Companies Use ‘Dark Patterns’ to Mislead Users About Privacy Law, Study Shows

Passed in May of 2018, Europe’s General Data Protection Regulation (GDPR) was supposed to usher in a new age of consumer privacy transparency and protection across Europe. Instead, researchers say companies have been tap dancing around the law with little to no meaningful enforcement by European Union member countries and regulators.

A new joint study by researchers at MIT, UCL, and Aarhus University found that websites in the EU not only aren’t adhering to the law, many are using required privacy alerts to mislead users.

Under the GDPR, websites operating in Europe must let users opt out of cookie tracking and other surveillance via very clear on-screen notifications. Those notifications are handled and remembered via CMPs (consent management platforms)—systems dominated by five companies: QuantCast, OneTrust, Cookiebot, TrustArc, and Crownpeak.

But the new study, dubbed “Dark Patterns after the GDPR,” found that very few companies are actually adhering to the law. Worse, they’re designing their notification systems in such a way as to intentionally trick users into more data surveillance.

Researchers found that 32.5 percent of the EU websites studied in the survey use something called “implied consent”—which assumes you agree to being tracked if you don’t take a specific action (like clicking on an opt-out banner within a certain time frame). Such practices are generally forbidden under the law, which requires clear, opt-in consent to data tracking.

The researchers also found that numerous companies use “dark pattern” GUI designs in their privacy notification systems, which are specifically intended to trick users into signing up for more data tracking than they might otherwise want (there are some examples of this here).

“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” the researchers said. “We found that dark patterns and implied consent are ubiquitous; only 11.8 percent meet the minimal requirements that we set based on European law.”

A lack of meaningful GDPR enforcement by regulators had already been fairly well established. Eighteen months after the GDPR’s passage, numerous regulators have said they’re frustrated by the lack of meaningful punishment for violators. Outside of a recent €50 million fine against Google, no US companies have been punished for privacy violations under the law.

Neither companies, ad partners, nor CMPs seem keen on shoring up that pathetic 12 percent compliance rate.

“The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to—or worse, incentivising—clearly illegal configurations of their systems,” the researchers said, adding that “enforcement in this area is sorely lacking.”

Last summer, another international study showcased the same problem. Researchers examined 5,000 privacy notifications from an array of companies doing business in Europe—as well as how more than 80,000 consumers interacted with them. They found that time after time, such notifications either don’t work to stop data collection or mislead the end user.

“Given the legal requirements for explicit, informed consent, it is obvious that the vast majority of cookie consent notices are not compliant with European privacy law,” researchers said.

This latest study upped the ante, finding that CMP companies often aid efforts to mislead consumers by designing privacy notification wizards that make rejecting all data tracking “substantially more difficult than accepting it.”

The study found that just 12.6 percent of websites studied had a CMP that easily allowed for opting out of all data tracking, and most CMPs still allow for “implied” consent despite it now being illegal under EU law.

“Popular CMP implementation wizards still allow their clients to choose implied consent, even when they have already indicated the CMP should check whether the visitor’s IP is within the geographical scope of the EU, which should be mutually exclusive,” the study said.

Both last summer’s study and this latest research highlight how a shiny new privacy law is only worth something if it’s consistently enforced, something to keep in mind as the United States ponders what its first meaningful privacy law for the internet era should look like.

Companies Use ‘Dark Patterns’ to Mislead Users About Privacy Law, Study Shows syndicated from https://triviaqaweb.wordpress.com/feed/

Author: shirlleycoyle
