A new study by researchers at MIT, UCL and Aarhus University suggests that most cookie consent pop-ups served to European internet users are likely defying regional privacy laws such as GDPR.
The researchers published their findings in a paper titled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” which argues that vendors of consent management platforms (CMPs) are engaging in illegal practices, saying:
“The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems. Enforcement in this area is sorely lacking.”
EU rules active consent is required for tracking cookiesGDPR sees cookies crumble on EU news sitesMajority of companies still aren’t GDPR-compliant
To process web users’ personal data, under GDPR consent must be informed, specific and freely given. The Court of Justice of the European Union also recently made it clear that consent must be actively signaled and not inferred.
Consent management platforms
Many websites use CMPs to solicit consent to tracking cookies. However, many consent forms are configured to contain pre-ticked boxes that opt users into sharing their data by default and any consent gathered this way isn’t legal.
Before a digital service drops or accesses a cookie, consent to tracking must be obtained first and only service-essential cookies are allowed to be deployed without asking first. Under EU law, it should be just as easy for website visitors to choose not to be tracked as it is for them to agree to have their personal data processed.
To gather data for their “Dark Patterns after GDPR” study, the researchers scraped the top 10,000 UK websites as ranked by Alexa in an effort to learn …read more