• by Ray Schultz , Columnist, January 14, 2020

There has been a rash of news about GDPR in recent days, and some of it is contradictory. 

For instance, data authorities in the European Economic Area (EEA) imposed 190 fines with a combined penalty of €410,000,000, the Italian organization Federprivacy reports.

In sheer number of actions, Italy was first with 30. But the UK doled out the biggest financial sanctions — €312,000,000 or 76% of the total.      

Yet two massive fines meted out by the UK Information Commissioner's Office for data breaches -- £183 million against British Airway sand £99 million against Marriott — have “been kicked into the long grass,” The Register writes.

What accounts for this failure to collect? The regulatory process has been extended to March.

”When the ICO announces a "notice of intent" to fine companies, this is not the same thing as actually handing out the penalty,” The Register wryly notes.

Meanwhile, Ireland and Luxembourg — home to the head offices of most foreign corporations processing data on the mass scale — have imposed no penalties, according to Federprivacy.

In perhaps the most disturbing piece of news, a study from scholars at MIT reveals that cookie consent management platforms (CMPs) are letting down the public.

Only 11.8% meet even the minimal requirements of European law, according to the authors. Instead, “dark patterns and implied consent are ubiquitous,” they say.

The researchers scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK.

They state that “a site is minimally compliant if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit.”

But only 12.6% of sites studied had a 'reject all' button requiring the same or fewer number of clicks as an 'accept all' button.”

The “accept all” buttons were never buried in a second layer, but 74.3% of reject all buttons were one layer deep, meaning that the person had to click twice. And almost 10% were two layers away.

This renders them “effectively ignored,” the paper argues. Worse, over half of the sites had no “reject all” button at all.

Another issue is the use of “cookie walls,” where the consumer must consent to cookies to even access a website. 

Many authorities say the practice is illegal, but “the issue remains unclear and the final conclusion will regardless be subject to the “glacial flow” of the draft ePrivacy Regulation through the EU’s legislative process

The authors conclude that consent can only be valid “if a compact but representative and rich description can be placed on the first layer.” But that option is probably not be popular with many companies.

An alternative would be to “overhaul the design pattern of the consent banner or barrier, and have richer, more durable ways to set preferences, potentially within the browser.”

These browser settings would be “legally binding, rather than weak and self-regulatory in nature,” they add. 

Maybe so. But it’s a sad commentary that the foundation of the GDPR — consent — is still not being observed by all parties almost two years in.