When the European Union (EU) introduced the General Data Protection Regulation (GDPR) in May 2018, with the express intention of enforcing strict rules on how website operators gain the consent of internet users for the collection and processing of their personal data, it hadn't necessarily envisioned a world where cookies were no longer around!

Here at decentralize.today, we recently removed the GDPR prompt screen, the so-called 'cookie banner'. We do not collect any user data, so, by the standard of our admittedly untested legal logic, we determined that we didn't need it.

However, it would seem that the best laid plans have, not unusually, gone astray: according to a recently released report, the majority of online forms that websites use to gain this consent fail to meet the regulations.

The warnings allow users to either accept, modify their settings or go no further. But, in an attempt to address this failing, websites are increasingly turning to outsourced consent management platforms (CMPs) to manage compliance with cookie consent and third party tracking.

The report, compiled by researchers at MIT CSAIL, Denmark's Aarhus University and University College London, has found that only around 12% of the most popular CMPs used on UK websites meet the requirements of the GDPR and the EU's eDirective regulations with regard to cookies and consent.

Additionally, the researchers believe some consent forms are evading detection simply because of lax enforcement on the part of the European authorities. That said, there has been some significant enforcement, albeit against some larger contraveners and not the 'small fry' who probably present as big a threat to individuals as the 'big boys'.

Data privacy: Germans dish out one of the biggest GDPR fines yet over lax call centers | ZDNet
GDPR came into force over a year ago but many organisations are still struggling to comply with data privacy legislation - despite the prospect of fines.

The researchers have suggested that the authorities should be employing the sorts of automated tools that they themselves had developed and deployed during their study for large scale analysis of GDPR non-compliance.

The researchers collected consent forms embedded by CMPs on the top 10,000 most popular websites in the UK to check on their compliance. Not many met the standard, and that is of huge concern.

Enforcement in this area is sorely lacking. Data-protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement.
Designers might help here to design tools for regulators, rather than just for users or for websites. Regulators should also work further upstream and consider placing requirements on the vendors of CMPs to only allow compliant designs to be placed on the market.
Comments by the research team looking at UK companies' compliance with the EU's GDPR

For a consent form to meet the GDPR and eDirective requirements, the consent must be explicit, meaning that the user has to actively agree and not be allowed to go straight through to the website. Likewise, the form must make rejection as easy to trigger as acceptance, and pre-ticked boxes are not permitted.

Only one third of the tested sites had a form requesting implicit consent, and just over half didn't even have a 'reject all' button. Of those that did, most didn't make that button as visible or accessible as the 'accept all' one, for example, by putting them on different pages or screen positions.

"Furthermore, when users went to amend specific consent settings rather than accept everything, they are often faced with pre-ticked boxes of the type specifically forbidden by the GDPR," the researchers wrote.

The researchers also found that CMPs make rejecting all tracking, including cookies and browser/device fingerprinting, problematic. Additionally, users have no assurance that toggling off a specific tracker actually takes effect!
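Two of the conditions described above can be checked mechanically on a captured consent dialog: a 'reject all' button that sits on the same screen as 'accept all', and no pre-ticked boxes. The following is an added example, not the researchers' tool or code from this site; the `data-layer` attribute, the button labels and the sample markup are constructed assumptions for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a two-layer consent dialog. The data-layer attribute is
# an assumed marker for "which screen of the dialog", not any real CMP's markup.
SAMPLE = """
<div data-layer="1"><button>Accept all</button><a href="#l2">Settings</a></div>
<div data-layer="2"><button>Reject all</button>
  <input type="checkbox" name="analytics" checked>
  <input type="checkbox" name="ads"></div>
"""

class ConsentFormAudit(HTMLParser):
    """Records which layer each button sits on and any pre-ticked checkboxes."""
    def __init__(self):
        super().__init__()
        self.layer = None        # current data-layer value
        self.in_button = False
        self.buttons = {}        # lower-cased button label -> layer
        self.preticked = []      # names of checkboxes that start checked

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if "data-layer" in a:
            self.layer = a["data-layer"]
        if tag == "button":
            self.in_button = True
        if tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            self.preticked.append(a.get("name", "(unnamed)"))

    def handle_endtag(self, tag):
        if tag == "button":
            self.in_button = False

    def handle_data(self, data):
        if self.in_button and data.strip():
            self.buttons[data.strip().lower()] = self.layer

def audit(html):
    """Return a list of findings; an empty list means both checks passed."""
    form = ConsentFormAudit()
    form.feed(html)
    form.close()
    b, findings = form.buttons, []
    if "reject all" not in b:
        findings.append("no 'reject all' button")
    elif "accept all" in b and b["accept all"] != b["reject all"]:
        findings.append("'reject all' is not on the same layer as 'accept all'")
    findings += [f"pre-ticked box: {name}" for name in form.preticked]
    return findings
```

Calling `audit(SAMPLE)` flags both the buried 'reject all' button and the pre-ticked `analytics` box. Implicit consent cannot be judged from static markup, so it is left out of this check.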

The net outcome from most of this confusion, deliberate or otherwise, is that a lot of people just hit 'accept all' for ease of use.

The results of our empirical survey of CMPs today illustrate the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to – or worse, incentivizing – clearly illegal configurations of their systems.

We, at decentralize.today, will continue to offer a cookie free environment, but that isn't as simple as it might sound, as we scan daily for those sneaky little slugs working their way into the site via imported photos and the like. In the meantime, we are proud to be 'Cookie free since 2020!'

For additional information and guidance on ad & tracker blocking, check out the Privacy Cookbook here at decentralize.today, your recipe for digital anonymity!
