Guess What? Even the GDPR Is Getting Circumvented

It is as we had always expected: internet users don’t really care about their data privacy, and as a result even the best-thought-out plans to keep them secure fail.

A new study suggests that the well-thought-out cookie consent pop-ups that seek permission to track users’ web activity could be flouting regional privacy laws and probably doing just the opposite of what they were intended to do. Researchers at MIT, UCL and Aarhus University have come out with an extensive paper on how the system is getting subverted.

Their conclusion is that the empirical study of consent management platforms (CMPs) suggests the extent to which illegal practices prevail, with vendors of such platforms turning a blind eye to, and sometimes incentivizing, illegal configurations of their systems. They stress that enforcement is what is completely missing from the process.

The paper, titled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, is in sync with another study published in August last year, titled “(Un)informed Consent: Studying GDPR Consent Notices in the Field” and conducted by researchers from the Ruhr-University Bochum, Germany, and the University of Michigan.

That study said that after May 2018, when the GDPR came into force, consumers were suffering a degree of confusion about how cookies function and that there was a general mistrust around the word itself. If consent were being collected in a way that’s compliant with the EU’s existing privacy laws, only a tiny fraction of consumers would agree to tracking, it concluded.

The latest study builds on the earlier one and concludes that a majority of the cookie notices implemented now offer no meaningful choice to Europe’s internet users, despite the fact that one is required under present EU law. The Court of Justice of the EU clarified that consent must be actively signaled and that indirect actions cannot be construed as consent. For example, if a user merely closes the pop-up, that cannot be deemed consent to be tracked.

The researchers found that several websites use a consent platform configured with pre-ticked boxes, so that users share data by default. In other words, anyone who wants to opt out of tracking has to uncheck the boxes that appear in the pop-up, which is illegal under EU norms but seems to be the default practice.

“We found that dark patterns and implied consent are ubiquitous,” the researchers said, adding that only 11.8% of the consent platforms they looked at “meet the minimal requirements that we set based on European law”, which a platform satisfies “if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit.”

The research, which used the top 10K websites from the UK, suggested that “Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive.”

“This raises significant questions over adherence with the concept of data protection by design in the GDPR,” the researchers say, claiming that a vast majority of consent platforms make rejecting all tracking substantially more difficult than accepting it, thus circumventing the very purpose behind the law.

(Tags: Cookies, Consent, GDPR, Data Privacy, MIT, UCL)