After GDPR came into force in 2018, many websites started showing cookie consent pop-ups, in which they notify the user that the website uses cookies to track certain visitor behaviour.
Some sites allow the visitors to choose whether or not to accept the cookies, but in many cases – these are just notifications.
But according to a new study by researchers at MIT, UCL and Aarhus University, these notifications’ only purpose is to work around GDPR and are, in many instances, illegal.
“The results of our empirical survey of CMPs [consent management platforms] today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising — clearly illegal configurations of their systems,” the researchers argue, adding that: “Enforcement in this area is sorely lacking.”
The researchers scanned top 10,000 U.K. websites (Alexa ranking) and found that more than half (57 per cent) use CMPs made by five companies: QuantCast, OneTrust, TrustArc, Cookiebot and Crownpeak.
Implicit consent (basically when a user ignores the pop-up or just closes it without interacting) was found in 32.5 per cent of cases.
“Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive,” the report says
“This raises significant questions over adherence with the concept of data protection by design in the GDPR.”
Rejecting all tracking is made a lot more difficult, in comparison. The majority of the studied websites (50 per cent) did not have a “reject all” button.
