Privacy advocacy group noyb, most famous for challenging Facebook in the EU and ultimately invalidating the agreements that underpin foreign data transfers, is back with a new campaign. This time the group is bringing GDPR complaints against a variety of companies that use “cookie banners” to collect consent for identification and tracking measures when websites are visited.
noyb argues that many of these cookie banners use confusing language, odd structures and other forms of pressure to railroad the end user into consenting to these measures. The General Data Protection Regulation (GDPR) stipulates that this process must be “clear” to the average internet user and present them with a simple yes/no decision.
GDPR complaints target 10,000 websites
GDPR rules govern how consent is collected from website users for the placement of tracking cookies that vacuum up web browsing information and use it for targeted advertising. A late 2019 ruling by the Court of Justice of the European Union (CJEU) has sharpened these rules. The CJEU case involved Planet49, a German online lottery service that was obtaining consent via a cookie banner that contained two pre-ticked boxes that the user had to manually un-tick. The Planet49 ruling found that pre-checked boxes are not adequate to meet the GDPR’s standard of consent, that the expiration date of cookies must be disclosed to the user, and that there must be a separate consent agreement for each individual use of data.
noyb contends that as many as 10,000 websites do not meet the requisite cookie banner standards. The group has filed over 500 draft GDPR complaints throughout the EU, the largest single action of this type since the digital privacy law went into effect. noyb says that it identified these sites via a piece of software it developed that automatically detects intentionally confusing “dark patterns” in cookie banners. The draft complaints do not ask for immediate action from regulators; noyb is giving the companies in question a one month “grace period” in which to voluntarily address the issues before formal complaints are filed.
The case will no doubt revive the discussion about dark patterns, a controversial practice that critics contend represent confusion and coercion by intentional design. One of the most common issues of this nature that the GDPR complaints cite is lack of an option to reject cookies on the first layer or page of the site, requiring users to go into a submenu or navigate to a different page to opt out of tracking. noyb also claims that 73% of the cookie banners it has targeted use deceptive button colors and contrast to attempt to sway users into giving consent to be tracked. A little over half of the sites have a link that goes to another page for those who opt to reject cookies, rather than a simple “reject” button comparable to the one used to accept the terms. And 15% of the cookie banners are still loading with pre-ticked boxes in spite of the decision in the Planet49 case.
noyb cites research that indicates only 3% of site users actually want to agree to be tracked by cookies, but 90% end up agreeing due in large part to dark patterns and other deceptive techniques. The privacy group calls these sites “crazy click labyrinths,” accusing them of burying opt-out information in such a way that most visitors are not aware that it is available to them.
Group claims cookie banners frequently violate GDPR rules
The issue, according to noyb, boils down to the fact that the GDPR requires a simple “yes” or “no” option for consent when cookie banners are used. Websites appear to be doing everything they can to avoid this simple presentation, even if they are courting GDPR complaints and potential fines.
However, as some expert legal observers have pointed out, there is daylight between how noyb interprets the rules in their GDPR complaints and how they can be interpreted by a court. One example is the common failing of having an immediate “reject” option in place as soon as the page is visited and the initial cookie banner is presented. Lawyers have noted that the GDPR does not actually specify that a “reject” button be immediately presented, nor does it have to be in the first layer. The GDPR also does not set clear boundaries as to how color and contrast can be used and what constitutes an intentional “nudge” of the visitor toward the opt-in button.
Though it is possible that noyb will not hit the legal mark on all of the elements of its GDPR complaints, the parts that are clearly valid and the sheer scope of the complaints (not to mention the organization’s reputation given the Schrems II decision) will undoubtedly engage the attention of regulators and provide organizations in the region with a prompt to review their cookie banner compliance.