Implicit consent - aka (illegally) inferring consent via non-affirmative user actions (such as the user visiting or scrolling on the website or a failure to respond to a consent pop-up or closing it without a response) - was found to be common (32.5%) among the studied sites. (They obtained a data set of 680 CMP instances via their method - a sample they calculate is representative of at least 57% of the total population of the top 10,000 sites that run a CMP, given prior research found only around a fifth do so.) websites, as ranked by Alexa, to gather data on the most prevalent CMPs in the market - which are made by five companies: QuantCast, OneTrust, TrustArc, Cookiebot and Crownpeak - and analyzed how the design and configurations of these tools affected internet users’ choices. “We found that dark patterns and implied consent are ubiquitous,” the researchers write in summary, saying that only slightly more than one in 10 (11.8%) of the CMPs they looked at “meet the minimal requirements that we set based on European law” - which they define as being “if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit.”įor the study, the researchers scraped the top 10,000 U.K.
However, the “Dark Patterns after the GDPR” study found that’s very far from the case right now. But if it’s configured to contain pre-ticked boxes that opt users into sharing data by default - requiring an affirmative user action to opt out - any gathered “consent” also isn’t legal.Ĭonsent to tracking must also be obtained prior to a digital service dropping or accessing a cookie only service-essential cookies can be deployed without asking first.Īll of which means - per EU law - it should be equally easy for website visitors to choose not to be tracked as to agree to their personal data being processed. Many websites use a so-called CMP to solicit consent to tracking cookies. Recent jurisprudence by the Court of Justice of the European Union also further crystalized the law around cookies, making it clear that consent must be actively signaled - meaning a digital service cannot infer consent to tracking by indirect actions (such as the pop-up being closed by the user without a response or ignored in favor of interacting with the service).
legal) consent that’s set by the EU’s General Data Protection Regulation (GDPR) is clear: It must be informed, specific and freely given.
When consent is being relied upon as the legal basis for processing web users’ personal data, the bar for valid (i.e. Their findings, published in a paper entitled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence ,” chime with another piece of research we covered back in August - which also concluded a majority of the current implementations of cookie notices offer no meaningful choice to Europe’s Internet users - even though EU law requires one. “The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to - or worse, incentivising - clearly illegal configurations of their systems,” the researchers argue, adding that: “Enforcement in this area is sorely lacking.” Most cookie consent pop-ups served to internet users in the European Union - ostensibly seeking permission to track people’s web activity - are likely to be flouting regional privacy laws, a new study by researchers at MIT, UCL and Aarhus University suggests.
0 kommentar(er)
