Privacy group noyb has issued 500 draft complaints to companies who use deliberately misleading cookie banners. It is the first salvo in a campaign that could see more than 10,000 complaints filed across Europe. Its goal is to simplify the acceptance of cookies to a simple Yes or No box on all websites.
Max Schrems, Chair of noyb, said: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”
Why is this still a problem?
That’s a good question. Cookie consent on websites should be simple, and sites could give users a simple option to block all cookies. However, many sites break cookies down into different groups forcing users to go through long and complicated processes to opt-out multiple times.
Some sites don’t provide any option for users to reject cookies. Instead, they provide a link to their cookie policy page where they list the cookies they will push onto visitors devices.
When it comes to advertising cookies, an increasing number of sites redirect users to industry bodies. The four major sites are Network Advertising Initiative’s Website, the Digital Advertising Alliance AdChoices Website, the European DAA Website (for the EU/UK), the AppChoices Website (for mobile app opt-out). None of these sites allows a user to opt-out of marketing cookies. Why should they? They have a vested interest in pushing cookies into users machines.
Another approach is to create a legitimate interest tag where hundreds of companies are listed. By default, they are set to opt-in rather than opt-out. While some sites provide a simple reject all button, many require users to opt-out of each cookie separately. As almost all of these are advertisers is raising the question of what legitimate interest means.
noyb has an automated process to create complaints
noyb has created its own software to visit sites and look for different types of violations. Once found, the system will autogenerate a GDPR complaint. The noyb legal team will also review each violation. It will send offending sites an informal draft complaint and a step-by-step guide listing all the different types of violations and how to correct them.
If sites do not respond within a month, noyb says it will escalate the complaint to the relevant authority. The relevant authority will then have to decide how to proceed, which may include fines.
Enterprise Times: What does this mean?
The problems with cookies and how websites deal with them is a long-standing issue. Many sites claim that they need cookies to track users visiting their sites so that they can track returning visitors. There is nothing wrong with this, and that is not what this move is intended to address.
The problem here is the sleight of hand used by too many websites to trick users into giving consent. In the press release, noyb states: “Companies use so-called “dark patterns” to get more than 90% of users to “agree” when industry statistics show that only 3% of users actually want to agree.”
It will be interesting to see how many companies change how they work and the wider impact of this move. The one thing that EU ICOs will not want to see is a mass of new complaints being filed by noyb. Most ICOs are barely able to handle their existing workload. It could push many to their limits. However, if the move forces many companies to clean up their websites without intervention from the ICOs, they will undoubtedly welcome this move.