Research has found that only 11.8% of consent management platforms (CMPs) meet the minimal requirements of the GDPR and Europe's ePrivacy Directive regarding cookies and consent.
A study by researchers at MIT CSAIL, Denmark's Aarhus University and University College London analysed how the prevalent CMP designs influence people's consent choices.
Under EU law, consent must be explicit, all aspects of consent must be as easy to give as to withdraw/refuse, and there should be no pre-ticked boxes.
The researchers scraped the designs of the five most popular CMPs as deployed on the top 10,000 most popular UK websites, and checked whether those designs complied with European law.
The study revealed that a third of the 10,000 websites scraped (32.5%) relied on implicit consent.
An array of actions that websites count as consent, but EU law does not, was extracted from their code, such as visiting the site (16.8%), revisiting/refreshing the page (7.6%), navigating within the site (6.2%), scrolling or clicking on the page (5.3%) or closing the banner (1.6%).
The researchers found that the vast majority of CMPs have made it extremely difficult to reject all tracking: just over half of sites (50.1%) had no "reject all" button at all, and only 12.6% of sites had a "reject all" button reachable with the same number of clicks as, or fewer than, the "accept all" button.
An overwhelming 74.3% of "reject all" buttons were one layer deep, so two clicks were needed to press them, while 0.9% were two layers deep.
“Furthermore, when users went to amend specific consent settings rather than accept everything, they are often faced with pre-ticked boxes of the type specifically forbidden by the GDPR,” the researchers wrote.
Additionally, the sites relied on a large number of third-party trackers, which would take users a long time to understand fully.
"The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems," the researchers concluded.
“Enforcement in this area is sorely lacking. Data protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement.
“Designers might help here to design tools for regulators, rather than just for users or for websites. Regulators should also work further upstream and consider placing requirements on the vendors of CMPs to only allow compliant designs to be placed on the markets.”
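As an added illustration (not the researchers' own tool), the following Python encodes the three checks the article describes the study applying to each banner (implicit consent, pre-ticked boxes, and whether rejecting is as easy as accepting) and aggregates them into the same kind of percentages. The `Banner` records, the event names and the site names are constructed assumptions.

```python
"""Added example, not the study's tool: check scraped banner descriptions against the article's three rules."""
from dataclasses import dataclass, field
from typing import Optional

# Events the article says CMPs count as consent although EU law does not.
IMPLICIT_EVENTS = {"visit", "revisit", "navigate", "scroll", "click", "close_banner"}

@dataclass
class Banner:
    site: str
    consent_events: set              # events the CMP records as consent
    accept_depth: Optional[int]      # layer of the "accept all" button, 0 = first screen
    reject_depth: Optional[int]      # same for "reject all"; None = no such button
    preticked: list = field(default_factory=list)   # purposes ticked by default

def check_banner(b: Banner) -> list:
    """Return compliance findings for one banner; an empty list means none found."""
    findings = []
    implicit = b.consent_events & IMPLICIT_EVENTS
    if implicit:
        findings.append("implicit consent via " + ", ".join(sorted(implicit)))
    if b.preticked:
        findings.append("pre-ticked purposes: " + ", ".join(b.preticked))
    if b.reject_depth is None:
        findings.append("no 'reject all' button")
    elif b.accept_depth is not None and b.reject_depth > b.accept_depth:
        # Each layer adds one click, so a button one layer deep needs two clicks.
        findings.append(f"rejecting takes {b.reject_depth + 1} clicks, accepting {b.accept_depth + 1}")
    return findings

def summarise(banners) -> dict:
    """Percentages of sites with implicit consent, no reject-all, and reject as easy as accept."""
    n = len(banners)
    pct = lambda k: round(100.0 * k / n, 1)
    implicit = sum(1 for b in banners if b.consent_events & IMPLICIT_EVENTS)
    no_reject = sum(1 for b in banners if b.reject_depth is None)
    easy_reject = sum(1 for b in banners if b.reject_depth is not None
                      and b.accept_depth is not None and b.reject_depth <= b.accept_depth)
    compliant = sum(1 for b in banners if not check_banner(b))
    return {"implicit_consent": pct(implicit), "no_reject_all": pct(no_reject),
            "reject_as_easy_as_accept": pct(easy_reject), "compliant": pct(compliant)}

# Constructed sample of four scraped banners on hypothetical sites.
SAMPLE = [
    Banner("a.example", {"accept_button"}, 0, 0),                           # compliant
    Banner("b.example", {"accept_button", "scroll"}, 0, 1),                 # implicit, 2 clicks to reject
    Banner("c.example", {"accept_button"}, 0, None, ["analytics", "ads"]),  # pre-ticked, no reject
    Banner("d.example", {"accept_button", "close_banner"}, 0, 0),           # implicit only
]
```

Running `summarise(SAMPLE)` on the constructed sample reports half the sites using implicit consent and a quarter with no "reject all" button, the same shape of figures the study published for the real top-10,000 list.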