Research by Dr Veale on UK websites breaching data protection law profiled in BBC News & TechCrunch
15 January 2020
The articles cover the study which shows ~88% of UK websites breach data protection law; and suggests that cookie consent tools are being used to undermine EU laws on privacy.
In new work, Dr Michael Veale (Lecturer in Digital Rights and Regulation at UCL Laws), alongside colleagues from Aarhus University (Midas Nouwens) and MIT (Ilaria Liccardi, David Karger, Lalana Kagal), built a web scraper to automatically analyse the 10,000 most popular websites in the United Kingdom for how their user interface complied with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). They found that among the largest providers of third-party consent management systems — so-called ‘cookie banner’ or ‘pop-ups’ — only 11.8% were configured in minimal compliance with existing statutory requirements and case law.
In a BBC News article published today ('Cookies crumbling as Google phases them out'), Dr Veale commented:
"Consent should always have been a clear positive action, laws on tracking have been unenforced for a decade and the result is regulators not knowing where to start to cope with the scale of the widespread illegality."
Their work has also been profiled in the technology magazine TechCrunch, where Dr Veale noted:
“It’s shocking to see how many of the large providers of consent pop-ups allow their systems to be misconfigured, such as through implicit consent, in ways that clearly infringe data protection law [..] I suspect data protection authorities see this widespread illegality and are not sure exactly where to start. Yet if they do not start enforcing these guidelines, it’s unclear when this widespread illegality will start to stop.”
He added in comments to the magazine that “This study even overestimates compliance, as we don’t focus on what actually happens to the tracking when you click on these buttons, which other recent studies have emphasised in many cases mislead individuals and do nothing at all”.
The research article is available now in pre-print form on arXiv and will appear in the Proceedings of ACM CHI 2020, the top publication in human-computer interaction, later in the year.