A new study by researchers from MIT, UCL and the University of Aarhus suggests that most cookie approval pop-ups offered to European internet users are likely to violate regional privacy laws such as GDPR.
The researchers published their findings in a paper entitled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstration their Influence” stating that sellers of consent management platforms (CMPs) practice illegal practices and say:
“The results of our empirical research on CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with suppliers of CMPs turning a blind eye to – or worse, stimulating – clearly illegal configurations of their systems. Enforcement in this area is very lacking. “
- EU rules active consent is required for tracking cookies
- GDPR sees cookies crumbling on EU news sites
- Most companies still do not comply with the AVG
Web users process & apos; Personal data must be informed under GDPR permission, provided specifically and freely. The Court of Justice of the European Union has also recently made it clear that consent must be actively signaled and not derived.
Permission Management Platforms
Many websites use CMPs to request permission to track cookies. However, many consent forms are configured to contain pre-checked boxes that allow users to share their data by default, and any consent collected in this way is not legal.
Before a digital service drops or has access to a cookie, permission to track must first be obtained and only essential service cookies may be used without first asking. According to EU law, it should be just as easy for website visitors to choose not to be followed as for their consent to have their personal data processed.
To collect data for their “Dark Patterns after GDPR” study, the researchers scraped the top 10,000 UK websites as ranked by Alexa in an effort to learn more about the most popular CMPs on the market.
Study lead author, Midas Nowens spoke with TechCrunch on the investigation and pointed out that enforcement authorities should focus on CMPs rather than on individual websites, saying:
“Enforcement is really the next big challenge if we don’t want the GDPR to go the same way as the ePrivacy directive. As enforcement agencies have limited resources, the focus on popular pop-up providers for consent can be a much more effective strategy than targeting individual websites. Unfortunately, while we wait for enforcement, the dark patterns in these pop-ups still manipulate people to be followed. “
GDPR is still less than two years old and preventing users of unwanted tracking online is likely to remain a difficult problem to tackle in the future.
- Also view our complete list of the best VPN services