Despite the introduction of GDPR, the majority of websites have dark designs on your personal data. Whether it is outright failure to recognise your explicit consent for data collection or tricky interfaces that nudge you towards choices you are not comfortable with, this is an internet-wide problem.
There are Buzzfeed quizzes on everything from "what Disney princess are you?" to "pick your pizza toppings and we'll guess your age"; there really should be one on "choose your online consent strategy and we'll tell you what Friends character you are". Apparently, we all fall into one of four types when faced with a pop-up asking us to choose how our personal data is collected and processed.
Think back on recent consent management pop-ups you have navigated, and you will most likely have come across several offenders
Are you a Joey: “always accept” (goodbye pop-ups, hello sandwiches), a Monica: “always reject” (rules control the fun!), a Ross: “mostly reject” (you have to be able to pivot), or a Chandler: “mixed response” (could there be any more pop-ups)?
Since GDPR – the General Data Protection Regulation – came into effect on May 25th, 2018, we have all experienced the Consent Management Platform (CMP) pop-up, which is required by law within the EU if a website plans to use your personal data for anything other than what is strictly necessary to provide its service, ie, sharing with third parties such as adtech companies.
Worryingly, new research from the Massachusetts Institute of Technology (MIT), University College London (UCL), and Aarhus University in Denmark (Nouwens et al. 2020) has found that only 11.8 per cent of websites are meeting the minimal requirements for collecting user consent as set out by European law.
These minimal requirements are threefold: consent must be explicit, eg requiring the user to click on a button; accepting all choices should be as easy as rejecting all choices; the boxes shouldn’t be pre-ticked because it’s tipping the odds in the company’s favour. All the Joeys out there will leave them ticked for an easier life.
Illusion
Think back on recent consent management pop-ups you have navigated, and you will most likely have come across several offenders. While they offer the illusion of consent, it isn’t consent as defined by the GDPR. The study found that one third of all websites were implementing implicit consent, meaning that the act of merely visiting a website or navigating within it is a proxy for consent.
Similarly, refreshing the webpage or revisiting a website was taken for consent by over 7 per cent of companies. And if you thought closing a pop-up or banner would make all this GDPR stuff go away, think again, because a small percentage of companies are using this interaction as an indication of consent.
And if, like me, you aspire to being a Monica and reject all third-party tracking, this is something the vast majority of CMPs make significantly more difficult than accepting all tracking. In fact, half of all the sites analysed in the study didn’t even have a “‘reject all” button and only 12.6 per cent had a “reject all” button that is as accessible as the “accept all” alternative.
When we talk about lack of accessibility, we mean the process of encouraging consent by design – or what is known as “dark design”: when these pop-ups and banners make “accept all” buttons significantly larger than “reject all” or force you to click through to another pop-up or even open another window to reject all tracking, this forces the end user to jump through hoops to access a website on their terms.
Imagine you are patient enough to click through these layers to provide consent but you are curious about what third parties are working with the website. Beyond the usual suspects – Google and Facebook – you might want to see who is collecting and processing your data and for what purposes. The majority of websites do list these third parties and provide descriptions of what they may do with your personal data, but good luck to anyone who wants to familiarise themselves with this.
The study authors explain: “The mean total length of these descriptions per site is 7,985 words: roughly 31.9 minutes of reading for the average 250 words-per-minute reader, not counting interaction time to, for example, unfold collapsed boxes or navigating to and reading specific privacy policies of a vendor.”
Realistically no-one is going to read through these. So, how is an individual expected to give truly informed consent in the face of such dark designs that nudge the end user towards preferred behaviours of the website owner or third-party advertisers?
If websites cannot or will not adhere to the GDPR consent requirements around collection and processing of users’ personal data, perhaps they should be forced to by way of EU approved and regulated third-party CMP services.
Until then we must resist the Chandler mindset of consent fatigue and pivot when necessary.