A new study by researchers at MIT, UCL and Aarhus University suggests that most cookie consent pop-ups served to European internet users are likely defying regional privacy laws such as GDPR.
The researchers published their findings in a paper titled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” which argues that vendors of consent management platforms (CMPs) are engaging in illegal practices, saying:
“The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems. Enforcement in this area is sorely lacking.”
- EU rules active consent is required for tracking cookies
- GDPR sees cookies crumble on EU news sites
- Majority of companies still aren't GDPR-compliant
To process web users' personal data, under GDPR consent must be informed, specific and freely given. The Court of Justice of the European Union also recently made it clear that consent must be actively signaled and not inferred.
Consent management platforms
Many websites use CMPs to solicit consent to tracking cookies. However, many consent forms are configured to contain pre-ticked boxes that opt users into sharing their data by default and any consent gathered this way isn't legal.
Before a digital service drops or accesses a cookie, consent to tracking must be obtained first and only service-essential cookies are allowed to be deployed without asking first. Under EU law, it should be just as easy for website visitors to choose not to be tracked as it is for them to agree to have their personal data processed.
To gather data for their “Dark Patterns after GDPR” study, the researchers scraped the top 10,000 UK websites as ranked by Alexa in an effort to learn more about the most popular CMPs on the market.
Lead author of the study, Midas Nowens spoke to TechCrunch about the study and made the point that enforcement agencies should focus on CMPs as opposed to individual websites, saying:
“Enforcement is really the next big challenge if we don’t want the GDPR to go down the same path as the ePrivacy directive. Since enforcement agencies have limited resources, focusing on the popular consent pop-up providers could be a much more effective strategy than targeting individual websites. Unfortunately, while we wait for enforcement, the dark patterns in these pop-ups are still manipulating people into being tracked.”
GDPR is still less than two years old and preventing users from unwanted tracking online will likely remain a hard issue to tackle going forward.
- Also check out our complete list of the best VPN services