Most websites don't follow European cookie consent laws, study shows

Just over one in ten sites conforms to EU law, according to the researchers.

Websites that operate in Europe are supposed to follow GDPR rules that let consumers opt out of cookie-based tracking. However, most are making it "substantially more difficult" to reject all tracking than to accept it, according to a new study called Dark Patterns after the GDPR, by researchers from MIT, UCL and Aarhus University. In fact, only 11.8 percent of the consent pop-ups they checked across the top 10,000 UK websites "meet the minimal requirements that we set based on European law," the team wrote.

Websites are using a variety of means to bend EU rules and make it harder for consumers to opt out of tracking. They have been abetted by so-called consent management platforms (CMPs) such as QuantCast, Cookiebot and TrustArc. Those companies build the cookie consent pop-up windows that are supposed to appear when a site is accessed from the EU.

The most common way websites are reportedly bypassing EU law is implied consent, used by around 32.5 percent of the studied sites. Under that approach the site presumes the user consents to cookies simply by visiting or scrolling the page, or by failing to respond to the consent pop-up. "Popular CMP implementation wizards still allow their clients to choose implied consent ... within the geographical scope of the EU," according to the paper. "This raises significant questions over adherence with the concept of data protection by design in the GDPR."

From the study's abstract: "We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK. We found that dark patterns and implied consent are ubiquitous; only 11.8 percent meet the minimal requirements that we set based on European law."

The majority of sites also make it more difficult to reject tracking than to accept it. That is done either by not offering a "reject all" button at all, or by making the user click through several layers to find it. Meanwhile, "an 'accept all' button was never buried in a second layer," the researchers said. (This "dark pattern" design is where the study got its name.)
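The two patterns described above, implied consent and a buried "reject all" button, are easy to see side by side in code. The following is an added example written for this article, not code from the study or from any CMP: a DOM-free model of a consent banner that can run in "implied" mode (scrolling or dismissing the pop-up counts as acceptance) or "explicit" mode (non-essential trackers stay blocked until the user actually clicks accept), plus a small audit that flags the two problems the researchers describe. The class, method and vendor names are hypothetical, and the layer numbers are constructed inputs.

```javascript
// Added example: a DOM-free model of a cookie-consent banner.
// "implied" reproduces the pattern the study describes (scrolling, navigating
// away or ignoring the pop-up counts as consent); "explicit" only enables
// non-essential trackers after the user clicks "accept all".
// rejectAllLayer / acceptAllLayer model how many layers (clicks) deep each
// button sits; 0 means the button does not exist. All names are hypothetical.

class ConsentBanner {
  constructor({ mode = 'explicit', rejectAllLayer = 1, acceptAllLayer = 1 } = {}) {
    if (mode !== 'implied' && mode !== 'explicit') {
      throw new Error(`unknown consent mode: ${mode}`);
    }
    this.mode = mode;
    this.rejectAllLayer = rejectAllLayer;
    this.acceptAllLayer = acceptAllLayer;
    this.decision = null;          // null (no decision yet) | 'accept' | 'reject'
    this.firedTrackers = [];       // vendors that were actually allowed to load
  }

  // Non-essential trackers may only run after a positive decision.
  // "No decision yet" must behave exactly like "reject".
  trackingAllowed() {
    return this.decision === 'accept';
  }

  // Called by vendor tags; a compliant banner makes this a no-op until
  // there is explicit consent. Returns whether the tracker was loaded.
  loadTracker(vendor) {
    const allowed = this.trackingAllowed();
    if (allowed) this.firedTrackers.push(vendor);
    return allowed;
  }

  // Implied-consent behaviour: passive actions are silently upgraded to "accept".
  _implyAccept() {
    if (this.mode === 'implied' && this.decision === null) this.decision = 'accept';
  }
  scroll()  { this._implyAccept(); }
  dismiss() { this._implyAccept(); }

  // Explicit choices.
  clickAcceptAll() { this.decision = 'accept'; }
  clickRejectAll() {
    if (this.rejectAllLayer === 0) throw new Error('banner has no reject-all button');
    this.decision = 'reject';
  }

  // Clicks needed to reach each button: one per layer the user has to open.
  clicksToAccept() { return this.acceptAllLayer; }
  clicksToReject() { return this.rejectAllLayer === 0 ? Infinity : this.rejectAllLayer; }
}

// Audit a banner against the two requirements the article describes:
// consent must be explicit, and rejecting must be no harder than accepting.
function auditBanner(banner) {
  const problems = [];
  if (banner.mode === 'implied') {
    problems.push('implied consent: scrolling or dismissing counts as accept');
  }
  if (banner.clicksToReject() > banner.clicksToAccept()) {
    problems.push('reject-all is harder to reach than accept-all');
  }
  return problems;
}

// Scenario: the user scrolls, never clicks anything, and a vendor tag tries
// to load. Returns how many trackers fired.
function trackersFiredAfterScrollOnly(config) {
  const banner = new ConsentBanner(config);
  banner.scroll();
  banner.loadTracker('analytics-vendor');   // hypothetical vendor name
  banner.loadTracker('ads-vendor');
  return banner.firedTrackers.length;
}

// Constructed configurations: a dark-pattern banner and a compliant one.
const darkPatternBanner = { mode: 'implied', rejectAllLayer: 2, acceptAllLayer: 1 };
const compliantBanner   = { mode: 'explicit', rejectAllLayer: 1, acceptAllLayer: 1 };

console.log('dark pattern, scroll only:', trackersFiredAfterScrollOnly(darkPatternBanner), 'trackers fired');
console.log('compliant, scroll only:   ', trackersFiredAfterScrollOnly(compliantBanner), 'trackers fired');
console.log('audit (dark pattern):', auditBanner(new ConsentBanner(darkPatternBanner)));
console.log('audit (compliant):   ', auditBanner(new ConsentBanner(compliantBanner)));
```

The important design point is in `trackingAllowed()`: the absence of a decision is treated the same as a rejection, so a tracker that fires before the user has clicked anything is a bug rather than a default. In the implied-mode branch the same scroll handler silently flips that state to "accept", which is exactly the behaviour the paper criticises.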

Another issue is the large number of third-party vendors that sites share data with, which makes it difficult for users to become informed enough to give meaningful consent. That number varied between 58 and 542 vendors per site, according to the team.

As you'd expect, the researchers found that these designs make it much more likely that users will opt in to tracking rather than out. For instance, removing the opt-out button from the first page increased cookie consent by up to 23 percent, while making it available decreased consent by eight to 20 percent. This, they say, violates the GDPR requirement that consent must be "freely given," because a dark pattern-style form can swing user consent by over 40 percent.

Enforcement actions by EU regulators are rare, so the researchers believe it might be best to focus on CMPs like QuantCast. "Why do they let their clients count scrolling as consent or bury the 'decline' button somewhere on the third page?" lead author Midas Nouwens told TechCrunch. "Since enforcement agencies have limited resources, focusing on the popular consent pop-up providers could be a much more effective strategy than targeting individual websites."