Vast majority of websites don’t follow GDPR cookies law, study finds
More than 80% of websites are not adhering to the EU’s General Data Protection Regulation (GDPR) when they push tracking cookies onto your computer, a recent study shows.
The study, titled ‘Dark Patterns after the GDPR’, saw researchers from MIT, UCL and Aarhus University trawl through 10,000 websites. The research found that just 11.8% of these websites met “the minimal requirements that we set based on European law”.
The problem lies with consent management platforms (CMPs), many of which were originally introduced to help companies comply with GDPR laws.
GDPR was formally introduced across the EU in May 2018. The law requires all visitors to a website to consent before their personal data can be collected and processed by the company behind it. However, the study found that the vast majority of sites have found sneaky ways to convince their users to click that ‘accept’ button.
The researchers scraped the designs of the five most popular CMPs across the top 10,000 websites in the UK. Of these 10,000 sites, only 11.8% were found to meet the minimal requirements based on GDPR law.
Many CMPs influenced site visitors by making rejecting tracking cookies a more difficult process than simply accepting them.
Just 12.6% of sites had a ‘reject all’ button accessible within the same or fewer clicks as an ‘accept all’ button, while over half of the sites analysed simply did not have a ‘reject all’ button at all.
While an ‘accept all’ button was consistently easy to spot in the first layer, three quarters of all ‘reject all’ buttons were hidden within an additional layer and 0.9% were buried beneath two layers. This made rejecting tracking cookies a longer process than accepting them, making visitors more likely to give in and allow their personal data to be collected.
Confirming this, removing the opt-out button from the first page increased tracking consent by up to 23%, while providing more detailed controls on the first page decreased consent by up to 20%.
“A core takeaway from the user study is that placing controls or information below the first layer renders it effectively ignored. This leaves a few options for genuine control of tracking online”, concluded the researchers.
“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems. Enforcement in this area is sorely lacking. Data protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement”.