Study Reveals Shortcomings in Website Consent Revocation Practices


Quick take - A recent study found that many major websites fail to adequately comply with GDPR requirements for consent revocation, revealing significant issues such as complicated revocation processes, retention of cookies after consent is revoked, and lack of communication with third parties regarding consent changes.

Fast Facts

  • A study found that many major websites fail to comply with GDPR requirements for consent revocation, with nearly 20% complicating the process.
  • 20.5% of sites require more effort to revoke consent than to give it, and 2.48% do not offer any option for revocation, violating GDPR mandates.
  • 57.5% of websites do not delete cookies after consent is revoked, allowing ongoing data processing without legal basis.
  • The analysis revealed that 74.5% of websites provide revocation options in the same interface as consent, but 19.8% require navigation to a different interface.
  • The study recommends unifying EU requirements for consent revocation and standardizing procedures for consent storage and communication to third parties.

Study Reveals Shortcomings in Consent Revocation on Major Websites

A recent study has highlighted significant shortcomings in how major websites handle consent revocation, a crucial aspect of user data protection under the General Data Protection Regulation (GDPR). The GDPR mandates that websites must allow users to revoke their consent for data processing. The study reveals that many prominent sites fail to meet these legal requirements.

Key Findings

The analysis focused on the top 200 websites and uncovered that nearly 20% (19.87%) complicate the process of revoking consent. Furthermore, 20.5% of these sites require users to exert more effort to revoke consent than to initially provide it. Alarmingly, 2.48% of the websites do not offer any option for consent revocation, constituting a direct violation of GDPR mandates.

The findings indicate that a substantial number of websites (57.5%) do not delete cookies after consent is revoked, allowing ongoing data processing without a legal basis. In a separate analysis of 281 websites utilizing the IAB Europe Transparency and Consent Framework (TCF), 22 websites continued to store positive consent even after users had revoked it. Additionally, on 101 websites, third-party entities that had received consent upon acceptance were not informed of revocation, raising concerns over potential illegal data processing.

Compliance Issues

The research aimed to answer four key questions: whether revocation interfaces are compliant, whether cookies are deleted, how consent is stored, and whether revocation is communicated to third parties. A semi-automated crawler was developed to gather data on user interface elements associated with consent revocation. The analysis showed that 74.5% of the websites provided revocation options within the same interface where consent was initially granted. However, 19.8% required users to navigate to a different interface. Only 5.6% offered a persistent icon or button for revocation that could be accessed with zero steps, while 20.5% necessitated two or more steps, which is deemed non-compliant.

The study also found that websites equipped with Consent Management Platforms (CMPs) exhibited higher compliance rates than those that lacked such systems. However, the prevalence of issues persisted, with 57.5% of websites retaining cookies post-revocation, contravening GDPR stipulations. Moreover, consent strings were frequently not updated after revocation, resulting in discrepancies in consent storage. The study revealed that 74.2% of websites did not communicate consent revocation to third parties through HTTP requests.
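The cookie-retention and stale-consent findings above can be checked on a single site by diffing cookie-jar snapshots taken before consent, after acceptance, and after revocation. The following is an added example, not the study's crawler; the snapshot format, the sample data, and the assumption that the TCF string lives in a cookie named `euconsent-v2` are illustrative.

```javascript
// Constructed sample data: cookie-jar snapshots for one site at three stages.
// Each entry is {name, domain, value}; all names and values are made up.
const SAMPLE = {
  beforeConsent: [
    { name: "session", domain: "shop.example", value: "s1" },
  ],
  afterAccept: [
    { name: "session", domain: "shop.example", value: "s1" },
    { name: "euconsent-v2", domain: "shop.example", value: "CONSENT_ACCEPT_PLACEHOLDER" },
    { name: "_track", domain: "ads.example", value: "u-123" },
    { name: "_ab", domain: "shop.example", value: "variant-b" },
  ],
  afterRevoke: [
    { name: "session", domain: "shop.example", value: "s1" },
    { name: "euconsent-v2", domain: "shop.example", value: "CONSENT_ACCEPT_PLACEHOLDER" },
    { name: "_track", domain: "ads.example", value: "u-123" },
  ],
};

// Cookies are identified by domain plus name.
const key = (c) => `${c.domain}|${c.name}`;

// consentCookieNames: cookies that hold the consent record itself (assumption:
// the site stores its TCF string in a cookie named "euconsent-v2").
function auditRevocation(snap, consentCookieNames = ["euconsent-v2"]) {
  const baseline = new Set(snap.beforeConsent.map(key));
  const revoked = new Map(snap.afterRevoke.map((c) => [key(c), c]));
  const report = { retained: [], deleted: [], staleConsent: [] };

  for (const c of snap.afterAccept) {
    if (baseline.has(key(c))) continue; // existed before any consent was given
    const after = revoked.get(key(c));
    if (consentCookieNames.includes(c.name)) {
      // The consent record may stay, but its value must change on revocation.
      if (after && after.value === c.value) report.staleConsent.push(key(c));
      continue;
    }
    // Set only after acceptance: still present after revocation, or gone?
    (after ? report.retained : report.deleted).push(key(c));
  }
  return report;
}

console.log(auditRevocation(SAMPLE));
```

Entries under `retained` are candidates for review rather than confirmed violations, since a cookie first set after acceptance may still be strictly necessary.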

Recommendations

To address these compliance issues, the research recommends unifying EU requirements for consent revocation interfaces. It also suggests standardizing consent storage procedures and regulating methods for communicating consent changes to third parties. The study emphasizes the critical need for effective communication of consent revocation to prevent unlawful data processing practices.
