EU law mandates that consent for data collection must be informed, specific, and freely given. Consent should also be active; merely closing a pop-up window without any response does not suffice. The online publication Rude Baguette reported on this legislation.
A study by researchers from University College London, MIT, and Aarhus University, titled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, revealed that only about one in ten of the most common Consent Management Platforms (CMPs) meet these requirements.
CMP wizards still permit users to opt in by default, with many platforms providing an ‘accept all’ option that is far more prominent and easier to access than the corresponding ‘reject all’ button. The researchers noted that “74.3% of reject all buttons were one layer deep, requiring two clicks to press; 0.9% of them were two layers away, requiring at minimum three.”
Additionally, the extensive use of third-party trackers on websites can make it challenging for users to become properly informed and provide legal consent. Some sites employ cookies from more than 500 different third-party vendors.
