Consent management platforms (CMPs) are a key part of many companies’ GDPR compliance efforts but according to a new study conducted by researchers at MIT, UCL and Aarhus University they are falling short.

Using a scraper, the researchers looked at the designs used by the five most widely-used CMPs on Alexa’s 10,000 websites in the UK and they found that “dark patterns and implied consent are ubiquitous”. Numerically, just 11.8% of the designs comply with European law based on the following criteria:

  1. Consent must be explicit and provided by an affirmative action, such as clicking on a button.
  2. Accepting all consent options must be as easy as rejecting all consent options.
  3. Consent must not be automatically selected for non-necessary purposes or vendors.

All told, on sites using the CMPs, nearly a third had implicit consent based on actions such as navigating within a site or refreshing the page, just over half lacked a “reject all” button and even more (56%) pre-checked checkboxes consenting to optional purposes and vendors.

In addition to evaluating CMPs based on scraped data, the researchers conducted an experiment involving 40 individuals that evaluated how eight different CMP designs performed. The most important finding was that the lack of a “reject all” button visible on the first page and the display of a list of bulk options before granular options made it more likely for users to give consent. This, according to the researchers, violates the GDPR principle requiring consent to be “freely given” and is problematic given that these design patterns are commonplace.

CMPs could become a GDPR enforcement target

Given that CMPs are supposed to help organizations comply with the GDPR, the fact that they are apparently woefully failing to do so raises an obvious question: why?

The researchers suggest it’s possible that sites might be configuring the CMPs in a non-compliant manner, sites might be failing to update their long-used CMPs in accordance with the GDPR, or the CMP vendors themselves might be turning a blind eye to or even encouraging non-compliance.

To date, enforcement of the GDPR has focused on a number of high-profile incidents. While enforcement actions like the ICO’s £183m British Airways fine make it clear that the the GDPR isn’t toothless, the MIT, UCL and Aarhus University study, along with other research it cites, also suggests that many of the practices the GDPR was supposed to put an end to are still common.

One likely reason for this is that regulators simply don’t have enough bandwidth to take action against every company that utilizes implied consent, automatically checks a checkbox non-necessary vendor, etc.

But because roughly 1,200 of the top 10,000 sites in the UK use one of five top CMPs, the MIT, UCL and Aarhus University researchers raise the possibility that regulators could target CMPs and force them to only use compliant designs. They state that “such enforcement may be possible as the Court of Justice indicates that plugin system designers can be ‘joint controllers’ along with websites…and the UK’s ICO indicates it may be willing to force advertising trade bodies to alter their standards.”

So what should organizations using CMPs do?

While they might find some relief in the knowledge that non-compliance appears to be widespread and CMPs might be an easier target for the agencies tasked with GDPR enforcement, they should also remember that their compliance responsibilities under the GDPR don’t simply disappear because they use a CMP that directly or indirectly facilitates or encourages non-compliance.

With this in mind, it behooves organizations to ensure that their collection and use of user data is legitimate and defensible even if their CMP isn’t up to snuff.