Considering that for most banners the "consent" is the easy option I assume a lot. People want to get rid of the banners.
However I claim the point of the bad UX is to make users angry and then have them complain about EU etc. "demanding" those. In order to weaken the regulation of tracking. If they are successful (and they are making progress) "no more cookie banners" is a lot better headlines than "more tracking"
The failure of the EU was to not write into (an updated version of the law) that setting a specific HTTP header means "no", and "no" means "no" not "show me a popup to ask" (i.e. showing a popup in such cases would not be allowed).
It wouldn't matter because most of the consent flows you see are already not compliant. The problem is a perpetual lack of enforcement even for the blatant breaches. An HTTP header wouldn't change the situation, websites would still ignore it and still get away with it.
The consent flows are good enough that the companies selling them can claim that they're compliant, and enforcement is slow, partly because there are so many things that are not 100% clear.
The header would be a relatively clear cut situation, also opening the path to private enforcement via NOYB & Co.
A mandatory header would get implemented on sites that even halfway try to comply, and it would be extra easy to enforce on fully malicious sites. I think it would be useful.
No, they're directly in violation. This is fully settled; it's just that some companies are counting on it not being "the thing that gets an enforcement action".
How is ease of opt out versus opt in objectively measured?
Most of the time both options are presented clearly and within a few pixels from each other, but opt-in is usually slightly more eye catching and/or more appealing. But the effort in terms of distance for mouse movement or number of clicks is the same. While that’s a design trick that will improve % of opt-in, how can it be argued that the opt-out was not as “easy”?
It is very common for there to be "accept all" and "more options" buttons where rejecting all requires multiple clicks via the latter. The sites which havea "Reject all" button right next to the "Accept all" one that's the same size and such aren't flagrantly violating the law.
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
> ... It shall be as easy to withdraw as to give consent.
Your example does appear muddy, but I also doubt any enforcement targetting such sites.
What however is extremely common is an "Accept all" vs "Manage settings" which opens up another panel, where there is still no "Reject all" option, and only various settings where you can "Save choices" which might or might not default to what you want. Such cases are obviously blatant rule violations, both in amount of clicks and obfuscation of consent.
In recent pop-ups, you are technically opted out by default(or at least that is how it is presented, I have not actually checked their cookie activity).
It is two clicks to confirm that choice and dismiss the pop-up versus one to accept all cookies but if you choose to interact with the site and ignore the pop-up instead, you are supposedly non-essential cookie free by default.
I have been on a call with a CMP where they got mad at me for not resetting our user's preferences and because our 'do not accept' was high due to the fact i refused to de-promote it via a dark pattern. I kid you not.
fwiw; looking at our stats for the past year:
No consent: 40.8%
Full Consent: 31%
Just closed the damn window: 28.1%
Went through the nightmare selector: 0.07%
Most of the sites use dark patterns in the banners, from not presenting decline option to hiding and renaming it to be unrecognizable. For example I make an effort in always picking Decline All option if available and the practice shows that I click on Allow All in about 20-30% of all banners, because it was impossible to avoid. So I safely assume that general population clicks Allow All even more.
Exactly, it is defined in the GDPR law that declining should be as easy and accessible as accepting. So all of those companies with dark patterns are breaking the law.
It's always those awful websites with a million popups, adverts, sites that reflow after 10 seconds, etc. They would be horrible to use even without the cookie banners.
I know some sites use dark patterns in their cookie banners, which I consider to be a helpful hint that the company doesn't respect the users.