Vast majority of websites don’t follow GDPR cookies law, study finds

More than 80% of websites are not adhering to the EU’s General Data Protection Regulation (GDPR) when they push tracking cookies onto your computer, a recent study shows.

The study, titled ‘Dark Patterns after the GDPR’, saw researchers from MIT, UCL and Aarhus University trawl through 10,000 websites. The research found that just 11.8% of these websites met “the minimal requirements that we set based on European law”.


The problem lies with consent management platforms (CMPs), many of which were originally introduced to help companies comply with GDPR laws.

GDPR was formally introduced through the EU in May 2018. The law requires all visitors to a website to consent before their personal data can be collected and processed by that company. However, the study found that the vast majority of sites have found sneaky ways to convince their users to click that ‘accept’ button.

The researchers scraped the designs of the five most popular CMPs across the top 10,000 websites in the UK. Of these 10,000 sites, only 11.8% were found to meet the minimal requirements based on GDPR law.

Many CMPs influenced site visitors by making rejecting tracking cookies a more difficult process than simply accepting them.

Just 12.6% of sites had a ‘reject all’ button accessible within the same or fewer clicks as an ‘accept all’ button, while over half of the sites analysed simply did not have a ‘reject all’ button at all.

While an ‘accept all’ button was consistently easy to spot in the first layer, three quarters of all ‘reject all’ buttons were hidden within an additional layer and 0.9% were buried beneath two layers. This made rejecting tracking cookies a longer process than accepting them, making visitors more likely to give in and let sites collect their personal data.

Confirming this, removing the opt-out button from the first page increased tracking consent by up to 23%, while providing more detailed controls on the first page decreased consent by up to 20%.

“A core takeaway from the user study is that placing controls or information below the first layer renders it effectively ignored. This leaves a few options for genuine control of tracking online”, concluded the researchers.

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems. Enforcement in this area is sorely lacking. Data protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement”.
