Broken cookies shows how GDPR is subverted by cookie consent tools
GDPR Subverted by Cookie Consent Tools, Study Reveals

European Union (EU) rules for data privacy are being undermined by a large majority of websites, a new study by researchers from MIT, UCL, and Aarhus University suggests. According to “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence,” published on January 8, 2020, fewer than 12% of the top 10,000 websites that were studied met the minimum requirements set out in EU law for the use of cookie consent tools.

According to the researchers, the study illustrates “the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems.”

In essence, these illegal practices and configurations result from websites not following the legally prescribed course of action when using cookie consent tools to obtain consent from their visitors. Such consent is required by law for all websites in the EU. This comes as a result of guidelines set out in the General Data Protection Regulation (GDPR) that are designed to govern how companies collect and process the personal data of website users.

The cookie consent tools unconcerned with consent

Despite the rule of law, however, many websites are able to effectively navigate around the GDPR, or at least to evade its penalties, by tailoring the design of their consent management platforms (CMPs) to provide a misleading veneer of a consent agreement. For example, although the GDPR only recognizes informed and active consent, many websites flag users who close or ignore cookie consent tools as having, in fact, given consent.

These CMPs (tools that ask website visitors for consent before they use the website), which proliferated widely across the internet after the adoption of the GDPR in May 2018, come in a variety of shapes, sizes, and forms to display cookie consent notices and manage user consent. Some cookie consent tools, for example, give the user no choice between approving and declining the use of cookies, while others make use of pre-ticked boxes in order to duplicitously garner user consent.

It is in precisely this ambiguous way that many websites are able to gather user consent without the user ever actually having provided consent in the first place.

The recent study echoes the findings of a previous study, published in August 2019 by a joint German-American team of researchers. According to their research, a significant majority of cookie consent tools on EU websites either present no option for consent to users, or they manipulate users outright into unwittingly providing consent.

The findings of January’s study suggest a similar outcome, showing that only a minority (11.8%) of websites comply fully with the GDPR’s standards. The study goes one step further by investigating how the designs of different CMPs and cookie consent tools affect whether or not visitors choose to consent in the first place.

For example, the study finds that the familiar banner-style cookie consent tools have no effect on users providing consent. As soon as an opt-out button is added to the interface, consent increases by nearly 25 percent. On the other hand, consent forms which provide a myriad of buttons and choices for users to provide consent (‘granular controls’) seem to marginally decrease the number of users providing consent to the website.

A new job for the GDPR

All things considered, the GDPR is still a relatively new piece of legislation in the world of privacy protection, and data protection regulators are finding themselves rushing to catch up with the adaptations taking place in the online privacy ecosystem.

This is a sentiment that is echoed by the researchers of the study. “Enforcement in this area is sorely lacking,” they point out. “Data protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement.”

For the time being, however, there seems to be some degree of industry self-regulation taking place in the online world. For example, ever since concerns around consent rose to the fore, the Internet has been witnessing a rise in automated applications designed to set the user’s desired consent and privacy preferences onto all websites they visit.

Among the developers of one such application are the researchers themselves who were behind January’s study. In December 2019, the team came out with an open-source browser extension called Consent-o-Matic, designed to be a springboard for future developers.

However, until the GDPR and other data protection laws come to be fully and effectively enforced, it would seem likely that CMPs and cookie consent tools will continue to fall short of adequately protecting users from being misled into sharing their personal data.