Final round of “One Trust” cookie banners: 226 complaints lodged against deceptive cookie banners that are still not complying with GDPR requirements
Today, noyb lodged 226 GDPR complaints with 18 authorities against websites that use the popular cookie banner software (“OneTrust”) with deceptive settings. Following a first batch of complaints in May 2021 many websites using OneTrust have adapted their settings and added “reject” buttons. OneTrust also changed the standard settings to be more GDPR compliant. However, there are still many websites that do not comply.
Internet users suffer from deceptive designs. The GDPR was meant to ensure a users full control over their own data, but being online has become a frustrating experience for people in Europe. Annoying banners designed to make rejecting cookies extremely complicated are all over the web. In their banner designs, companies use so-called “dark-patterns” to get users to click the “accept” button because it is too burdensome to decline.
“Deceptive cookie banner designs try to force a user’s agreement by making it insanely burdensome to decline cookies. The GDPR actually requires a fair yes/no choice, not crazy click-marathons.” – Ala Krinickytė, Data Protection Lawyer at noyb
noyb aims for cooperation. noyb scanned thousands of websites that use the most common cookie banner software, called “One Trust”. The noyb legal team reviews each relevant website and generates a GDPR complaint. Companies are then served with an informal draft complaint, a step-by-step guide (PDF) on how to adapt their software settings and a 60 day grace period to comply. Only if they choose to not fully comply, does noyb file a complaint with the relevant authority. Further details can be found in the FAQs on our WeComply platform.
“We want to ensure compliance, ideally without filing cases. However, if a company continues to violate the law, we are ready to enforce users’ rights.” – Max Schrems, Chairman at noyb
High compliance rate. Many of the websites that have been contacted by noyb have adapted their design to a fair "yes/no" approach, some even went “cookie-free” and got rid of the banner altogether. OneTrust has also alerted websites to adapt settings and even adapted the standard settings of the software to comply with the noyb complaints.
“We mainly saw positive feedback from websites, but also noticed a large spill-over effect. Many websites we have not contacted yet have adapted their settings once they heard about these complaints. This shows that enforcement ensures compliance beyond the individual case. We were also contacted by users who noticed an increasing amount of "reject" buttons appear on websites in the last year.” – Max Schrems, Chairman at noyb
noyb is now gathering more data and statistics to see how these effects have materialized in practice. More details will be presented in the next months.
Helpless cases left. In the last round, only 24% of all violations were remedied within grace period of 60 days. Unfortunately, 80% of companies failed to fully comply and we had to file a total of 226 complaints with 18 DPAs. In the first round, 42% of all violations were remedied within 30 days.
“After one year, we got to the hopeless cases that hardly react to any invitation or guidance. These cases will now have to go to the relevant authorities.” – Max Schrems, Chairman at noyb
Next steps. In the coming months, noyb will continue following its goal to get rid of deceptive cookie banners and scan, review, warn and enforce the law on thousands of websites. noyb will also extend its scope to pages that use other Consent Management Platforms (CMPs) than OneTrust, such as TrustArc, Cookiebot, Usercentrics, Quantcast etc. The European Data Protection Board (EDPB) launched a special taskforce to coordinate the responses of the DPA. Currently noyb is still waiting for first decisions in the complaints which have been filed in August 2021, even though many of the cases have seen considerable progress.