Analysis of a Consent Management Specification and Prototype Under the GDPR

Consent requests for the processing of personal information are ubiquitous for users of web services across the European Union (EU). However, their form and contents differ greatly, and often include deceptive design patterns (so-called dark patterns) meant to influence users' choices. In this paper, we provide the results of a research project to define a new specification that can be used to handle consent requests based on cookies in a standardized and GDPR-compliant manner. We define and evaluate a set of requirements for consent management systems and we illustrate the advantage of our proposed specification to the state of the art based on a prototype implementation and evaluation. Based on a small usability study, we found our solution to reduce the necessary interactions with respect to consenting, consent withdrawal, and consent configuration by far.