Widely-used cookie walls are flouting GDPR rules

Only 12% of third-party consent-seeking banners and notifications meet minimum requirements

The majority of third-party cookie walls used by UK organisations to obtain consent from users contravene strict data protection laws, researchers claim.

Just 11.8% of the consent management platforms (CMPs) deployed by UK websites to seek user consent and offer tracking controls meet the minimum legal requirements of the General Data Protection Regulation (GDPR).

CMPs, including banners and pop-up windows, are automatically displayed when users visit a website and give a number of options pertaining to consent as well as advanced controls over elements like tracking.

These are designed and distributed by a handful of developers, including Cookiebot, Crownpeak, OneTrust, QuantCast and TrustArc, and used by organisations who prefer this to building their own. Approximately 20% of the top 10,000 UK websites use such a service.


Among the most widely-used CMPs, researchers with Cornell University found that implied consent is universal, as are dark patterns that nudge people towards the behaviour the website wants.

“The results of our empirical survey of CMPs today illustrate the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to - or worse, incentivising - clearly illegal configurations of their systems,” the researchers concluded.

“Enforcement in this area is sorely lacking.

“Designers might help here to design tools for regulators, rather than just for users or for websites. Regulators should also work further upstream and consider placing requirements on the vendors of CMPs to only allow compliant designs to be placed on the market.”

Researchers scraped designs of the five most popular consent-seeking interfaces deployed by the top 10,000 websites in the UK, finding that explicit consent was rare.

Non-compliance is so widespread that even the Information Commissioner's Office (ICO) admitted last year that its own cookie wall was non-compliant.


To be fully GDPR-compliant, the researchers stated, cookie walls must obtain explicit consent through a clear, positive action, and must make rejecting all options as easy as accepting all of them. These notifications must also contain no pre-ticked boxes.
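As an added illustration of the three requirements just listed (example code written for this page, not from the article or from the study it reports), the following JavaScript models a consent state in which nothing is pre-ticked and nothing counts as consent until the user acts, with accept-all and reject-all as symmetric single actions, and audits a constructed description of a banner's first layer against the same rules. The category names, the shape of the `layer` description and the two sample banners are assumptions made here.

```javascript
// Added example: not code from the article or the study it reports.
// Category names and the banner-description shape are assumptions made here.
const CATEGORIES = ["analytics", "advertising", "personalisation"];

// Consent state: no pre-ticked boxes, and no decision exists until the user acts.
function createConsentState() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { decided: false, choices };
}

// "Accept all" and "reject all" are symmetric: each is a single positive action.
function acceptAll(state) {
  for (const c of CATEGORIES) state.choices[c] = true;
  state.decided = true;
  return state;
}

function rejectAll(state) {
  for (const c of CATEGORIES) state.choices[c] = false;
  state.decided = true;
  return state;
}

// Granular choice for one category, still an explicit action by the user.
function setCategory(state, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  state.choices[category] = Boolean(granted);
  state.decided = true;
  return state;
}

// Only an explicit decision grants access; scrolling or continuing to browse never does.
function hasConsentFor(state, category) {
  return state.decided === true && state.choices[category] === true;
}

// Audit a description of a banner's first layer. `layer` is a constructed shape:
//   { controls: { acceptAll: { clicks: n }, rejectAll: { clicks: n } },
//     preTicked: { category: bool }, impliedConsent: bool }
// Returns a list of human-readable problems; an empty list means the layer passes.
function auditFirstLayer(layer) {
  const problems = [];
  const accept = layer.controls.acceptAll;
  const reject = layer.controls.rejectAll;
  if (!accept) problems.push("no accept-all control on the first layer");
  if (!reject) {
    problems.push("no reject-all control on the first layer");
  } else if (accept && reject.clicks > accept.clicks) {
    problems.push(`reject-all needs ${reject.clicks} clicks but accept-all needs ${accept.clicks}`);
  }
  for (const [cat, ticked] of Object.entries(layer.preTicked || {})) {
    if (ticked) problems.push(`category "${cat}" is pre-ticked`);
  }
  if (layer.impliedConsent) problems.push("consent is implied from continuing to browse");
  return problems;
}

// Constructed sample banners (not real vendor configurations).
const COMPLIANT_BANNER = {
  controls: { acceptAll: { clicks: 1 }, rejectAll: { clicks: 1 } },
  preTicked: { analytics: false, advertising: false, personalisation: false },
  impliedConsent: false,
};

const DARK_PATTERN_BANNER = {
  controls: { acceptAll: { clicks: 1 }, rejectAll: { clicks: 3 } }, // reject buried under "settings"
  preTicked: { analytics: true, advertising: true, personalisation: false },
  impliedConsent: true,
};

console.log(auditFirstLayer(COMPLIANT_BANNER)); // []
console.log(auditFirstLayer(DARK_PATTERN_BANNER)); // four problems listed
```

The audit deliberately treats "reject-all takes more clicks than accept-all" as a failure rather than a warning, since the article's requirement is equal ease, not mere availability of a rejection path somewhere in the interface.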


A further in-depth study with 40 participants showed that tweaking CMP designs can significantly change consent rates.

Removing the opt-out button from the first page of a cookie wall, for example, raised consent levels by 22 to 23%. Conversely, offering more granular controls on the first page decreased consent by 8 to 20%.

The key takeaway from the study, according to those involved, was that placing information or controls anywhere other than the very first layer is almost pointless, because users largely ignore it.


Offering genuine controls, therefore, would require organisations to place everything on the first page of any cookie wall.

Alternatively, the design patterns of consent banners could be overhauled to allow for richer and more durable ways to set privacy settings. These would have to be legally binding, however, rather than self-regulatory.


This is difficult because intense lobbying around the EU’s draft ePrivacy Regulation has predominantly involved adtech firms campaigning to prevent browsers from having legally-binding privacy settings.

Mozilla is one example of a developer that’s taken action into its own hands, introducing a set of top-level privacy and anti-tracking controls for its Firefox browser last year. Microsoft’s renewed Edge browser, similarly, is packaged with default anti-tracking and baseline cookie blocking.
