Companies Use 'Dark Patterns' to Mislead Users About Privacy Law, Study Shows

A shiny new privacy law is only worth something if lawmakers and regulators are willing to actually enforce it.
Image: Getty Images

Passed in May of 2018, Europe’s General Data Protection Regulation (GDPR) was supposed to usher in a new age of consumer privacy transparency and protection across Europe. Instead, researchers say companies have been tap dancing around the law with little to no meaningful enforcement by European Union member countries and regulators.

A new joint study by researchers at MIT, UCL, and Aarhus University found that websites in the EU not only aren’t adhering to the law, many are using required privacy alerts to mislead users. Under the GDPR, websites operating in Europe must let users opt out of cookie tracking and other surveillance via very clear on-screen notifications. Those notifications are handled and remembered via CMPs (consent management platforms)—systems dominated by five companies: QuantCast, OneTrust, Cookiebot, TrustArc, and Crownpeak.


But the new study, dubbed “Dark Patterns after the GDPR,” found that very few companies are actually adhering to the law. Worse, they’re designing their notification systems in such a way as to intentionally trick users into more data surveillance.

Researchers found that 32.5 percent of the EU websites studied in the survey use something called “implied consent”—which assumes you agree to being tracked if you don’t take a specific action (like click on an opt out banner within a certain time frame). Such practices are generally forbidden under the law, which requires clear, opt-in consent to data tracking. The researchers also found that numerous companies use “dark pattern” GUI designs in their privacy notification systems, which are specifically intended to trick users into signing up for more data tracking than they might otherwise want (there’s some examples of this here).

“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” the researchers said. “We found that dark patterns and implied consent are ubiquitous; only 11.8 percent meet the minimal requirements that we set based on European law.” A lack of meaningful GDPR enforcement by regulators had already been fairly well established. Eighteen months after the GDPR’s passage, numerous regulators have said they’re frustrated by the lack of meaningful punishment for violators. Outside of a recent €50 million fine against Google, no US companies have been punished for privacy violations under the law. Neither companies, ad partners, nor CMPs seem keen on shoring up that pathetic 12 percent compliance rate. “The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to — or worse, incentivising—clearly illegal configurations of their systems,” the researchers said, adding that “enforcement in this area is sorely lacking.” Last summer, another international study showcased the same problem. Researchers examined 5,000 privacy notifications from an array of companies doing business in Europe—as well as how more than 80,000 consumers interacted with them. They found that time after time, such
notifications either don’t work to stop data collection, or misled the end user. “Given the legal requirements for explicit, informed consent, it is obvious that the vast majority of cookie consent notices are not compliant with European privacy law,” researchers said. This latest study upped the ante, finding that CMP companies often aid efforts to mislead consumers by designing privacy notification wizards that make rejecting all data tracking “substantially more difficult than accepting it.”

The study found that just 12.6 percent of websites studied had a CMP that easily allowed for opting out of all data tracking, and most CMPs still allow for “implied” consent despite it now being illegal under EU law.

“Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive,” the study said.

Both last summer’s study and this latest research highlight how a shiny new privacy law is only worth something if it’s consistently enforced, something to keep in mind as the United States ponders what its first meaningful privacy law for the internet era should look like.