Pop-ups asking us for our consent to website cookies have increased since GDPR came into force. However, a new study shows that many of these pop-ups could actually still be in breach of GDPR.

The study, titled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, focuses on the requirement for informed consent. According to an article from Telecoms.com:

The issue this study seems to have been conducted to address concerns how much information people are supplied with when asked for their consent, as well as the matter of presumed consent – i.e. opt-out as opposed to opt-in. In many cases this process is managed by third party consent management platforms (CMP), and that’s what the study focused on.


“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” says the abstract to the report. “We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices.


“We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.”


In short, the study found that in the majority of cases people are not given enough information to give their consent. If consent is not sufficiently informed, it does not meet the standard GDPR requires.

In fact, GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Pop-ups relating to website cookies and other elements that do not meet these criteria are not GDPR compliant, which puts the websites and companies behind them at risk of being penalised.

Unsure of how consent or other lawful bases for storing and processing data under GDPR work? Want to improve your compliance programme? Contact us today; our GDPR consultants can provide expert advice.