Most cookie consent requests don't comply with EU data collection regulations

According to new research, most consent requests for digital cookies to track users’ web activity do not comply with Europe’s data collection regulations. 

The EU law states that consent for data collection must be informed, specific, and freely given. Furthermore, consent must be active and not merely implied, for example, by closing a pop-up window without responding. Offering pre-ticked boxes that require a user to opt-out is not legal, the online publication Rude Baguette has cited the legislation.

The study was conducted by researchers from University College London, MIT, and Aarhus University and it is called ‘Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence’. The paper found that only about one in ten of the most prevalent Consent Management Platforms [CMPs] satisfied these requirements.

CMP implementation wizards still allow their clients to choose implied consent, with many of these platforms offering an ‘accept all’ option that’s much more visible and easily accessible than the corresponding ‘reject all’ button. ‘74.3% of reject all buttons were one layer deep, requiring two clicks to press; 0.9% of them were two layers away, requiring at minimum three’ the researchers wrote.

Moreover, the sheer number of third-party trackers used by sites means it can take a long time for users to become properly informed to give legal consent. One site used cookies from over 500 different third-party vendors.