https://www.vice.com/en_us/article/g5xg74/companies-use-dark-patterns-to-mislead-users-about-privacy-law-study-shows

Passed in May of 2018, Europe’s General Data Protection Regulation (GDPR) was supposed to usher in a new age of consumer privacy transparency and protection across Europe. Instead, researchers say companies have been tap dancing around the law with little to no meaningful enforcement by European Union member countries and regulators.

A new joint study by researchers at MIT, UCL, and Aarhus University found that websites in the EU not only aren’t adhering to the law, many are using required privacy alerts to mislead users. Under the GDPR, websites operating in Europe must let users opt out of cookie tracking and other surveillance via very clear on-screen notifications. Those notifications are handled and remembered via CMPs (consent management platforms)—systems dominated by five companies: QuantCast, OneTrust, Cookiebot, TrustArc, and Crownpeak.