
Europe's General Data Protection Regulation (GDPR) introduced strict rules for gaining the explicit consent of users when companies collect and process users' personal data. But most of the online forms that websites are using to gain that consent fail to meet the rules, according to a new study.

As GDPR took effect in May 2018, websites began displaying so-called 'cookie banners' where visitors can accept cookies or go into a settings page to adjust them.

Along with GDPR, websites have increasingly adopted outsourced consent-management platforms (CMPs) to handle compliance with cookie consent and third-party tracking.


But a new study by researchers at MIT CSAIL, Denmark's Aarhus University, and University College London, has found only 11.8% of the most popular CMPs used on UK websites meet the minimal requirements under GDPR and Europe's eDirective regulations regarding cookies and consent.

Additionally, the researchers believe website cookie consent forms are flying under the radar of European data-protection authorities (DPAs), which aren't paying attention to enforcement.

The researchers argue that European DPAs should be using the type of automated tools the researchers developed for large-scale analysis of GDPR compliance.

The researchers scraped numerous consent forms from CMPs implemented on the 10,000 most popular websites in the UK and checked whether they comply with European law. As mentioned, not many CMP templates did, but it's up to regulators to ensure these forms and their providers do conform.

"Enforcement in this area is sorely lacking. Data-protection authorities should make use of automated tools like the one we have designed to expedite discovery and enforcement," the researchers argue.

"Designers might help here to design tools for regulators, rather than just for users or for websites. Regulators should also work further upstream and consider placing requirements on the vendors of CMPs to only allow compliant designs to be placed on the market."

The researchers' scraper was used to determine whether a consent form met GDPR and eDirective requirements. The rules say consent must be explicit. So, for example, users must click a button rather than just hop straight through to the website; all aspects of consent must be equally easy to reject as to accept; and pre-ticked boxes are not allowed.
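To make the three criteria concrete, here is a small static checker written for this article; it is an added example, not the researchers' tool, and it works on a consent banner's HTML rather than on a live site. It assumes the banner's first view is whatever is not inside a container marked `hidden` or `display:none`, and it classifies buttons purely by their visible text. The two sample banners are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Button wording that counts as accepting or rejecting (assumed heuristics).
# Reject patterns are tested first so "Do not accept" is not read as accept.
REJECT_RE = re.compile(r"\b(reject|decline|refuse|disagree|do not accept)\b", re.I)
ACCEPT_RE = re.compile(r"\b(accept|agree|allow)\b", re.I)
VOID_TAGS = {"input", "br", "img", "hr", "meta"}  # never have a closing tag


@dataclass
class Button:
    text: str
    visible: bool  # True when not nested inside a hidden settings panel


@dataclass
class BannerFacts:
    buttons: list = field(default_factory=list)
    preticked: list = field(default_factory=list)  # checkbox names ticked by default


class BannerParser(HTMLParser):
    """Collects buttons (with visibility) and pre-ticked checkboxes from a banner."""

    def __init__(self):
        super().__init__()
        self.facts = BannerFacts()
        self._stack = []         # (tag, is_hidden) for open elements
        self._hidden_depth = 0   # > 0 while inside any hidden container
        self._button_text = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "hidden" in a or "display:none" in style
        if tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            self.facts.preticked.append(a.get("name", "<unnamed>"))
        if tag in VOID_TAGS:
            return                      # void elements are not pushed
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "button":
            self._button_text = []

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <input ... /> like <input ...>

    def handle_data(self, data):
        if self._button_text is not None:
            self._button_text.append(data)

    def handle_endtag(self, tag):
        if tag == "button" and self._button_text is not None:
            text = " ".join("".join(self._button_text).split())
            self.facts.buttons.append(Button(text, self._hidden_depth == 0))
            self._button_text = None
        # Pop back to the matching start tag, releasing hidden state on the way.
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def classify(text):
    if REJECT_RE.search(text):
        return "reject"
    if ACCEPT_RE.search(text):
        return "accept"
    return "other"


def assess(html):
    """Apply the three criteria from the article to one banner's HTML."""
    p = BannerParser()
    p.feed(html)
    f = p.facts
    accept = [b for b in f.buttons if classify(b.text) == "accept" and b.visible]
    reject = [b for b in f.buttons if classify(b.text) == "reject"]
    reject_visible = [b for b in reject if b.visible]
    return {
        "has_accept_button": bool(accept),          # explicit click is possible
        "has_reject_all": bool(reject),             # a reject option exists at all
        "reject_as_easy_as_accept": bool(accept) and bool(reject_visible),
        "preticked_boxes": f.preticked,             # forbidden defaults
        "compliant": bool(accept) and bool(reject_visible) and not f.preticked,
    }


# Constructed sample banners (not taken from any real site).
NON_COMPLIANT = """
<div id="cmp">
  <p>We and our partners use cookies.</p>
  <button>Accept all</button>
  <button>Manage settings</button>
  <div id="settings" hidden>
    <label><input type="checkbox" name="analytics" checked> Analytics</label>
    <label><input type="checkbox" name="advertising" checked> Advertising</label>
    <button>Reject all</button>
    <button>Save</button>
  </div>
</div>
"""

COMPLIANT = """
<div id="cmp">
  <p>We use cookies for analytics and advertising.</p>
  <button>Accept all</button>
  <button>Reject all</button>
  <button>Manage settings</button>
  <div id="settings" hidden>
    <label><input type="checkbox" name="analytics"> Analytics</label>
    <label><input type="checkbox" name="advertising"> Advertising</label>
    <button>Save</button>
  </div>
</div>
"""

if __name__ == "__main__":
    for name, html in [("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)]:
        print(name, assess(html))
```

The first banner fails on two counts the study flags: its only reject button sits behind the "Manage settings" panel, and the purpose checkboxes are ticked by default. A check like this cannot see whether the site sets third-party cookies before any button is clicked, which is the other half of the "implicit consent" problem; that needs a browser-level crawl that records network and cookie activity, as a scraper run against live sites would.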

Of the 10,000 websites scraped that used a CMP form, the researchers found that implicit consent is present on a third of websites.

The researchers also found that CMPs make rejecting all tracking – which includes cookies and other techniques like browser and device fingerprinting that Firefox-maker Mozilla is trying to block by default – "substantially more difficult than accepting it".

Microsoft and Apple are also trying to tackle third-party tracking in their respective Edge and Safari browsers.

Just over half of websites in the survey don't even offer a 'reject all' button and only 12.6% of sites have a 'reject all' button that is just as easy to access as the 'accept all' button, for example, by placing both options on the same page.

"Furthermore, when users went to amend specific consent settings rather than accept everything, they are often faced with pre-ticked boxes of the type specifically forbidden by the GDPR," the researchers wrote.


On top of all this, the researchers – and users too – have no idea whether toggling on or off a specific category of tracking actually produces the intended result for the user. The median number of third-party trackers that data is shared with on sites is a whopping 315 vendors.

The end result of hiding the 'reject all' option is that people overwhelmingly choose to 'accept all'.

"The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to – or worse, incentivizing – clearly illegal configurations of their systems," the researchers conclude.
