It’s been more than a year and a half since the European Union’s General Data Protection Regulation (GDPR) went into effect, but the internet’s still a long way from getting compliance right.
That’s the takeaway from “Dark Patterns after the GDPR,” a new report by researchers from MIT, UCL in the United Kingdom, and Denmark’s Aarhus University. After monitoring the data-collection “opt-in” popups of hundreds of UK websites, they found that only 11.8 percent of the 680 sites researchers analyzed met the “minimum requirements” that the researchers set forth for a site to be GDPR compliant—specifically, that consent for user data collection through cookies and other technologies must be freely and explicitly given, while at the same time being as easy to revoke as it is to give.
It turns out that one of the biggest culprits, when it comes to consent mismanagement, pops up as soon as someone opens a page. The popups asking users to consent to web tracking (which, realistically, everyone likely clicks anyway) are often run by ad-tech middlemen known as Consent Management Platforms, or CMPs. These CMPs often get tripped up when it comes to garnering “explicit” consent—often inferring consent by, say, a user ignoring the popup or closing it.
After scraping the Alexa-ranked top 10,000 websites in the UK, the researchers found the most prevalent CMPs on the market were made by just five companies: QuantCast, OneTrust, TrustArc, Cookiebot, and Crownpeak.
Among the sites displaying popups generated by these five actors, nearly a third—32.5 percent—were guilty of assuming that different user actions were just as good as clicking that “consent” button, despite the fact that this isn’t recognized by EU law, according to the researchers. Meanwhile, 9 percent of the sites accepted more than one form of these “implicit consent” variables, including: “just visiting the site, navigating within the site, revisiting/refreshing the page, scrolling or clicking on the page or closing the pop-up or banner.”
If that wasn’t bad enough, the paper’s authors go on to explain that the websites working with these CMPs are still able to choose from these implied consent options even after they indicate that the CMP should check whether a visitor’s IP is within the scope of the EU, which would make that visitor protected by GDPR.
Aside from assuming consent, these CMPs don’t make opting out of tracking easy, according to the study. More than half (50.1 percent) of the sites surveyed didn’t have an option to “reject all” of the cookies or trackers on a webpage. Even for the sites that did have one, researchers found, more than three-quarters of the sites made it harder to “reject all” than to “accept all” of those trackers—which, at times, numbered in the hundreds for a given website.
It’s not surprising that the web still leaves a lot to be desired when it comes to consent-based compliance. As for collecting user data, there’s a ton of links in the digital supply chain all playing a certain role at any given time. The induction of GDPR into law makes one thing very clear: Those links need to play by these new rules, or risk a hefty fine.
Less clear are the responsibilities each link has when it comes to consent. For example, if a website is GDPR compliant, but their CMP isn’t, who should take the fall? If that same website is working with an outside vendor to give intel about a user’s data, and that vendor isn’t compliant, who should be held responsible?
This is the murkiness that ultimately led some of these ad-tech middlemen to pull out of the EU entirely when GDPR first passed—and now, more than a year later, it hasn’t gotten much better. While advertising powerhouses like Facebook and Google are able to overhaul massive infrastructure to ensure that any of that responsibility is absolved on their end compliance-wise, it makes sense that the smaller players—like the sites surveyed in this study—are still left with some holes.
Back in May, Laura Jehl, partner in the privacy and data protection practice at law firm BakerHostetler, told CNBC, “In the beginning, a number of [EU] regulators informally said ‘we know you guys aren’t ready for GDPR, and to be honest, we’re not really ready either,’” implying that this sort of grace period would soon be coming to an end. But between puny fines being lobbed at the tech giants for their own GDPR misdeeds, and missing guidelines for the rest of us, it looks like we’re nowhere close to ready.
Correction: A previous version of this article incorrectly calculated the number of websites researchers found had failed to comply with GDPR consent requests. While the researchers scraped 10,000 websites, they only analyzed the 680 found to have used the top five CMPs. We regret the error.