Just 11.8% of the content management platforms (CMPs) deployed by United Kingdom websites to seek user consent and offer tracking controls meet minimum legal requirements under the General Data Protection Regulation (GDPR).
Many websites use CMP to request consent for cookie tracking.
To collect data for their "Dark Patterns after the GDPR" study, the researchers removed the top 10,000 United Kingdom websites ranked by Alexa in an effort to learn more about the most popular CMPs in the market.
Among the most widely-used CMPs, researchers with Cornell University found that implied consent is universal, as well as dark patterns that guide people into desired behaviour. We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law.
The study was conducted by researchers from University College London, MIT, and Aarhus University and it is called "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence".
As part of the study, researchers scraped the designs of the five most popular CMPs across the top 10,000 websites in the UK.
"Enforcement in this area is sorely lacking".
The researchers said they intend their findings to be used as the basis for enforcement by European Union data protection authorities, which they argue is the only way CMPs can be made to comply with the law.
The EU law states that consent for data collection must be informed, specific, and freely given. The rules say consent must be explicit. Offering pre-ticked boxes that require a user to opt-out is not legal, the online publication Rude Baguette has cited the legislation.
The researchers also found that CMPs make rejecting all tracking - which includes cookies and other techniques like browser and device fingerprinting that Firefox-maker Mozilla is trying to block by default - "substantially more hard than accepting it".
Browser makers including Mozilla, Microsoft and Apple are working on tools that automatically block cookies from tracking users' activities across the web.
The new research found that in the median, websites shared data with 315 third-party vendors for tracking purposes.
Just over half of websites in the survey don't even offer a "reject all" button and only 12.6% of sites have a "reject all" button that is just as easy to access as the "accept all" button, for example, by placing both options on the same page.
"The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to - or worse, incentivising - clearly illegal configurations of their systems", the researchers concluded.