Most consent requests for digital cookies to track users’ web activity do not comply with Europe’s data collection regulations, according to new research, detailed in a report from TechCrunch.
The findings echo another study published in August, which also suggested that consent notices routinely fail to offer the meaningful choice required by EU law—which states that consent for data collection must be informed, specific, and freely given.
Another recent decision by the European Court of Justice clarified that consent must be active and not merely implied, for example, by closing a pop-up window without responding. Offering pre-ticked boxes that require a user to opt-out is not legal, according to the court.
To comply with European law, it must be as easy to reject cookie tracking as to accept it.
The new paper, called “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence,” found that only about one in ten of the most prevalent Consent Management Platforms (CMPs) satisfied these requirements. The authors defined compliance as having “no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit.”
A third of the CMPs relied on implied consent—often, simply ignoring a pop-up and continuing to use the website was interpreted as consent.
The researchers wrote:
“Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive. This raises significant questions over adherence with the concept of data protection by design in the GDPR.”
They said the overwhelming majority made it more difficult to reject tracking than to accept it. Many CMP tools offer an “accept all” option that’s much more visible and easily accessible than the corresponding “reject all” button.
“74.3% of reject all buttons were one layer deep, requiring two clicks to press; 0.9% of them were two layers away, requiring at minimum three,” they wrote.
Furthermore, the sheer number of third-party trackers used by sites means it can take a “prohibitively long time” for users to become properly informed to give legal consent. One site used cookies from over 500 different third-party vendors.
In additional research, they studied the reactions of 40 participants to some of the most common CMP designs, finding that design choices like burying ‘reject all’ buttons had a significant effect on the likelihood that a user would give consent. Manipulative designs, they suggest, may violate the legal requirement that consent is freely given.
Finally, responses in surveys suggest that pressure to consent is built into the model of pop-up consent requests, “not because of specific design decisions but merely because an action is required before the user can accomplish their main task and because they appear too frequently if they are shown on a website-by-website basis.”
The study was conducted by researchers from University College London, MIT, and Aarhus University.