Most Website Consent Mechanisms ‘Illegal’ Under GDPR

The vast majority of the consent mechanisms put into place on websites as a result of new GDPR data protection regulations do not comply with the law, according to a study.

The research from MIT CSAIL, Denmark’s Aarhus University and University College London found that only 11.8 percent of the consent management platforms (CMPs) used by popular websites met minimal GDPR requirements.

The paper, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, looked at the five most popular outsourced CMPs on the top 10,000 websites in the UK.

“We found that dark patterns and implied consent are ubiquitous,” the paper’s authors wrote.

Implied consent

GDPR rules require users to explicitly consent to a website’s cookie policies, with all aspects of consent being equally as easy to reject as to accept.  Pre-checked options are not allowed.

The researchers found that implicit consent was present on one-third of the websites analysed, while rejecting all tracking was “substantially more difficult than accepting it”.

Browser makers including Mozilla, Microsoft and Apple are working on tools that automatically block cookies from tracking users’ activities across the web.

The new research found that in the median, websites shared data with 315 third-party vendors for tracking purposes.

More than half of the sites in the survey didn’t offer a “reject all” button, while only 12.6 had a “reject all” button that was as easy to click as the “accept all” button.

The researchers found that when users wanted to amend specific consent settings rather than accepting everything, they were “often faced with pre-ticked boxes of the type specifically forbidden by the GDPR”.

‘Clearly illegal’

The researchers also conducted a field experiment with 40 participants to look into how the eight most common CMP designs affect consent choices.

They found the notification style, which presents a banner or barrier, had no effect, while removing the opt-out button from the first page increased consent by 22 to 23 percent.

Providing more granular controls on the CMP’s first page decreased consent by 8 to 20 percent, they found.

The researchers said they intend their findings to be used as the basis for enforcement by EU data protection authorities, which they argue is the only way CMPs can be made to comply with the law.

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail,” the researchers wrote.

They added that today, CMP vendors turn a blind eye to, or even incentivise, “clearly illegal configurations of their systems”.

The research shows that focusing on the centralised, third-party CMP systems could be an “effective way to increase compliance”, they said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • There's a brilliant irony here in that your website's own consent mechanism appears to be deficient.
    There's no easy way to reject cookies and clicking on the 'know more' option take me to page that doesn't exist.
    Ouch!

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

6 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

8 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

10 hours ago