Clicking away consent

Have you ever wondered how that new shirt you’ve been eyeing online suddenly appears as an advertisement on Instagram or Facebook? The answer is simple: cookies.

Chances are if you’ve used the internet recently, whether that be to catch up on the news, look up a recipe, or shop online, you’ve come across a cookie pop-up box. These pop-up boxes that many internet users often routinely accept without second thought, help websites track user activity and personalize their experience. By consenting to cookies, you are giving a website permission to place small text files on your computer or browser that store information about your activity online. Cookies help websites remember your login details, items in your shopping cart, and even tailor ad content based on your browsing history.

But with all of their benefits in enhancing the user experience, cookies can pose several drawbacks when it comes to user privacy and security. Digital privacy is a growing issue globally, as more users are becoming increasingly aware and concerned about how their data is used and protected online. Generally, collecting personal data without a user’s permission is considered a violation of privacy rights. Unlike Europe’s strict cookie regulations, such as the EU’s General Data Protection Regulation, most cookie consent laws in Africa don’t legally require websites to ask permission before tracking users.

In a new study, researchers at Carnegie Mellon University Africa aimed to investigate digital privacy concerns in Africa by analyzing 1,793 popular African websites in 49 countries and reviewing the data protection laws of 37 countries. Their paper was presented at the 2025 ACM COMPASS conference, which focuses on the application of computing for social impact, sustainability, and global development.

Researchers found that 78 percent of the websites they analyzed used cookies and more than half included third-party cookies, which track user data with the use of external advertising or analytics services. Despite the prevalent use of cookies, only 17 percent of these websites included any cookie consent banner or pop-up, with many sites only including an “accept” button but not a “reject” option.

We hope that this study will raise awareness among African lawmakers about how citizens are being deceived to accept terms without proper understanding of the potential implications.

Assane Gueye, Co-Director, The Upanzi Network

Additionally, researchers found that none of the 37 existing African data protection laws contain any website requirements regarding cookie opt-ins; rather, these laws only broadly talk about consent, thereby contributing to tracking practices that are often nonconsensual.

“It’s important to note that cookies are not bad, but it is essential to provide users with clear information regarding the nature of data collected, the purposes for which it is shared, and to obtain their informed consent in accordance with applicable privacy laws,” said first author Joel Musiime, Upanzi Network research associate.

A lack of clear-cut guidance in African data protection legislation creates loopholes regarding consent, making enforcement of the already vague standards even more difficult. For example, how can users assert their privacy rights when there is no legal mandate holding websites to a specific standard? This question is one of many that researchers say point to gaps in Africa’s privacy laws.

Another growing concern the authors note is the use of dark patterns in cookie consent interfaces. Dark patterns are deceptive design elements with the goal of getting as many users to consent to cookies as possible. For example, making the “accept all” button stand out while the “reject all” button is more discrete or hidden is an intentional design choice that takes advantage of a user’s inattention or desire to quickly view content. These deliberate design styles ultimately undermine the principle of informed consent and autonomy when it comes to personal information.

To address these growing concerns, the authors propose multiple recommendations to improve data protection policies. Banning dark patterns, enforcing accountability, strengthening current data protection laws, enhancing transparency, and raising public awareness are steps that need to be taken to build a more privacy-conscious web environment.

“We hope that this study will raise awareness among African lawmakers about how citizens are being deceived to accept terms without proper understanding of the potential implications,” said Assane Gueye, co-director of the Upanzi Network and one of the study’s co-authors. “We wish that African data protection laws will soon be updated to better address the issue of consent with cookies.”

Other CMU-Africa collaborators on the ACM paper include Nana Ama Atombo-Sackey, Upanzi Network research associate; Lenah Chacha, Upanzi Network lab manager; and Trevor Chiboora, Upanzi Network research engineer.