noyb has filed 422 GDPR complaints against companies using misleading cookie banners. It is the first batch of a campaign to force 10,000 websites in Europe to meet EU law. It follows an earlier warning to 516 websites over their use of deceptive practices and dark patterns to trick visitors into agreeing to cookies.
The websites were warned that unless they corrected this, a formal GDPR complaint would be made. Although 42% made changes, it often wasn’t enough. 82% of those companies have had formal complaints filed against them with 10 different data protection authorities.
Max Schrems, Chairperson of noyb, said: “We saw a lot of improvements on many websites and are very happy with the first results. Some major players like Seat, Mastercard or Nikon have instantly changed their practices. However, many other websites have only stopped the most problematic practices. For example, they may have added a ‘reject’ option, but still make it hard to read. The requirement to show a prominent withdrawal option clearly faced the biggest resistance from website owners.”
What is the problem with cookie banners?
noyb identified a wide range of problems with the way websites across Europe presented cookie banners to visitors. The result is that visitors are confused about what they have agreed to. This is done through misleading colours and options, and by claiming things like legitimate interest when there is none.
The image below shows what has changed as companies moved to remediate their cookie banners. According to noyb, “42% added a ‘reject’ option. 68% removed ‘pre-ticked’ boxes. 46% solved issues around using different colors for ‘accept’ and ‘reject’ buttons. 22% gave up on claiming that they have a ‘legitimate interest’ that would allow tracking without user consent.”
The one area where companies resisted was allowing visitors to withdraw consent. noyb reports that only 18% added this feature. What is not clear is why this is the case. It could be that many of those organisations have no processes to deal with withdrawal and the need to stop using visitor data.
Interestingly, Schrems also said: “In informal feedback we heard that companies worried that competitors would not comply which would create unfair advantages. Others said that they want a clear ruling by the authorities, before they start complying. We therefore hope that the data protection authorities will issue decisions and sanctions soon.”
Big Internet companies refusing to engage
It will come as no surprise to many that noyb reports that large Internet companies did not respond well to its complaint. Amazon, Twitter, Google and Facebook have made no changes to their cookie banners. The business practices of all four rely on the amount of data that they can acquire from visitors to their sites. In response, noyb says that it will file no fewer than 36 complaints about those websites.
A case brought by Schrems against Facebook over its data practices has recently been referred to the European Court of Justice. In that case, Facebook argues that it can use contracts to circumvent GDPR. That case is now waiting to be adjudicated, and it will be closely watched. If Facebook prevails, then it has the potential to make GDPR toothless when it comes to protecting user data.
GDPR is still not being interpreted the same across Europe
This case also highlights a major problem for the EU: getting consistency across Data Protection Authorities (DPAs) in different countries. Without this, businesses can choose where to base themselves and whom to choose as their governing DPA. It allows them to ignore judgements from DPAs in other countries unless their local DPA chooses to adopt that decision.
In the case of the dark patterns used in cookie banners, noyb says there is no standard approach to dealing with these. Different DPAs pick and choose which patterns they want to deal with. It makes it difficult to get companies to take this seriously.
To deal with this, Schrems says: “We need clear pan-European rules. Right now, a German company feels that the French authorities’ interpretation of the GDPR only applies to France, even though they operate under the same law within the same European market.”
Enterprise Times: What does this mean?
This latest push by noyb to deal with cookie banners was always going to result in complaints to DPAs. At present, just 422 complaints have been filed. However, noyb has identified 10,000 companies across Europe that have problems with their cookie banners. It will be sending them all a warning letter and giving them time to address their problems. It could see a small tsunami of complaints hitting DPAs across Europe.
There is a risk with this strategy. Smaller DPAs are likely to be swamped and unable to deal with the level of complaints. Larger DPAs may choose to help out, but the most important move would be the EU issuing unifying rules to all DPAs. That would mean that any judgement in any EU country would impact all businesses no matter where they were based. It would certainly create a level playing field and, just as importantly, show that GDPR can work as promised.
For now, all eyes will be on those first 422 cases and the additional 36 complaints against Facebook, Twitter, Google and Amazon.