Two Worlds Apart! Closing the Gap Between Regulating EU Consent and User Studies

Nataliia Bielova, Cristiana Santos, Colin M. Gray

In May 2018 the EU General Data Protection Regulation (GDPR) came in force and provided a number of requirements for online systems that process personal data of its users. To control online tracking, the EU ePrivacy Directive requires a valid consent before reading or writing cookies or other tracking technologies in users’ Web browsers. GDPR has set high-level requirements for such consent to be valid, thus leaving a lot of space for various interpretations of the law in practice. Translation from high-level legal requirements into concrete low-level technical requirements is far from straightforward, especially in case of valid consent for Web applications and requires multidisciplinary effort of law and computer science experts (Santos et al. 2020). Moreover, since the law gave space for interpretation, the design space for cookie banners interfaces became enormous. This situation gave rise to the use of manipulative tactics in UX/UI commonly known as “dark patterns” (Gray et al. 2018, Nouwens et al. 2020, Gray et al. 2021) that influence users’ decision making and may violate the GDPR requirement of free and unambiguous consent.

In this paper, we provide an analysis of the gap between law and technology in the usage of dark patterns in cookie banners. We start with the discussion of the latest interpretations of the law by surveying the official guidelines of the EU Data Protection Board (EDPB) and EU Data Protection Authorities (DPAs) and how they enforce the law in practice on the example of cookie banners and usage of dark patterns. Then, we explore latest research results on informing the policy makers in the area of online tracking and cookie banners. In particular, we survey numerous user studies that should enlighten the enforcement agencies about the impact of dark patters on the user’s decision making and how such patterns potentially violate the EU Data Protection Law. We further discuss how computer science, social science, design and law research could help enforcement agencies to close the gap between law and technology and what type of research studies are further needed.