EU: Second wave of noyb complaints targets cookie banners

Authors: Heidi Waem and Simon Verschaeve

Recently, the European Center for Digital Rights (better known as noyb), founded by privacy activist Max Schrems, announced a new initiative that focuses on compliance of cookie banners in Europe. Alongside the launch of the campaign, noyb reported that it issued more than 500 draft complaints to the owners of websites that use – according to noyb – “unlawful” cookie banners. While the organizations’ first wave of 101 complaints on data transfers following the Schrems II judgement has not yet been fully digested (ie many cases are still pending before data protection authorities), this initiative could again become one of the drivers of enforcement activity across the EU in the coming months. Noyb plans to file up to 10,000 further complaints in 2021.

Which websites are targeted?

This first batch of draft cookie complaints is focused on websites that make use of the OneTrust consent management platform (CMP), which is a popular tool used by many EU websites. However, it appears likely that noyb will extend its review to other CMPs in the course of the project.

The draft complaints target websites of large international players and more local websites with “a relevant number of visitors”. The selection was made based on: (i) the jurisdiction; (ii) the number of visits of a website; (iii) the CMP used; and (iv) the detected violations.

Regarding the geographical scope of the complaints, noyb stated that websites in over 33 countries are covered. Except for Malta and Liechtenstein, complaints relate to cookie banners of websites in each of the European Economic Area jurisdictions.

Which type of practices are under scrutiny?

From the practices that are being monitored, it appears that noyb maintains an extensive interpretation of the applicable cookie rules and labels certain approaches as “unlawful” while some are strictly speaking not prohibited by law:

  • No “reject” option on the first layer (Type A) – In noyb’s opinion, a “reject” (or “reject all”) option should be available in the first layer when consent is sought. This interpretation boils down to the principle that refusing consent should be as easy as giving consent. However, the GDPR only prescribes such a requirement for withdrawal of consent, not for refusal and, therefore, it can be disputed whether such an option should be available.
  • Pre-ticked boxes on second layer (Type B) – A second type of violation that is targeted by the complaints consists of the use of pre-ticked boxes to obtain consent; for example, in the “manage settings” section of a cookie banner. It is clear from the GDPR that consent requires a clear affirmative act. The Planet 49 (C-673/17) and Orange Romania (C-61/19) judgments of the EU Court of Justice clarify that pre-ticked boxes cannot be used to obtain valid consent under the GDPR and this is reiterated explicitly in the GDPR’s recitals.
  • Deceptive link design, button colors and contrast (Type C, D and E) – Another interesting (and questionable) point of view relates to several subliminal techniques, so-called “nudging”, that can be used to lead users to provide their consent and divert attention from the other available option(s). In case of a deceptive link design, the “refuse” or “manage preferences” option is displayed as a link, as opposed to the “accept” option which appears as a button. Alternatively, colors and contrast may be used (eg grey for refusal vs. green for acceptance) to “deceive” users from refusing. This interpretation presumes that a requirement exists to give equal prominence to the options of accepting and declining for consent to be valid, which – also – relies on an extensive interpretation of the GDPR consent requirements.
  • Legitimate interest claimed (Type H) – Noyb also contests options in the cookie banner to rely on legitimate interest. Where ePrivacy legislation applies, the available legal bases for the use of non-essential cookies are restricted to consent only. However, ePrivacy rules only regulate “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user”. Outside of this scope, other legal bases than consent might be available.
  • Inaccurate classification of cookies (Type I) – Alleged violations of this type relate to possible errors in categorization of cookies into essential (or strictly necessary) cookies, exempted from the consent requirement under ePrivacy rules, and non-essential cookies.
  • Not as easy to withdraw as to give consent (Type K) – Noyb’s OneTrust guide claims that a “withdraw” option should be available on the cookie banner. The GDPR does state that withdrawal of consent must be as easy as giving consent, but is not prescriptive on the way in which such option must be implemented.

How does noyb’s assessment process work?

According to its own communication, noyb has developed software that scans websites and detects “violations” in cookie banners (and documents data to substantiate its findings such as screenshots, cookie data, HTML files). Noyb states that a person also visits the website to verify the analysis.

Where “violations” have been detected, the software generates a draft compliant and sends it via email to the respective controller of the website concerned. These controllers then have one month to implement changes to bring their website into compliance with the “violations” listed in the draft complaint.

If the settings are changed in time, controllers can – but noyb does not seem to oblige them to – report compliance with all elements of the draft complaint to noyb through a dedicated online platform called WeComply!

If not, noyb will file a formal complaint to the relevant supervisory authority (under the GDPR and/or ePrivacy legislation), which might then trigger enforcement action. A controller must accept and remedy all elements listed in the draft complaint to avoid further action from noyb.

Conclusion

While some “violation types” are likely to coincide with the view of most data protection authorities in the EU, others are based on a far-reaching interpretation of the GDPR and may give rise to significant discussion. Noyb thus expects controllers to adopt a best practice approach rather than to strictly comply with the law.

Moreover, the rules governing cookies go into little detail. In the absence of relevant case-law at EU level, this results in many grey areas that remain unclear. In addition, these rules are all but fully harmonized across the EU. Interpretation and guidance of supervisory authorities and courts differs significantly (see our European Law on Cookies Guide for a comparison). Therefore, contrary to what noyb seems to contend, full compliance with cookie regulations is for many organizations not always straightforward.

Taking into account the scale of this exercise, it might well cause enforcement on cookies to become tougher in the coming months. Organizations that do not wish to adopt a best practice approach should be prepared with a solid legal justification for choices made in the set-up of their cookie management.

It remains to be seen how EU supervisory authorities (and courts) will deal with the extraordinary number of complaints that could result from noyb’s actions and whether they will – as for previous noyb complaints – coordinate their approach at EU level to avoid discrepancies between authorities.

For further information and advice, please get in touch with dataprivacy@dlapiper.com or your usual DLA Piper contact.