Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints

Introduction

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply.  noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

noyb’s stated aim is to move to a world where users are presented with simple and clear “accept”/”reject” options and companies do not design their cookie banners to try to “frustrate” users into accepting cookies or design their privacy settings to make it difficult to opt out.

The impact of not collecting consent for cookies will be significant for many companies. Therefore, whilst many companies are likely to change their practices upon receiving a complaint from noyb, others may continue to take a more bullish approach and decide to defend the position that they have taken with the relevant data protection authorities.

Noyb’s methodology and issued raised

Companies without fully compliant cookie consent platforms who have not received a letter from noyb, should not get too comfortable. noyb’s announcement indicated that it has developed a tool that recognises unlawful cookies banners and automatically generates complaints. noyb will use this tool to “ensure compliance of up to 10,000 of the most visited websites in Europe” during the course of 2021.

From the 560 websites assessed so far, noyb has identified the following issues, which it considers to be evidence of non-compliance, with its headline position being that companies are “manipulating” users into consenting:

• No reject option on first layer
• Pre-ticked boxes
• A link (we assume to a website such as allaboutcookies.com) instead of a button to reject
• Deceptive button colour and contrast
• “Legitimate interest”, which we assume means that noyb believes that some companies are seeking to rely on legitimate interests to collect cookies instead of consent
• Placing non-essential cookies without consent
• It being more difficult to withdraw consent than to give it

Our take

This action comes a week after the French data protection authority started enforcing its strict cookie rules, sending approximately 20 organisations in the “digital economy” formal notices ordering them to comply with the cookie rules. This investigation and the action taken by noyb signify ever-increasing pressure on companies to implement compliant cookie consent solutions.

However, achieving a commercially compliant solution in this area is not easy.  Guidance by data protection authorities across the European Union and the UK is divergent, particularly in relation to the important question of whether analytic cookies may be considered “essential”.  This means that it may not be possible for companies to apply a uniform approach across the board.  Some organisations which rely heavily on cookie technology may prefer to stand their ground and argue their position with data protection authorities and privacy activists like noyb.  However, this approach is not without risk since some data protection authorities (e.g. the French data protection authority) have not shied away from imposing significant fines in this area. It is also an area where we are increasingly seeing data subjects bring damages claims, which would be of concern were allegations or findings of non-compliance made public.