Privacy Group NOYB challenges businesses’ unlawful cookie banners

500 complaints already sent to businesses with non-GDPR compliant cookie banners. 10,000 new complaints in the making. Privacy organization NOYB is on a mission to end businesses’ deceptive and unlawful cookie banner practices. Here’s why you should care.

Privacy organization NOYB (“None Of Your Business”) is quickly making the world of digital marketing quiver.

With lawyer and activist Max Schrems spearheading the group, NOYB is behind some of the most prolific privacy complaints in modern history.

The complaints have, among other things, led to massive GDPR fines against Google (€50M) and to the invalidation of the EU-US data transfer agreement Privacy Shield.

Now, NOYB is targeting European businesses who use dark patterns in their website cookie banners. The allegation is that businesses nudge users into giving consent to cookies without an alternative to reject them.  

Here’s a quick overview of what you need to know and how you can prevent your business from receiving a complaint from NOYB.

Who is NOYB?

NOYB – European Center for Digital Rights (coined NOYB from “None Of Your Business”) is an activist privacy organization based in Vienna, Austria, and established in 2017.

The organization aims to launch court cases against businesses that do not comply with the General Data Protection Regulation (GDPR) or the ePrivacy Directive.

The quick overview of NOYB’s “end cookie banner terror” campaign

The first 560 draft complaints have already been sent to companies in 33 European countries in June 2021. 10,000 more complaints are being created as we speak.

Companies who have received the complaint now have a one-month grace period to comply with GDPR requirements for cookie banners or NOYB will send the complaint to local Data Protection Authorities.

Then it becomes the responsibility of the authorities to investigate and ultimately fine the businesses for not complying with European cookie laws.  

But why are cookie banners so important to NOYB? And why are they amassing the largest European cookie complaint to date?

Cookies require consent

By law, websites are required to obtain valid consent for collecting and processing personal data. This also includes cookies.

Users have to be given a clear YES or NO option in the cookie banner if the website uses cookies that collect personal data.

And as most websites do not comply with this requirement, NOYB has developed a tool that can easily identify non-complying practices in cookie banners and automatically send the website owner a draft complaint.

When formalized, the complaint may result in a fine of up to €20 million or 4% of the business’ global annual turnover.

We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights.

With the draft complaint, NOYB also sends a guide on how to bring the banner into compliance.

But what is a deceptive cookie banner? And what is NOYB looking for?

What is NOYB looking for when forming complaints?

According to NOYB, a deceptive cookie banner is a banner that tricks or nudges users into giving consent to cookies.

That is: a banner that makes it difficult for the user to reject cookies.

These banners are some of the most common on European websites.

Example of a deceptive and unlawful cookie banner according to NOYB and the GDPR

NOYB is looking specifically for banners that hide “reject-cookies” buttons, that assume users want cookies, or that use legitimate interest to justify using tracking cookies.

So, when looking at websites, NOYB’s tool will scan for:

  • A ‘reject-cookies’ button
  • Pre-ticked boxes
  • A link to an opt-out page instead of a button
  • Deceptive color design
  • Incorrect use of legitimate interest
  • Incorrect classification of non-essential cookies
  • Processes for withdrawing consent

The most recent scan reveals that a lot of websites are using deceptive designs and making it harder for visitors to reject cookies.

Results of NOYB's cookie banner analysis

  • No reject button
    • 81% of cookie banners have no reject button next to the accept button making it hard to opt-out of cookies.
  • Pre-ticked boxes
    • 15% of cookie banners have pre-ticked boxes making cookies an opt-out feature instead of the required opt-in.
  • Link instead of a button
    • 51% use links to other pages for users to opt-out of cookies making it difficult to reject cookies.
  • Deceptive color button
    • 73% use deceptive designs to nudge users into accepting cookies (green for accept vs transparent for other purposes).
  • Legitimate interest
    • 27% of cookie banners claim legitimate interest unlawfully instead of basing data collection and processing on consent.
  • Non-essential cookies
    • 21% categorize non-essential cookies incorrectly
  • Withdrawal of consent
    • 90% of all cookie banners are designed to make it harder for the user to withdraw consent than it was to give it.

How does NOYB craft complaints?

With its newly developed tool, NOYB will scan a range of websites. A draft complaint is automatically sent to those businesses who do not follow NOYB’s recommendations on cookies and consent.

How NOYB creates complaints for unlawful cookie banner use

Targeted businesses are then given a one-month grace period to comply before NOYB sends the formal complaint to the Data Protection Authorities.

Who is impacted by NOYB’s cookie banner terror complaints?

Companies who have received the first set of complaints range from tech leaders like Google and Twitter to local websites with a significant number of monthly visitors.

These are primarily businesses who use cookie banners that trick or nudge users into giving consent to cookies with no real alternatives to rejecting cookies and tracking.

We focus on popular pages in Europe. We estimate that this project can easily reach 10,000 complaints. As we are funded by donations, we provide companies a free and easy settlement option - contrary to many law firms.

We hope most complaints will quickly be settled and we can soon see banners become more and more privacy friendly.

So, what can you do to avoid ending up on NOYB’s list of businesses with deceptive banners and ultimately receiving a formal complaint?

How can you prevent ending up on NOYB’s complaint list?

Now, there can be various reasons to use the cookie banner you’re using now.

Maybe because you need the marketing insights to better track your visitors and ultimately sell your products.

Or simply because GDPR rules on cookies and consent are confusing. What are the rules in your country, really?

So, here’s a very short – yet concise – guide to what a GDPR compliant cookie banner should include:

  • A reject button (on first layer)
  • No pre-ticked check boxes
  • No deceptive link or color design
  • No use of legitimate interest for tracking cookies (requires consent!)
  • Accurate cookie classification (we got that one for you!)
  • An easy way to withdraw consent

With Cookie Information, you don’t have to go through a long manual to change every item on this list.

We actually have a professional solution that will equip you with a GDPR compliant cookie banner.

So, if you’re looking for a compliant solution, you’ve come to the right place.

Not just because our cookie banner meets all the requirements set forth by NOYB, but also because we are Google CMP Partners.

That means you get Google Consent Mode as default. With that you get aggregated analytics for your Google Ads and Google Analytics even though your users say no to cookies!

Is your cookie banner at risk?

Get a free compliance check of your cookie banner. 

We’ll scan your website and tell you if it meets the demands by NOYB. 
