Anthropic – Report

Amazon is reportedly in talks to pump billions of dollars more into AI start-up Anthropic,…

6 hours ago

FTX’s Caroline Ellison Begins Her Two Year Prison Sentence

Star witness for the US prosecution of FTX founder Sam Bankman-Fried, has begun her two…

6 hours ago

More Layoffs For iRobot Staff After Abandoned Amazon Deal

After axing 31 percent of its workforce when it failed to be acquired by Amazon,…

23 hours ago

Mozilla Foundation Confirms Layoffs, Eliminates Advocacy Division

Mozilla Foundation axes 30 percent of its staff, and is eliminating its Advocacy Division that…

1 day ago

Google To Make MFA Mandatory Next Year

Improving security. Mandatory multi-factor authentication (MFA) is coming to the Google Cloud by the end…

1 day ago