Manipulative Design Patterns in Cookie Consent Notices

The concept of consent within the realm of data privacy is murky at best. Manipulative design patterns and other deceptive practices such as dense, lengthy privacy policies prevent users from truly understanding what their choices and trade-offs are with regards to their data privacy.

Cookie consent notices are just one piece of the data privacy puzzle. But at the same time, they represent “low-hanging fruit” when it comes to privacy reform measures. Browsers like Safari and Firefox have already limited or banned the use of third-party cookies, and Google has claimed it will be following suit for Chrome (though the timeline for this has been delayed several times).

With the introduction of the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA), and subsequent data privacy laws in states like Colorado, Connecticut, Utah, and others, there is potential for more comprehensive consumer privacy protections. As policymakers and other stakeholders attempt to influence state and federal approaches to this issue, a deeper understanding and analysis of these dark patterns is critical.

In this project, I examine the cookie consent workflows of 10 news/media websites. I identify manipulative patterns used in these consent workflows and analyze their implications for user autonomy. I also evaluate these consent workflows for legal compliance.