noyb issues hundreds of complaints against non-compliant cookie banners

noyb’s complaints against cookie banners

Privacy advocate Max Schrems’ organization noyb issued more than 550 complaints against companies allegedly using cookie banners that are non-compliant with the requirements of the ePrivacy Directive and the General Data Protection Regulation (GDPR). The organization developed a software that is able to detect different kinds of non-compliant cookie banners. Once a non-compliant cookie banner has been detected, the system automatically generates a complaint against the respective company. noyb indicated that this will enable them to issue up to 10,000 complaints against the most visited websites.

noyb bases its complaints on the fact that most cookie banners do not provide for a simple yes or no option and therefore do not comply with the standard for obtaining valid consent set out in the GDPR. Instead, many website operators try to “nudge” users into accepting cookies, either by making it difficult to decline them or by using deceptive designs.

Complaints issued by noyb are first informally sent to the respective website operators, giving them a one-month grace period to comply with current regulation, before a formal complaint is filed with the data protection authorities.

noyb’s action has drawn more attention to the issue of non-compliant cookie banners, perhaps inspiring other organizations to join the fight. Therefore, companies should ensure that user consent is validly obtained through the cookie banners they use.

How can cookie consent be validly obtained?

The main rules for the use of cookies are laid down in the ePrivacy Directive that will be replaced by the proposed ePrivacy Regulation once the legislative process is completed. Art. 5 (3) stipulates that cookies or similar technologies may only be used with prior consent of the data subject. Exceptions exist only for cookies that are strictly necessary for the operation of the respective website, e.g. session cookies. For all other cookies, like advertising cookies or analysis cookies, website operators must obtain the informed consent of the users.

For consent to be valid, it has to be obtained in compliance with the standard set out in Art. 4 (11) GDPR. Hence, it must be “freely given, specific and informed”. Therefore, a number of requirements have to be met:

• Consent must be obtained prior to the collection of any data through cookies except for cookies that are strictly necessary;
• The user must be informed which data is tracked by each cookie and for what purpose prior to giving consent;
• The information must be easy to understand;
• If users refuse the use of cookies, they must not be excluded from using the website or suffer any other disadvantages;
• It must be possible for users to withdraw consent at any time and in a way that is as simple as the declaration of consent.

Regarding the question how consent can be validly obtained through cookie banners, the European Court of Justice (ECJ) specified in its landmark judgement Planet49 (ECJ, 01.10.2019, C-673/17) that consent must be actively and unambiguously expressed by users, for example by clicking on a consent button (“opt in”). Therefore, pre-ticked checkboxes which the user must uncheck to refuse cookies do not constitute valid consent.

To comply with these requirements cookie banners should at least have the following features:

• Indicative information on the purpose of the cookies and the possibility to withdraw consent;
• Separate consent and decline buttons;
• The possibility to choose between cookies depending on their purpose (checkboxes must not be pre-ticked);
• A link to the privacy policy (one click).

Deceptive designs: A grey area?

However, as a result of these requirements, a new practice emerged. Websites increasingly use cookie banners where the decline button is presented in light colours, typically grey and white, and the consent button in brighter colours, typically green, so that users are encouraged to click on the consent button. These deceptive designs are also called “dark pattern” designs. noyb especially mentioned these designs as a practice against which they want to take action.

Since users have the de facto possibility to reject cookies that are not necessary, these banners could be considered sufficient to obtain valid consent. However, a German Court indicated in September 2020 (LG Rostock, 15.09.2020 – 3 O 762/19) that these kinds of deceptive designs might also be problematic. It noted in the case that the respective grey and white designed “only use necessary cookies” button is not clearly recognizable as a clickable button. It stated:

“(…) it (…) fades into the background next to the ‘Allow cookies’ button, which is green and therefore appears to be preset. Many consumers will therefore not normally perceive this option as an equivalent consent option.”

Hence, in order to protect your company from (formal) complaints, cookie banners should present the accept and decline options equally on cookie banners in order to avoid misleading effects and to provide a sufficient basis for informed consent.

Recommendations for companies using cookies

In order to avoid (formal) complaints that may lead to fines and litigation costs, companies should ensure the compliant design of their cookie banners. Consent to using cookies must be obtained prior to the use of any cookies and users must be informed about the data tracked by and the purpose of the cookies. Additionally, information about any kind of processing of the collected (personal) data, including third country transfers and/or data usage by third parties, must be provided. Moreover, the possibility to withdraw consent must be clearly indicated and the withdrawal of consent must be as simple as the declaration of consent.

When consent is obtained, users must have the option to choose which cookies they want to accept depending on their purpose, and checkboxes must not be pre-ticked. Moreover, it is advisable to display accept and decline buttons with an equivalent design.