Data Protection Commission, Ireland

In August 2019, the Data Protection Commission (DPC) commenced an examination of the use of cookies and similar technologies on a selection of websites across a range of sectors. They chose popular websites operated by some of the most well-known organisations across these sectors. They also included controllers whose use of cookies had come to the attention of the DPC through complaints from members of the public, or through their own observations of how information about cookies and tracking technologies was presented, or appeared to be lacking, on those sites. 97% were found to be non-compliant.

Aarhus University, Denmark, MIT CSAIL, USA, and UCL, UK

In January 2020, Aarhus, MIT & UCL published a report titled Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. They surveyed the designs of the 5 most commonly used third-party CMPs by scraping their varied implementations on the top 10,000 most popular websites in the United Kingdom (UK) and evaluated them against European law and regulatory guidance. They considered that a site is minimally compliant if it has no optional boxes pre-ticked, if rejection is as easy as acceptance, and if consent is explicit. Only 11.8% of sites met these basic requirements.

Privacy Risk Auditor

The Privacy Risk Auditor (PRA) is the International standard for reporting impact from the use of non-consensual cookies. It allows you to check any website and get the results in 90 seconds or less. Hundreds of websites were checked between the months April-June 2020. 92% were found to be non-compliant with the most basic of compliance requirements, i.e., setting non-essential cookies ahead of gaining user consent.