When the General Data Protection Regulation (GDPR) came into force in May 2018, it's no exaggeration to say that it caused chaos for large parts of the online world during the first days. The new rules were meant to give consumers more control over data protection and privacy, but has it worked? A new study suggests not.
We're now more than 18 months into life with GDPR. I was initially, and still am in principle, fully behind the move. Giving web users the ability to opt out of cookie tracking, and the power to fight back against those that abuse the treasure trove of data we create as we move from website to website, from click to click, felt like a step in the right direction. However, a new study from MIT, UCL and Aarhus University has found that only 11.8 percent of websites "meet the minimal requirements that we set based on European law". Basically, we are still getting tracked online and sold to advertisers.
Are Europeans just too lazy to care?
Browsing the internet is certainly different since GDPR. Landing on a webpage you've never visited before results in a barrage of pop-ups and messages about what that site can do with your data. The problem is, sites have worked out that making it harder to reject the tracking than to simply accept it is a successful way to gain permission from the lazier and less interested among us. Often, rejecting cookies takes four clicks, whilst accepting them takes a single click on that nice big, easy-to-see button right there in the middle of the screen. How many times have you just clicked it because you were in a hurry?
The numbers back it up too. Having your opt-out button buried at the second layer or lower increases consent by 23 percent. Having a dark/hard-to-see pop-up box can increase user consent by as much as 40 percent. There is a lot to play with here for UX and UI designers, and they are getting creative.
Then there's the issue of implicit consent. According to the study, this is a method used by 32.5 percent of the websites it studied. Implicit consent assumes you want to sign up for cookies if you scroll and ignore the pop-up consent window. Combine this assumption with a tiny, well-placed pop-up box and you can get a lot of users to "consent" without them even noticing. The report stated that this practice "raises significant questions over adherence with the concept of data protection by design in the GDPR." No shit. Consent is supposed to be "freely given" under GDPR law. Are we really satisfied that is what is happening? I'm not.
So are websites being punished?
What do you think? The EU stepping in to take enforcement action against sites that fail to meet the minimum requirements on cookie consent is rare. The maximum fine for not complying with GDPR is set at €20 million or 4 percent of turnover, whichever is the greater. Vera Jourova, the EU commissioner for justice, said at the time that the European Union had handed a "loaded gun" to regulators in its member states, but how many have pulled the trigger? In the UK, around 36,000 data breaches were reported to authorities under GDPR, but most of these concern the mishandling of data, not the tricks used to gain consent to collect it in the first place.
Even if you get reported, there's a good chance you'll get off with a slap on the wrist. Between May 2018 and March 2019 in the UK, 11,468 data-breach cases were settled, but only 29 of these resulted in a fine. There have been a few headline cases. British Airways was threatened with a $230 million fine in the summer for a data breach in 2018, but it still hasn't been issued. Just this week the UK Information Commissioner's Office extended the regulatory process until March 31. What good is a loaded gun if it only fires blanks?
There is also some finger-pointing and blame sharing going on here too. A lot of sites use consent management platforms (CMPs) to handle the GDPR stuff. These are third-party companies that make the pop-ups that are supposed to give users the opportunity to opt out. Quantcast, Cookiebot, and TrustArc are three of the biggest names in this game.
The researchers at MIT, UCL and Aarhus University believe it's these CMPs that should be the focus of an investigation. "Why do they let their clients count scrolling as consent or bury the 'decline' button somewhere on the third page?" Midas Nouwens, the lead author, told TechCrunch. "Since enforcement agencies have limited resources, focusing on the popular consent pop-up providers could be a much more effective strategy than targeting individual websites."
How do you feel about GDPR? Has it changed your browsing habits? How many of you willingly give consent to cookies and data tracking online? Share your stories with us.