When, in May 2018, the European Union (EU) introduced the General Data Protection Regulation (GDPR) with the express intention of enforcing strict rules on how website operators gain the consent of internet users for the collection and processing of their personal data, it hadn't necessarily envisioned a world where cookies were no longer around!
Here, at decentralize.today, we recently removed the GDPR prompt screen, the so-called 'cookie banner', because we do not collect any user data and therefore, by the standard of our admittedly untested legal logic, we determined that we didn't need it.
However, it would seem that the best-laid plans have, not unusually, gone astray: the majority of online forms that websites are using to gain this consent fail to meet the regulations, according to a recently released report.
The warnings allow users to either accept, modify their settings or go no further. But, in an attempt to address this failing, websites are increasingly turning to outsourced consent management platforms (CMPs) to manage compliance with cookie consent and third party tracking.
The report, compiled by researchers at MIT CSAIL, Denmark's Aarhus University and University College London, has found that only around 12% of the most popular CMPs used on UK websites meet the requirements of the GDPR and the EU's eDirective regulations with regard to cookies and consent.
Additionally, the researchers believe some consent forms are evading detection simply because of lax enforcement on the part of the European authorities. That said, there has been some significant enforcement, albeit against some larger contraveners and not the 'small fry' who probably present as big a threat to individuals as the 'big boys'.
The researchers have suggested that the authorities should be employing the sorts of automated tools that they themselves had developed and deployed during their study for large scale analysis of GDPR non-compliance.
The researchers collected consent forms embedded by CMPs on the top 10,000 most popular websites in the UK to check their compliance. Not many met the standard, and that is of huge concern.
Enforcement in this area is sorely lacking. Data-protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement.
Designers might help here to design tools for regulators, rather than just for users or for websites. Regulators should also work further upstream and consider placing requirements on the vendors of CMPs to only allow compliant designs to be placed on the market.
comments by research team looking at compliance across UK companies to the EU's GDPR
For a consent form to meet the GDPR and eDirective requirements, the consent must be explicit, meaning that the user has to actively agree and not be allowed to go straight through to the website. Likewise, the form must make rejection as easy to trigger as acceptance, and pre-ticked boxes are not permitted.
Only one third of the tested sites had a form requesting implicit consent, and just over half didn't even have a 'reject all' button. Of those that did, most didn't make that button as visible or accessible as the 'accept all' one, for example by putting them on different pages or screen positions.
"Furthermore, when users went to amend specific consent settings rather than accept everything, they are often faced with pre-ticked boxes of the type specifically forbidden by the GDPR," the researchers wrote.
The researchers also found that CMPs make rejecting all tracking, including cookies and browser/device fingerprinting, problematic. Additionally, users have no assurance that toggling off a specific tracker actually takes effect!
The net outcome of most of this confusion, deliberate or otherwise, is that a lot of people just hit 'accept all' for ease of use.
The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to – or worse, incentivizing – clearly illegal configurations of their systems
We, at decentralize.today, will continue to offer a cookie-free environment, but that isn't as simple as it might sound, as we scan daily for those sneaky little slugs working their way into the site via imported photos and the like. In the meantime, we are proud to be 'Cookie free since 2020!'
For additional information and guidance on ad & tracker blocking, check out the Privacy Cookbook here at decentralize.today, your recipe for digital anonymity!