Now that we've had the GDPR for a while, studies are starting to emerge around digital consent mechanisms used across the web.
This study takes a look at how consent is handled across 5 of the largest tech businesses, Amazon, Apple, Facebook, Google and Microsoft, taking a particular look at how they deploy assymetric and covert means to lull people into falsely consenting to intrusive tracking.
Two overall distinctions emerge from our empiric analysis: first, only four of the five analysed sites (Amazon, Facebook, Google and Microsoft) make it explicit that users are giving consent to the use of their data in form of a cookie consent banner or a pop-up. Apple required looking for a footer link titled ‘Use of cookies’ in order to access information about collected data and find further links to the opt-out process. Second, not all the sites provide an opt-out option for users that either do not have an account or are not signed in. Specifically, Apple does not offer these options and instead urges users to sign in or create an account in order to set privacy preferences. Of the remaining four, Microsoft and Google allow opting out of targeted advertising through their own consent forms, and Amazon and Facebook only provide a link to three consent intermediaries–the Digital Advertising Alliance5 (for the U.S.), Digital Advertising Alliance of Canada6 and the European Interactive Digital Advertising Alliance7–which provide cookie-based opt-out settings that should span multiple third party websites and data collectors.
I know that in my own work I have often had frustrating conversations with other digital marketers who frequently like to take their lead from what these companies are doing. From this study and observed behaviour in general, it's clear that that is not a good enough approach when wishing to comply with the GDPR.
Considering the empirical results, little evidence has surfaced that suggest the GAFAM web pages were designed with a human-centric perspective to empower users to give their informed consent. On the contrary, the nature of the techniques employed suggest that empowering users is not the main focus of these consent mechanisms. Patterns of coercion that nudge the user towards consenting, strategies of information hiding, covert and confusing interface behavior have been shown to exploit human cognitive weaknesses more than supporting the complex process of consenting to a multitude of data collection and utilization.
It remains to be seen whether the regulatory bodies who are supposed to be enforcing the GDPR will be able to do anything about these flagrant abuses of the law.