Most Website Consent Mechanisms ‘Illegal’ Under GDPR

The vast majority of the consent mechanisms put into place on websites as a result of new GDPR data protection regulations do not comply with the law, according to a study.

The research from MIT CSAIL, Denmark’s Aarhus University and University College London found that only 11.8 percent of the consent management platforms (CMPs) used by popular websites met minimal GDPR requirements.

The paper, “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, looked at the five most popular outsourced CMPs on the top 10,000 websites in the UK.

“We found that dark patterns and implied consent are ubiquitous,” the paper’s authors wrote.

Implied consent

GDPR rules require users to explicitly consent to a website’s cookie policies, with all aspects of consent being equally as easy to reject as to accept.  Pre-checked options are not allowed.

The researchers found that implicit consent was present on one-third of the websites analysed, while rejecting all tracking was “substantially more difficult than accepting it”.

Browser makers including Mozilla, Microsoft and Apple are working on tools that automatically block cookies from tracking users’ activities across the web.

The new research found that in the median, websites shared data with 315 third-party vendors for tracking purposes.

More than half of the sites in the survey didn’t offer a “reject all” button, while only 12.6 had a “reject all” button that was as easy to click as the “accept all” button.

The researchers found that when users wanted to amend specific consent settings rather than accepting everything, they were “often faced with pre-ticked boxes of the type specifically forbidden by the GDPR”.

‘Clearly illegal’

The researchers also conducted a field experiment with 40 participants to look into how the eight most common CMP designs affect consent choices.

They found the notification style, which presents a banner or barrier, had no effect, while removing the opt-out button from the first page increased consent by 22 to 23 percent.

Providing more granular controls on the CMP’s first page decreased consent by 8 to 20 percent, they found.

The researchers said they intend their findings to be used as the basis for enforcement by EU data protection authorities, which they argue is the only way CMPs can be made to comply with the law.

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail,” the researchers wrote.

They added that today, CMP vendors turn a blind eye to, or even incentivise, “clearly illegal configurations of their systems”.

The research shows that focusing on the centralised, third-party CMP systems could be an “effective way to increase compliance”, they said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • There's a brilliant irony here in that your website's own consent mechanism appears to be deficient.
    There's no easy way to reject cookies and clicking on the 'know more' option take me to page that doesn't exist.

Recent Posts

Cryptocurrency Warning From Bank Of England Governor

Blunt message from Bank of England governor Andrew Bailey, warning people only to buy cryptocurrency…

20 hours ago

Jeff Bezos Offloads $2 Billion In Amazon Shares

Needs some spending money...Amazon CEO Jeff Bezos has this week sold nearly $2 billion worth…

21 hours ago

Twitter Suspends Account Sharing Trump Posts

Shutdown again. An account has been suspended by Twitter for sharing the posts from Donald…

22 hours ago

IBM Claims Breakthrough With 2 Nanometer Chip

Research boffins at IBM are touting a major leap forward in performance and energy efficiency…

2 days ago

Twitter Now Prompts Users To Revise ‘Harmful Replies’

Trolls beware. Twitter releases feature that will deliver a 'reconsider prompt' for users, if they…

2 days ago

Old Routers Pose Security Risk, Warns Which?

Elderly routers that can no longer receive firmware updates posed security risk to millions of…

2 days ago