Google is to restrict the number of advertising cookies on websites accessed via its Chrome browser, in response to calls for greater privacy controls.
It said that it would phase out third-party cookies within the next two years.
Cookies are small text files that are used to track users across the web.
Justin Schuh, Google's director of Chrome engineering, said in a blogpost: "Users are demanding greater privacy - including transparency, choice and control over how their data is used - and it's clear the web ecosystem needs to evolve to meet these increasing demands."
Third-party cookies, which follow users from site to site tracing their browsing habits, have also been banned by Apple, Microsoft and Mozilla.
Websites will still be able to use their own first-party cookies to track users.
The move comes as Ireland's data protection authority investigates Google's online advertising business and the practice of real-time bidding for online ads.
'Dark design' tricks
Researchers analysed five companies which offer consent management platforms (CMP) for cookies used by the UK's top 10,000 websites.
Despite EU privacy laws stating that consent for cookies must be informed, specific and freely given, the research suggests that only 11.8% of the sites met the minimal requirements of GDPR (General Data Protection Regulation) law.
Instead they were found to blanket data consent options in complicated site design, such as:
- pre-ticked boxes
- "burying" decline buttons on later pages
- multiple clicks
- tracking users before consent and after pressing "reject"
Just over half the sites studied did not have "rejecting all" tracking as an option.
Of the sites which did, only 12.6% made it accessible through the same or fewer clicks as the option to "accept all".
Quantcast, the largest company analysed, typically asks for permission to share data with 542 different companies, explains study co-author Michael Veale, from UCL.
In response, the firm told the BBC: "Our default recommended settings grant equal prominence to the 'I Accept' and 'I Do Not Accept' buttons, and do not pre-select choices for any data processing purposes. While we strongly encourage that these defaults are used, website owners ultimately retain control over the customisation and presentation of their properties."
Crownpeak, another CMP provider, said that its default configuration was also set up to enforce prior consent.
The researchers estimate it would take, on average, more than half an hour to read through what the third-party companies are doing with your data, and even longer to read all their privacy policies.
"It's a joke and there's no actual way you could do this realistically," said Dr Veale.
"Consent should always have been a clear positive action, laws on tracking have been unenforced for a decade and the result is regulators not knowing where to start to cope with the scale of the widespread illegality."
When the GDPR came into force in 2018, it "hugely upped enforcement powers and clarified what 'consent' meant, leading many to expect industry to pay close attention", explains Newcastle University law professor Lilian Edwards.
Prof Edwards said there has been "limited effort to enforce the cookie rules" over the last decade and no post-GDPR fines have been made in the UK or Ireland, even though regulators can fine companies up to 4% of their global turnover.
"The problem is that getting large fines through post-GDPR is proving a very long process," she added.
Tracker blockers can be downloaded to protect web users.
Browser extensions such as Privacy Badger, created by digital rights group the Electronic Frontier Foundation, entirely block data trackers.
Part of the study's research team also created Consent-o-matic - a tool which users can programme to remember their consent rejections and apply them to new sites.
But Dr Veale says: "I want to see a web where users don't need to distrust sites in the way they need to now, for personal privacy and computer security."