According to EU law, consent for data collection must be informed, specific, and freely given. Consent cannot be passive or inferred; for example, closing a pop-up without interacting with it does not count as giving consent. Additionally, pre-ticked boxes that require users to opt-out are not compliant, according to the online publication Rude Baguette.

A study by researchers from University College London, MIT, and Aarhus University titled ‘Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence’ has found that only about one in ten of the most commonly used Consent Management Platforms (CMPs) meet these legal requirements.

Implementation wizards for CMPs still permit clients to opt for implied consent. Many platforms provide an ‘accept all’ option that is far more prominent and accessible than the corresponding ‘reject all’ button, making it difficult for users to decline. The study notes that ‘74.3% of reject all buttons were one layer deep, requiring two clicks; only 0.9% were two layers away, needing at least three clicks.’

Furthermore, the numerous third-party trackers employed by websites can make it challenging for users to become sufficiently informed to provide legal consent promptly. Some sites use cookies from over 500 different third-party vendors.