On May 31, 2021, Max Schrems’ privacy organization, noyb (or “none of your business”), made over 500 complaints to companies related to what the organization called their “unlawful cookie banners.” Using automated scanning programs, noyb searched commonly used European websites and analyzed the cookie options provided on certain of these websites. noyb claims that it identified “more than fifteen common abuses” of cookie consent management, with some of the most prevalent “violations” identified as follows:

  • No reject option on the first layer;
  • Link instead of button to reject;
  • Deceptive button contrast;
  • Deceptive button color;
  • Pre-ticked choices;
  • Reliance on legitimate interest; and
  • Inappropriate categorization of cookies as “essential.”

noyb noted that the most prevalent “violation” was websites not making it as easy to withdraw consent as it was to provide consent.

noyb issued draft complaints on behalf of as-yet-unidentified users to companies, demanding that they address the “violations” identified in the draft complaint within a one-month “grace period”; otherwise, it will file a formal complaint with the relevant data protection authority(ies) for investigation. Overall, noyb appears to be using the complaints to provoke companies to change what it deems to be coercive or deceptive cookie banners and choices, on the basis that certain color schemes or presentations might lead to more users clicking “accept”; noyb’s position is that such practices should be viewed as a violation of the GDPR.

noyb has stated that it is seeking to expand this effort to run analyses on, and prepare complaints against, the 10,000 most visited websites in Europe over the course of the year. With this in mind, companies with websites aimed at European users should take steps now to review their cookie management solutions and any risk-based decisions made in the rollout of such solutions to prepare for complaints from noyb.

The draft complaints include details of what actions (in noyb’s view) should be taken by the receiving company in order to comply with the requirements of the GDPR and the ePrivacy Directive (Directive 2002/58/EC). However, if companies decide to take action and modify their current cookie management solutions in response to these draft complaints, they should carefully consider any such changes. In relation to cookies and similar technologies, the compliance requirements are generally set out at a national level and are the result of national implementation of the ePrivacy Directive, and also, importantly, of the guidance and opinions of national data protection authorities, rather than a harmonized, directly applicable EU-wide regulation. This is the position at least for the time being, since the ePrivacy Regulation intended to replace the ePrivacy Directive has not yet been finalized. Therefore, this is an area where a one-size-fits-all approach can be difficult to apply in practice. National EU data protection authorities have different approaches on the measures necessary to obtain/deny consent for cookies, while ecommerce or other business activities performed through a website are intrinsically open to data subjects in all EU member states. Companies should therefore identify the solution which best fits their organization and at the same time addresses compliance requirements.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.