The Rise of Consent Rate Optimization, a New Discipline in Website Optimization

Dennis van der Heijden
May 25, 2020

Have you ever been tricked into agreeing to sneaky clauses in online legal agreements just because you don’t read the small print on the internet?

Me too.

I feel pressured into clicking buttons like “Accept all” when there’s an article I want to read and the user interface of the consent option is so poorly designed it leaves me no other choice.

This has been the reality of consent pop-ups since May 2018 when the GDPR was enforced in Europe. Since then, the rest of the world has been doing their best (or their worst) to get cookies on all my devices that have internet connectivity.

Such resistance from users is becoming more and more common and new laws are created to fight it.

This is why I’m proposing a new set of standards and designs, complementary to existing Consent Management Platforms, to help legislators and website owners bring trust and fair business practices back to the web.

Right now users pick short-term benefits over long-term privacy issues, because dark pattern designs influence their decisions. I think a granular consent optimization management system, where consent is gained in time, would be a better alternative to the “all or nothing” approach tools offer now.

(By the way, if you’re more of a visual person, make sure you check out the video I recorded for you — it’s at the end of this post.)

Dark Consent Patterns in the Post GDPR Era

A recent study called “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” analyzes five of the most popular Consent Management Platforms (CMPs) that account for ~58% of the market share: QuantCast, OneTrust, TrustArc, Cookiebot, and Crownpeak.

The researchers scraped the top 10,000 websites in the UK and found that dark patterns and implied consent are ubiquitous. Only 11.8% of them meet the minimal requirements set by European laws.

UpSet diagram of sites by adherence to the three core conditions of the EU law. Sites meeting all three conditions are in green.

This study brings forward an interesting idea. Providing standards and designs to authorities to disseminate at national levels can increase the use of the more granular opt-in controls.

Even though users are likely checking “Accept all” boxes willingly, it does not mean they don’t want to improve and respect privacy issues. While being hunted all over the web by intent ads based on online activities can be useful, it can also be quite a harrowing experience.

The ePrivacy Directive, the law applied in Europe that deals with cookies, placement of information (LocalStorage), and fingerprinting, is moving towards consent.

With GDPR, “granular consent” is defined as follows:

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

I think it’s time the rest of the world followed the lead.

Such all-encompassing consent is not required for essential functions, such as remembering a login status, a shopping cart action, or collecting cookies for data security required by law.

With the upcoming ePrivacy Regulations, it seems this will extend to analytics and optimization exclusions (at least according to the latest draft from Nov 8, 2019).

Evil Brands or Optimization to the Extreme?

The same study I mentioned above also found that notification style banners (or barriers) have no effect.

Removing the opt-out button from the first page increases consent by 22–23 percentage points. Providing more granular controls on the first page decreases consent by 8–20 percentage points.

The three components of the QuantCast CMP on

Here’s an example from The consent box shows a very obvious “Accept all” option.

Many websites use these types of designs that make accepting their privacy & security notices easy. Using green for accepting the terms and grey links or ghost buttons for the other options is a very common practice.

This is the type of Consent Rate Optimization that, in my opinion, uses dark patterns.

It takes advantage of the visitors’ “difficulty understanding how to make meaningful decisions about their privacy preferences”. Even in situations where they realize the implications of their decisions, they prefer short-term benefits over long-term privacy as the study rightly points out.

I’m frustrated with the industry taking privacy so lightly. I’m disappointed in myself for accepting conditions in bulk. I think we can all do better.

A solid CMP should work like a drip campaign, like the ones used before GDPR in cold email outreach or trial nurturing campaigns. It’s a way of building trust and asking for something in return. For example, download my PDF and I’ll send you an email with it attached. It is something you expect from me and that I deliver. In the email, I might also invite you to take one more step, like getting another piece of content. It’s imperative though that each new step is consensual on both sides and neither party breaks the mutual trust that is established over time.

I fully believe this is what we should focus on in 2020 and beyond, and not on how to hack browsers’ ITP/ETP or use dark patterns for consent.

I believe the future belongs to new privacy formats like the ones below.

1. This Privacy “Nutrition Label” or standardized table proposed by Gage Kelley et al.

2. This simplified version of the privacy label, from the same study.

3. This “Privacy Policy Options” pattern for Modifiable Privacy Policy Statements and Capturing End-User’s Preferences from a study on “Pattern-based incorporation of privacy preferences into privacy policies: negotiating the conflicting needs of service providers and end-users”.

4. Privee: An Architecture for Automatically Analyzing Web Privacy Policies by Sebastian Zimmeck and Steven M. Bellovin.


5. Robert W. Reeder’s interactive matrix visualization called Expandable Grid which shows a color-coded overview of a policy that can be expanded for more details.

6. The Platform for Privacy Preferences (P3P)’s automated efforts in presenting a readable overview.

I’ll Fund You

Got through this entire post?

Good, it means we’re on the same page.

If you didn’t, how about checking this video I recorded for you yesterday?

If you’d like to continue this conversation, let’s connect on LinkedIn (let me know you’re coming from this post to discuss consent rate optimization practices).

If you’re someone who researches the best design principles for consent, I want to hear from you. To show my commitment and full support, I will fund your project.

I’m particularly interested in open source projects that are proposing layers of consent design and standards. I’m willing to fund these initiatives if they are proven to increase consent percentages and the understanding of the users’ choices.

For the benefit of the users, we should focus on allowing businesses to build trust and validate consent in time, and stop dark patterns once and for all.

Send me your articles based on recent papers on our blog (I’ll even pay for those) and overviews of proper design principles of consent forms.

We can make the world more privacy conscious. Convert will help. I will help.

Originally published May 25, 2020 - Updated July 17, 2024
Dennis van der Heijden Co-founder & CEO of Convert, passionate community builder and out-of-the-box thinker. 
Carmen Apostu In her role as Head of Content at Convert, Carmen is dedicated to delivering top-notch content that people can’t help but read through. Connect with Carmen on LinkedIn for any inquiries or requests.
