Cookie consent tools are being used to undermine EU privacy rules, study suggests

Most cookie consent pop-ups served to internet users in the European Union, ostensibly seeking permission to track people's web activity, are likely to be flouting regional privacy laws, a new study by researchers at MIT, UCL and Aarhus University suggests.
"The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to, or worse, incentivising, clearly illegal configurations of their systems," the researchers argue, adding that "enforcement in this area is sorely lacking."
Their findings, published in a paper entitled "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence", chime with another piece of research we covered back in August, which also concluded that a majority of the current implementations of cookie notices offer no meaningful choice to Europe's internet users, even though EU law requires one.
When consent is being relied upon as the legal basis for processing web users' personal data, the bar for valid (i.e. legal) consent that's set by the EU's General Data Protection Regulation (GDPR) is clear: it must be informed, specific and freely given.
Recent jurisprudence by the Court of Justice of the European Union also further crystallized the law around cookies, making it clear that consent must be actively signaled, meaning a digital service cannot infer consent to tracking from indirect actions (such as the pop-up being closed by the user without a response, or ignored in favor of interacting with the service).
Many websites use a so-called CMP to solicit consent to tracking cookies. But if it's configured to contain pre-ticked boxes that opt users into sharing data by default, requiring an affirmative user action to opt out, any gathered consent also isn't legal.
Consent to tracking must also be obtained prior to a digital service dropping or accessing a cookie; only service-essential cookies can be deployed without asking first.
All of which means that, under EU law, it should be equally easy for website visitors to choose not to be tracked as to agree to their personal data being processed.
However, the Dark Patterns after the GDPR study found that's very far from the case right now.
"We found that dark patterns and implied consent are ubiquitous," the researchers write in summary, saying that only slightly more than one in 10 (11.8%) of the CMPs they looked at "meet the minimal requirements that we set based on European law", which they define as being "if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit."
For the study, the researchers scraped the top 10,000 U.K. websites, as ranked by Alexa, to gather data on the most prevalent CMPs in the market, which are made by five companies: QuantCast, OneTrust, TrustArc, Cookiebot and Crownpeak. They then analyzed how the design and configurations of these tools affected internet users' choices. (They obtained a data set of 680 CMP instances via their method, a sample they calculate is representative of at least 57% of the total population of the top 10,000 sites that run a CMP, given prior research found only around a fifth do so.)
Implicit consent, a.k.a. (illegally) inferring consent from non-affirmative user actions (such as the user visiting or scrolling on the website, failing to respond to a consent pop-up, or closing it without a response), was found to be common (32.5%) among the studied sites.
"Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor's IP is within the geographical scope of the EU, which should be mutually exclusive," they note, arguing that "this raises significant questions over adherence with the concept of data protection by design in the GDPR."
They also found that the vast majority of CMPs make rejecting all tracking substantially more difficult than accepting it, with a majority (50.1%) of studied sites not having a "reject all" button at all, and only a tiny minority (12.6%) of sites having a "reject all" button accessible with the same or fewer number of clicks as an "accept all" button.
Or, to put it another way: Ohhai, dark pattern design!
"An 'accept all' button was never buried in a second layer," the researchers go on to point out, also finding that "74.3% of reject all buttons were one layer deep, requiring two clicks to press; 0.9% of them were two layers away, requiring at minimum three."
Pre-ticked boxes were found to be widely deployed in the studied CMPs as well, despite such a setting not being legally valid. (On this they found: "56.2% of sites pre-ticked optional vendors or purposes/categories, with 54.1% of sites pre-ticking optional purposes, 32.3% pre-ticking optional categories, and 30.3% pre-ticking both.")
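The three minimal requirements the paper sets (no pre-ticked optional boxes, rejection as easy as acceptance, explicit consent) can be turned into a mechanical audit of a CMP configuration. The following is an added example, not code from the paper or from any CMP vendor; the CmpInstance model, its field names and the consent-signal labels are assumptions constructed for illustration, and click counts follow the paper's convention that a button one layer deep needs two clicks.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Non-affirmative actions that the paper treats as implied (not explicit) consent.
IMPLIED_CONSENT_SIGNALS = {"visit", "scroll", "close_without_response", "ignore"}


@dataclass
class CmpInstance:
    """Constructed model of one scraped CMP instance (hypothetical field names)."""
    consent_signals: Set[str]        # actions the CMP counts as consent
    accept_all_layer: int            # 0 = button is on the first page
    reject_all_layer: Optional[int]  # None = no "reject all" button at all
    preticked_purposes: bool
    preticked_categories: bool
    preticked_vendors: bool


def clicks_needed(layer: int) -> int:
    # The paper counts a button one layer deep as needing two clicks, so clicks = layer + 1.
    return layer + 1


def audit(cmp: CmpInstance) -> List[str]:
    """Return the study's minimal requirements that this instance fails (empty = passes)."""
    failures = []
    if cmp.consent_signals & IMPLIED_CONSENT_SIGNALS:
        failures.append("consent is not explicit")
    if cmp.preticked_purposes or cmp.preticked_categories or cmp.preticked_vendors:
        failures.append("optional boxes are pre-ticked")
    if cmp.reject_all_layer is None or clicks_needed(cmp.reject_all_layer) > clicks_needed(cmp.accept_all_layer):
        failures.append("rejection is harder than acceptance")
    return failures


def compliance_rate(instances: List[CmpInstance]) -> float:
    """Share (percent, one decimal) of instances that pass all three requirements."""
    passing = sum(1 for c in instances if not audit(c))
    return round(100 * passing / len(instances), 1)


# Constructed sample: one compliant instance and three configured the ways the study flags.
SAMPLE = [
    CmpInstance({"click_accept"}, 0, 0, False, False, False),           # passes all three
    CmpInstance({"click_accept", "scroll"}, 0, 1, True, False, False),  # scroll = consent, pre-ticked, buried reject
    CmpInstance({"click_accept"}, 0, None, False, False, True),         # no reject-all button, pre-ticked vendors
    CmpInstance({"click_accept"}, 0, 2, False, False, False),           # reject-all two layers deep (three clicks)
]

if __name__ == "__main__":
    for inst in SAMPLE:
        print(audit(inst) or "compliant")
    print(f"{compliance_rate(SAMPLE)}% of the sample meets the minimal requirements")
```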
They also point out that the high number of third-party trackers routinely being used by sites poses a major problem for the EU consent model, given that it takes a prohibitively long time for users to become informed enough to be able to legally consent.
The exact number of third-party trackers they found being packed like sardines into CMPs varied, with between tens and several hundreds in play depending on the site.
Fifty-eight was the lowest number they encountered, while the highest instance was 542 vendors on an implementation of QuantCast's CMP. (And, well, just imagine the friction involved in manually unticking all those, assuming that was one of the sites that also lacked a "reject all" button...)
"Sites relied on a large number of third party trackers, which would take a prohibitively long time for users to inform themselves about clearly. Out of the 85.4% of sites that did list vendors (e.g. third party trackers) within the CMP, there was a median number of 315 vendors (low. quartile 58, upp. quartile 542). Different CMP vendors have different average numbers of vendors, with the highest being QuantCast at 542; 75% of sites had over 58 vendors. 76.47% of sites provide some descriptions of their vendors. The mean total length of these descriptions per site is 7,985 words: roughly 31.9 minutes of reading for the average 250 words-per-minute reader, not counting interaction time to e.g. unfold collapsed boxes or navigating to and reading specific privacy policies of a vendor."
A second part of the research involved a field experiment with 40 participants to investigate how the eight most common CMP designs affect internet users' consent choices.
"We found that notification style (banner or barrier) has no effect [on consent choice]; removing the opt-out button from the first page increases consent by 22-23 percentage points; and providing more granular controls on the first page decreases consent by 8-20 percentage points," they write in summary on that.
They argue this portion of the study supports the notion that two of the most common consent interface designs (not showing a "reject all" button on the first page, and showing bulk options before showing granular control) "make it more likely for users to provide consent, thereby violating the [GDPR] principle of freely given."
They also make reference to "qualitative reflections" of the participants in the paper, which were obtained via survey after individuals' consent choices had been registered during the field study, suggesting these responses "put into question the entire notice-and-consent model not because of specific design decisions but merely because an action is required before the user can accomplish their main task and because they appear too frequently if they are shown on a website-by-website basis."
So, in other words, just the fact of interrupting a web user to ask them to make a choice may itself apply substantial enough pressure that it might render any resulting consent invalid.
The study's finding of the prevalence of manipulative designs and configurations intended to nudge or even force consent suggests internet users in Europe are not actually benefiting from a legal framework that's supposed to protect their digital data from unwanted exploitation, and are rather being subjected to a lot of noisy, distracting and disingenuous consent theatre.
Cookie notices not only generate friction and frustration for the average internet user as they try to go about their daily business online, but the current situation is creating a faux veneer of compliance atop what is actually a massive trampling of rights via what amounts to digital daylight robbery of people's data at scale.
The problem here is that EU regulators have for years looked the other way where online tracking is concerned, failing entirely to enforce the on-paper standard.
Enforcement is indeed sorely lacking, as the researchers note. (Industry lobbying/political pressure, limited resources, risk aversion and regulatory capture, and a legacy of inaction around digital rights are all likely to blame.)
And while the GDPR only started being applied in May 2018, Europe has had regulations on data-gathering mechanisms like cookies for approaching two decades, with the paper pointing out that an amendment to the ePrivacy Directive all the way back in 2002 made it a requirement that storing or accessing information on a user's device not strictly necessary for providing an explicitly requested service requires both clear and comprehensive information and opt-in consent.
Asked about the research findings, lead author Midas Nouwens questioned why CMP vendors are selling so-called compliance tools that allow for non-compliant configurations in the first place.
"It's sad, but I don't think anyone is surprised anymore by how few pop-ups comply with the GDPR," he told TechCrunch. "What is shocking is how non-compliant interface designs are allowed by the companies that provide consent pop-ups. Why do they let their clients count scrolling as consent or bury the decline button somewhere on the third page?"
"Enforcement is really the next big challenge if we don't want the GDPR to go down the same path as the ePrivacy directive," he added. "Since enforcement agencies have limited resources, focusing on the popular consent pop-up providers could be a much more effective strategy than targeting individual websites."
"Unfortunately, while we wait for enforcement, the dark patterns in these pop-ups are still manipulating people into being tracked."
Another of the researchers behind the paper, Michael Veale, a lecturer in digital rights and regulation at UCL, also expressed shock that CMP vendors are allowing their tools to be configured in ways which are clearly intended to manipulate internet users, thereby flouting the law.
In the paper the researchers urge regulators to take a smarter approach to tackling such widespread violation, such as by making use of automated tools to expedite discovery and enforcement of non-compliant cookie notices, and suggest they work further upstream such as by placing requirements on the vendors of CMPs to only allow compliant designs to be placed on the market.
"It's shocking to see how many of the large providers of consent pop-ups allow their systems to be misconfigured, such as through implicit consent, in ways that clearly infringe data protection law," Veale told us, adding: "I suspect data protection authorities see this widespread illegality and are not sure exactly where to start. Yet if they do not start enforcing these guidelines, it's unclear when this widespread illegality will start to stop."
"This study even overestimates compliance, as we don't focus on what actually happens to the tracking when you click on these buttons, which other recent studies have emphasised in many cases mislead individuals and do nothing at all," he also pointed out.
We reached out to the U.K.'s data protection watchdog, the ICO, for a response to the research, and a spokeswoman pointed us to this cookie advice blog post it published last year, saying the advice it contains still stands.
In the blog, Ali Shah, the ICO's head of technology policy, suggests there could be some (albeit limited) action from the regulator this year to clean up cookie consent, with Shah writing that: "Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based."
While European citizens wait for data protection regulators to take meaningful action over systematic breaches of the GDPR, including those attached to consent-less tracking of web users, there is one step European web users can take to shrink the pain of cookie consent pop-ups: the researchers behind the study have built an open source browser extension that can automatically answer pop-ups based on user-customizable preferences.
It's called Consent-o-Matic, and there are versions available for Firefox and Chrome.
"A holiday gift from us* at @AarhusUni: Consent-o-Matic! A browser extension that automatically answers consent pop-ups for you.
Firefox: https://t.co/5PhAEN6eOd
Chrome: https://t.co/ob8xrLxhFW
Github: https://t.co/0Xe9xNwCEb
* @cklokmose; Janus Bager Kristensen; Rolf Bagge
1/8 pic.twitter.com/3ooV8ZFTH0"
Midas Nouwens (@MidasNouwens), December 24, 2019