#privacy: Most EU cookie notices are not GDPR compliant

Researchers have found that 86% of cookie consent notices are offering no options other than a confirmation button.

Researchers from the University of Michigan and Ruhr-University Bochum in Germany, conducted a study looking into how European consumers interact with cookie consent mechanisms, and how various design choices could influence a consumers privacy choice. 

The study gathered roughly 5,000 cookie notices and found that 58% of cookie consent notices are placed at the bottom of the screen, and an overwhelming 86% offered no options other than a confirmation button that does not do anything – simply consumers on those websites were not given a choice. 

Over half of cookie consent notices (57%) were discovered utilising “dark pattern” techniques, to influence a user into consenting. Some of the techniques include highlighting the “agree” button and presenting a less visible button for “more options”. 

The majority of cookie notices (92%) included a link to the website’s privacy policies, however only 39% mentioned the exact purpose for the data collection, and only 21% stated who can access the data. 

Since the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2018, websites responded by putting up cookie consent banners and pop-ups, whereby users are informed as to what cookies are, what they are doing on the site and why, and given a option to consent to store a cookie on their device. 

However from the study conducted, researchers argue that, “it is obvious that the vast majority of cookie consent notices are not compliant with European privacy law.”

“Our results show that a reasonable amount of users are willing to engage with consent notices, especially those who want to opt out or do not want to opt in. Unfortunately, current implementations do not respect this and the large majority offers no meaningful choice.”

Amongst the findings, researchers also discovered a significant difference in interaction rates with consent notices, of between 5 and 55%. The difference can be explained by tweaking positions, presets on cookie notices and options. 

It was identified the more options provided in a cookie notice, the more likely users would decline the use of cookies. 

In their upcoming paper, “(Un)informed Consent: Studying GDPR Consent Notices in the Field”, the researchers further discussed this result, explaining that just 0.1% of site visitors would choose to enable all cookie categories – without being forced to do so by the lack of choice or due to dark patterns. 

“The results show that nudges and pre-selection had a high impact on user decisions, confirming previous work,” the researchers write.

“It also shows that the GDPR requirement of privacy by default should be enforced to make sure that consent notices collect explicit consent.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.