The internet could be set for a fresh GDPR nightmare

A new academic study into online consent management platforms has concluded many of them could be flouting GDPR rules.

The study was conducted by a consortium of universities and its findings published under the header: ‘Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence’. We’re all aware of the pop-ups that have, well, popped up since GDPR came into force, requiring us to click ‘I agree’ to cookies and that sort of thing when we first visit a website, and often continually afterwards. But what are we actually agreeing to?

The study appears to have been conducted to address how much information people are supplied with when asked for their consent, as well as the matter of presumed consent – i.e. opt-out as opposed to opt-in. In many cases this process is managed by third-party consent management platforms (CMPs), and that’s what the study focused on.

“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” says the abstract to the report. “We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices.

“We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.”

So, at its simplest, the study is saying the vast majority of CMPs flout European law and thus expose their users to enforcement action. You can download the full report through the abstract link above, but if you don’t feel like sifting through the typically opaque academic writing, TechCrunch has done a great job of decoding it here.

GDPR compliance was always a minefield and the only surprise is that enforcement action has been so muted so far. That could be set to change with studies like this, however, as such widespread transgression can surely not be allowed to go unchallenged. On the other hand, the GDPR people could end up deciding the current rules are too strict and unworkable, but that’s not likely.
