Last updated on 27 August 2021 by William Blesch (Legal and data protection research writer at TermsFeed)
On May 31, 2021, the European Center for Digital Rights, a pro-privacy group that goes by the acronym "noyb" (None of Your Business), began a campaign against well-known companies that allegedly used unlawful cookie banners.
The cookie banners used by these companies ostensibly employed practices that fell far outside guidelines dictated by the European General Data Protection Regulation (GDPR). Noyb sent out almost 600 draft complaints to companies throughout the European Union (EU) and European Economic Area (EEA), which they identified as having violated these GDPR regulations.
Max Schrems, an Austrian activist, author, and lawyer, co-founded noyb. He became quite well-known following privacy complaints against Facebook. In 2011, Schrems filed complaints against the tech giant with the Irish Data Protection Commissioner (DPC), which to this day have never received a formal decision. Despite that fact, Facebook was forced to disable its facial recognition software and delete specific files after it was audited following Schrems's complaint.
Today, Schrems's organization declares on its website's homepage that "noyb aims to end cookie banner terror." According to the privacy watchdog, "by law, users must be given a clear yes/no option." However, most companies don't do that, and they also do not provide any acceptable alternative.
Sometimes, they present all the correct options but then obscure the banner placement or engage in practices such as so-called "dark patterns," labyrinthine sub-menus, button contrast, and misleading color choices. All of these practices are designed to fool or otherwise frustrate website users into accepting all cookies.
All the companies to which noyb sent notices had one month to "cure" or otherwise rectify EU privacy law violations before formal complaints would be filed with relevant authorities.
It's worth noting that noyb's efforts have primarily been aided by proprietary software the organization developed in-house. The non-profit plans to scan Europe's top 10,000 most-visited websites to identify illegal cookie banner use. When noyb's software determines that a company violates the law, a human legal team then sends a draft complaint to the so-called offenders. The organization also sends the company step-by-step guidance on how to become legally compliant.
According to noyb, there are at least 15 different kinds of violations that break EU privacy laws. Its compliance guide lists each of them. We'll go over key abuses and provide a brief analysis below.
First, however, it's worth noting that similar consent and cookie banner issues came into focus recently. For instance, France's Commission Nationale de l'Informatique et des Libertés (CNIL) sent out formal notices to both companies and public organizations that didn't allow website users to reject cookies as easily as they could accept them.
As of June 29, 2021, all organizations contacted by CNIL adjusted their cookie practices to become compliant with EU law.
Before we dive into specifics, you should understand that even if your company or organization doesn't do business within the EU or EEA, similar laws within the United States, such as The California Consumer Privacy Act (CCPA), demand compliance on this issue as well. Penalties can often be steep. Therefore, it's in your interest as a business owner or executive to ensure your cookie practices meet compliance standards.
With that said, a best practice is to use a consent management platform (CMP), which is a tool used to collect user consent. Here's an example of a consent management platform in action from the French bank Credit Agricole. Note the cookie banner at the bottom. It contains clear buttons for accepting all cookies, denying all cookies, or managing cookies:
The EU's privacy regulation law currently in force is the GDPR, as noted above. You may already be familiar with it and its cookie requirements, especially if you do business anywhere within the EU. You should also have little excuse not to be compliant since the law has been in effect since 2018.
However, on the off chance that you may not be in full compliance with the law, here's a brief reminder of what is required:
When it comes to keeping website users informed, it's your responsibility to provide them with a privacy notice, which provides "fair processing information." This transparency requirement applies regardless of how you use the data.
In other words, your company might do all kinds of things with someone's personal information. The crucial point is that you must make users aware of what you do with that data and then provide them with a means to tell you "no."
As we've noted above, compliance with GDPR requirements concerning cookies means that you need to provide your website visitors with a consent banner. That consent banner is usually created through the use of a consent management platform.
Here are the components that you should include in a compliant cookie consent banner:
The truth is that even though the GDPR has been in effect since 2018, many businesses have sought ways to circumvent its regulations concerning cookie banners.
The law was intended to give website users more control over their private information and how businesses use it. Further, it was intentionally designed to provide users a way to deny that data to companies if they disagree with how those companies will use the data. However, people all over the EU and EEA have found themselves in a frustrating situation where businesses regularly ignore aspects of the law.
Instead, companies are throwing up cookie banners, claiming compliance, but then using dark patterns to ensure that over 90 percent of all users click the accept button. According to industry statistics, that's a problem when only three percent of all users actually agree to accept all cookies.
That's where organizations like noyb come into the picture. They're bridging the gap and identifying thousands of offending businesses.
As Max Schrems, noyb's chairman, has noted:
"Frustrating people into clicking 'okay' is a clear violation of the GDPR's principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the 'agree' button."
If you're engaging in the kind of shady cookie banner practices noyb outlines, be careful. Noyb's software could identify your business as an offender, and your business could be reported to the applicable authorities.
Noyb has identified the following kinds of violations:
If you don't feature a "reject" button for all cookies on your homepage (the initial page of your website), you've engaged in a "Type A" violation. According to noyb, Type A violations are the most common.
By neglecting to have a "reject" button, you're violating the GDPR's consent requirement.
Even if you use a consent management platform, if you also place a pre-ticked box within your settings section to acquire user consent, you're violating the GDPR. The law explicitly states that pre-ticked boxes do not represent consent.
Moreover, noyb isn't alone in pointing this out. The EU's highest court, the Court of Justice of the European Union (CJEU), has stated that consent isn't valid if it is provided where a box was pre-checked.
It's in your interest, then, to ensure that when it comes to obtaining cookie consent, you require users to take some kind of affirmative action, like clicking a button or actively checking a box, to indicate their clear consent.
If you use any link design or confusing hyperlinks to "nudge" users into clicking a button that accepts all cookies, you're engaging in a Type C violation.
While the law does not directly demand a specific format or design you must follow when obtaining user consent, it requires that any consent acquired must be informed, unambiguous, precise, and freely given.
The letter of the law actually gives you more leeway than noyb would like since the GDPR doesn't demand that the option to refuse is placed precisely beside the choice to accept. With that said, noyb's guidelines ensure GDPR compliance and should be considered a best practice in this regard.
Suppose you use misleading button colors and contrast. In that case, you're engaging in a violation that's quite similar to Type C. When you use deceptive colors for your "accept" and "reject" buttons, users tend to click the accept button more often than not, even when they really don't want to accept. For example, noyb points out that many companies use green as a color for the "accept" button. It's similar to a green light at a traffic stop. Green means "go."
On the other hand, these same companies often use the color gray on their "reject" buttons, which in many cases causes them to blend in with the CMP background. In keeping with colors that are regularly used to indicate "no," "stop," "do not proceed," etc., these companies ought to be using the color red for their "reject" buttons. Noyb considers the fact that they do not to be deceptive.
Like a Type C violation, this sort of thing isn't a direct violation of the letter of the law, but it's still considered a violation of the spirit of the law. It's therefore a best practice to ensure that the meaning of your button designs, colors, and contrasts is obvious and easy to understand.
"Legitimate interest" isn't a valid reason to assume consent when it comes to your cookies. Some companies use the term "legitimate interest" within their cookie banner language and imply that they have the right to place cookies on a user's computer because they have "legitimate interests."
However, this is a violation of the EU ePrivacy Directive, which demands that you obtain valid, explicit consent from users to use all non-essential cookies.
Some companies flat out lie about the type of cookies they place on a user's computer. They intentionally misclassify non-essential cookies as "essential." This is also a clear violation of the ePrivacy Directive's consent requirements. Be exceedingly careful that you don't engage in practices like this because doing so could lead to a full cookie review by applicable authorities. If you're found in violation, remember that fines and penalties can be stiff.
A debate currently rages as to which cookies are non-essential, but noyb argues that advertising and analytics cookies should not be considered "essential."
The last violation type has to do with making it hard for a user to withdraw consent. If you don't include in your cookie banners an easy way for users to withdraw consent, then according to noyb, you're in violation of the law.
Be aware, however, that neither the ePrivacy Directive nor the GDPR explicitly states such a thing. What these laws do demand is that you make it easy for a user to withdraw consent. How you do that is up to you, but noyb's guidelines are a sensible way to ensure compliance.
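The violation types above translate directly into implementation rules for a consent banner: nothing non-essential is set before an explicit choice, no category is pre-ticked, reject is as easy as accept, "legitimate interest" is not a substitute for consent, cookies are classified honestly, and consent can be withdrawn. The following JavaScript is an added example, not code from the article or from noyb or any CMP vendor: it models the consent state a banner should keep and includes a small lint pass that flags the practices the article describes in a banner configuration. The category names, the cookie registry, the `action`/`style` fields and the two sample banner objects are constructed assumptions for the illustration.

```javascript
// Added example (not from the article): a minimal GDPR-style consent model plus a
// lint pass over a banner configuration. Categories, registry and config shape are
// hypothetical; adapt them to a real CMP's data model.

// Hypothetical registry mapping each cookie name to its honest category.
const COOKIE_REGISTRY = Object.freeze({
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",
  ad_id: "advertising",
});
const NON_ESSENTIAL = Object.freeze(["analytics", "advertising"]);

// Fresh state: nothing decided yet, every non-essential category off (no pre-ticked boxes).
function createConsentState() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { decided: false, categories };
}

// Only an explicit user action moves the state to "decided". Withdrawal is just
// another explicit action that turns every non-essential category off again.
function applyChoice(state, action, selection = {}) {
  const next = createConsentState();
  next.decided = true;
  if (action === "accept_all") {
    for (const c of NON_ESSENTIAL) next.categories[c] = true;
  } else if (action === "save_selection") {
    for (const c of NON_ESSENTIAL) next.categories[c] = selection[c] === true;
  } else if (action !== "reject_all" && action !== "withdraw") {
    throw new Error(`unknown consent action: ${action}`);
  }
  return next; // reject_all and withdraw leave all non-essential categories false
}

// Gate: essential cookies are always allowed; anything else needs a recorded opt-in.
// A cookie missing from the registry is denied rather than silently treated as essential.
function isCookieAllowed(state, cookieName) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false;
  if (category === "essential") return true;
  return state.decided && state.categories[category] === true;
}

// Lint a banner configuration for the practices the article lists; returns findings.
function lintBanner(banner) {
  const findings = [];
  const first = banner.firstLayerButtons || [];
  const accept = first.find((b) => b.action === "accept_all");
  const reject = first.find((b) => b.action === "reject_all");
  if (!reject) findings.push("no reject button on the first layer (Type A)");
  if (accept && reject && accept.style !== reject.style) {
    findings.push("accept and reject buttons are styled differently");
  }
  for (const [cat, preChecked] of Object.entries(banner.settingsDefaults || {})) {
    if (NON_ESSENTIAL.includes(cat) && preChecked) findings.push(`category "${cat}" is pre-ticked`);
  }
  if (/legitimate interest/i.test(banner.text || "")) {
    findings.push("banner text relies on legitimate interest for cookies");
  }
  for (const [name, cat] of Object.entries(banner.declaredCategories || {})) {
    const actual = COOKIE_REGISTRY[name];
    if (cat === "essential" && actual && actual !== "essential") {
      findings.push(`cookie "${name}" declared essential but is ${actual}`);
    }
  }
  if (!banner.withdrawLink) findings.push("no way to withdraw consent");
  return findings;
}

// Constructed sample configurations: one with the problems above, one without.
const PROBLEM_BANNER = {
  text: "We use cookies based on our legitimate interest. Click OK to continue.",
  firstLayerButtons: [{ action: "accept_all", style: "primary" }],
  settingsDefaults: { analytics: true, advertising: true },
  declaredCategories: { _ga: "essential" },
  withdrawLink: null,
};
const COMPLIANT_BANNER = {
  text: "We use cookies. You can accept all, reject all, or choose categories.",
  firstLayerButtons: [
    { action: "accept_all", style: "primary" },
    { action: "reject_all", style: "primary" },
    { action: "manage", style: "link" },
  ],
  settingsDefaults: { analytics: false, advertising: false },
  declaredCategories: { session_id: "essential", _ga: "analytics", ad_id: "advertising" },
  withdrawLink: "/cookie-settings",
};
```

The design choice worth noting is the default-deny in `isCookieAllowed`: a cookie that nobody bothered to classify is blocked, not waved through as "essential", which is the misclassification the article warns about. Running `lintBanner(PROBLEM_BANNER)` yields six findings (missing reject, two pre-ticked categories, legitimate-interest wording, a misclassified analytics cookie, and no withdrawal path), while `lintBanner(COMPLIANT_BANNER)` yields none.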
The image below is a cookie banner from the U.K.'s version of GQ Magazine. Notice that it satisfies the five main demands of the GDPR, which are:
The privacy-focused watchdog group, noyb, has made going after companies that violate GDPR cookie guidelines its mission. To date, the group has contacted almost 600 businesses to notify them of their non-compliance. There are more than 10,000 other organizations that noyb plans to investigate in the near future.
If you do business within the EU or EEA and engage in any one of the eight types of violations listed above (remember that there are actually at least 15 types and we've merely gone over the most important), you run the risk of being called out and reported for those offenses. That's in addition to enforcement efforts by applicable authorities such as CNIL.
With that in mind, consider it a best practice to review your cookie notice, how you obtain cookie consent, and then make relevant updates as needed.