Date: 2020-01-10

Most cookie consent pop-ups served to Internet users in the European Union -- ostensibly seeking permission to track people's web activity -- are likely to be flouting regional privacy laws, a new study by researchers at MIT, UCL and Aarhus University suggests.

"The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems," the researchers argue, adding that: "Enforcement in this area is sorely lacking."

Their findings, published in a paper entitled Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence, chime with another piece of research we covered back in August -- which also concluded a majority of the current implementations of cookie notices offer no meaningful choice to Europe's Internet users -- even though EU law requires one.

When consent is being relied upon as the legal basis for processing web users' personal data, the bar for valid (i.e. legal) consent that's set by the EU's General Data Protection Regulation (GDPR) is clear: It must be informed, specific and freely given.

Recent jurisprudence by the Court of Justice of the European Union also further crystalized the law around cookies, making it clear that consent must be actively signalled -- meaning a digital service cannot infer consent to tracking by indirect actions (such as the pop-up being closed by the user without a response or ignored in favor of interacting with the service).

Many websites use a so-called CMP to solicit consent to tracking cookies. But if it's configured to contain pre-ticked boxes that opt users into sharing data by default -- requiring an affirmative user action to opt out -- any gathered 'consent' also isn't legal.

Consent to tracking must also be obtained prior to a digital service dropping or accessing a cookie; only service-essential cookies can be deployed without asking first.

All of which means -- per EU law -- it should be equally easy for website visitors to choose not to be tracked as to agree to their personal data being processed.

However, the Dark Patterns after the GDPR study found that's very far from the case right now.

"We found that dark patterns and implied consent are ubiquitous," the researchers write in summary, saying that only slightly more than one in ten (11.8%) of the CMPs they looked at "meet the minimal requirements that we set based on European law" -- which they define as being "if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit".

For the study, the researchers scraped the top 10,000 UK websites, as ranked by Alexa, to gather data on the most prevalent CMPs in the market -- which are made by five companies: QuantCast, OneTrust, TrustArc, Cookiebot, and Crownpeak -- and analyzed how the design and configurations of these tools affected Internet users' choices. (They obtained a data set of 680 CMP instances via their method -- a sample they calculate is representative of at least 57% of the total population of the top 10k sites that run a CMP, given prior research found only around a fifth do so.)

Implicit consent -- aka (illegally) inferring consent via non-affirmative user actions (such as the user visiting or scrolling on the website or a failure to respond to a consent pop-up or closing it without a response) -- was found to be common (32.5%) among the studied sites.

"Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive," they note, arguing that: "This raises significant questions over adherence with the concept of data protection by design in the GDPR."

They also found that the vast majority of CMPs make rejecting all tracking "substantially more difficult than accepting it" -- with a majority (50.1%) of studied sites not having a ‘reject all’ button, while only a tiny minority (12.6%) of sites had a ‘reject all’ button accessible with the same number of clicks as, or fewer clicks than, an ‘accept all’ button.
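The three minimal requirements the researchers define (no optional boxes pre-ticked, rejection as easy as acceptance, explicit consent) can be checked mechanically against a pop-up's first layer. The following is an added example, not code from the study or from any CMP vendor: the `data-action` button markup, the event names and the sample pop-up are constructed assumptions, and "as easy" is simplified to a 'reject all' button sitting beside 'accept all'.

```python
from html.parser import HTMLParser

# Actions the article says cannot signal consent (event names are assumed).
IMPLIED = {"scroll", "navigate", "close_popup", "no_response"}

class PopupScan(HTMLParser):
    """Collects pre-ticked optional checkboxes and first-layer button actions."""
    def __init__(self):
        super().__init__()
        self.preticked, self.buttons = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "checkbox":
            # Assumption: a checked AND disabled box is a service-essential category.
            if "checked" in a and "disabled" not in a:
                self.preticked.append(a.get("name", "?"))
        elif tag == "button" and "data-action" in a:
            self.buttons.add(a["data-action"])

def audit(first_layer_html, consent_events):
    """Return the failed minimal requirements; an empty list means all three pass."""
    scan = PopupScan()
    scan.feed(first_layer_html)
    failures = []
    if scan.preticked:
        failures.append("pre-ticked optional boxes: " + ", ".join(scan.preticked))
    # Simplification: 'accept all' without a sibling 'reject all' costs extra clicks.
    if "accept-all" in scan.buttons and "reject-all" not in scan.buttons:
        failures.append("rejection harder than acceptance")
    implied = sorted(IMPLIED & set(consent_events))
    if implied:
        failures.append("implied consent via: " + ", ".join(implied))
    return failures

# Constructed sample pop-ups (not taken from any real site).
BAD = """<div id="cmp">
<input type="checkbox" name="necessary" checked disabled>
<input type="checkbox" name="advertising" checked>
<input type="checkbox" name="analytics">
<button data-action="accept-all">Accept all</button>
<button data-action="settings">More options</button></div>"""
GOOD = BAD.replace('name="advertising" checked', 'name="advertising"').replace(
    '<button data-action="settings">',
    '<button data-action="reject-all">Reject all</button><button data-action="settings">')

if __name__ == "__main__":
    print(audit(BAD, ["click_accept", "scroll"]), audit(GOOD, ["click_accept"]))
```
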

