Max Schrems’ noyb Files 226 Fresh Cookie Banner GDPR Complaints

Tim Cross 10 August, 2022 

Online privacy activist group noyb (none of your business), founded by well-known campaigner Max Schrems, has filed 226 fresh complaints against websites which it claims are using “deceptive cookie banners”, and not complying with requirements outlined in the EU’s General Data Protection Regulation (GDPR).

The alleged offenders are accused of using dark patterns – techniques in user interface design which attempt to trick, or at least nudge, users into taking actions which they wouldn’t otherwise choose – within their cookie banners. These dark patterns increase the number of users who accept placement of cookies on their web browsers, but critics say that opt-ins which are solicited through dark patterns don’t represent true consent, thus violating GDPR.

“Deceptive cookie banner designs try to force a user’s agreement by making it insanely burdensome to decline cookies,” said Ala Krinickytė, data protection lawyer at noyb. “The GDPR actually requires a fair yes/no choice, not crazy click-marathons.”

All of those identified by noyb use OneTrust, a popular cookie banner provider. That’s due to the nature of noyb’s investigation – the privacy group uses software to automatically scan websites and identify those which aren’t compliant, but so far the software only works with OneTrust.

noyb lists a number of common dark patterns which emerge in OneTrust cookie banners. These include the absence of a ‘Reject’ option on the first layer of a consent mechanism (with visitors usually given options to ‘Accept’ or ‘More Options’), pre-ticked boxes on the second layer of a consent mechanism, and deceptive design elements which make the ‘Accept’ option more visible, or obscure the meaning of different options. Historically OneTrust has been partly to blame thanks to its default settings, though noyb says OneTrust has changed these settings to be more GDPR compliant.

Schrems says that noyb initially sends offending websites draft complaints, and then gives them sixty days to update their settings, after which noyb files a formal complaint if no changes are made.

Thus, those websites which are the target of noyb’s complaints will presumably have been aware of what was coming. Not all agree with noyb’s interpretation of GDPR, so some of those targeted by noyb may be hoping to be vindicated by data protection authorities’ decisions. Currently noyb is still waiting on decisions for its first batch of complaints filed last August – once those decisions come through, we’ll have a better sense of which way the regulators lean.

“Hopeless cases” remain non-compliant

On a more positive note, noyb says publishers’ attitudes are changing, and it’s seeing much higher levels of compliance across Europe.

The non-profit group says that many of those it has contacted over the last year have adapted their cookie banners, with some even choosing to scrap use of relevant cookies altogether.

“We mainly saw positive feedback from websites, but also noticed a large spill-over effect,” said Schrems. “Many websites we have not contacted yet have adapted their settings once they heard about these complaints. This shows that enforcement ensures compliance beyond the individual case. We were also contacted by users who noticed an increasing amount of ‘reject’ buttons appear on websites in the last year.”

But that means that for those which still fall short, it’s more a case of belligerence than a lack of awareness. In this most recent round of complaints, 80 percent of companies failed to fully comply after the 60-day grace period, and just 24 percent of violations were remedied. In the previous round, 42 percent of all violations were remedied within 30 days.

“After one year, we got to the hopeless cases that hardly react to any invitation or guidance,” said Schrems. “These cases will now have to go to the relevant authorities.”

Again, some of those targeted may believe they’re on firm grounding, and that they don’t need to change their cookie banners in order to comply with GDPR.

They are, however, likely living on borrowed time. The EU’s Digital Services Act, which is likely to come into force at the start of 2024, explicitly bans dark patterns – which should take any ambiguity out of the equation. The only question then will be how quick regulators will be to enforce the ban.


About the Author:

Tim Cross is Assistant Editor at VideoWeek.