noyb files 422 formal GDPR complaints on nerve-wrecking “Cookie Banners”

Aug 10, 2021

noyb files 422 formal GDPR complaints on nerve-wrecking “Cookie Banners”

As part of a one-year project on "deceptive designs" and "dark patterns", noyb aims to scan, warn and enforce the GDPR on up to 10.000 websites in Europe. After sending a written warning and a “draft complaint” to more than 500 companies on May 31st, 42% of all violations were remedied within 30 days. However, 82% of all companies have not fully stopped violating the GDPR. Accordingly, noyb filed 422 complaints with ten data protection authorities today.

42% of all violations in first batch of 516 websites fixed. In the first batch of complaints, companies remedied 42% of the violations that noyb identified in Spring 2021. Of the companies that previously violated the law in this respect, 42% added a “reject” option. 68% removed “pre-ticked” boxes. 46% solved issues around using different colors for “accept” and “reject” buttons. 22% gave up on claiming that they have a “legitimate interest” that would allow tracking without user consent. Overall, 1028 individual violations across more than 516 websites were removed by the companies. Among the companies that fully stopped using “dark patterns” to gain user consent, are global brands like Mastercard, Procter & Gamble, Forever 21, Seat or Nikon.

“Withdrawal” option biggest obstacle for compliance. The biggest resistance from websites concern the GDPR’s requirement to make withdrawing consent as easy as giving consent. Only 18% added such an option (a “withdrawal icon”) to their website.

Max Schrems, Chairperson of noyb: “We saw a lot of improvements on many websites and are very happy with the first results. Some major players like Seat, Mastercard or Nikon have instantly changed their practices. However, many other websites have only stopped the most problematic practices. For example, they may have added a ‘reject’ option, but still make it hard to read. The requirement to show a prominent withdrawal option clearly faced the biggest resistance from website owners.

422 cases filed with DPAs in ten countries. As many companies have only resolved certain violations, noyb still had to file complaints in 422 of the 516 cases, or in 82% of all initial draft complaints. It will therefore be up to Data Protection Authorities (DPAs) to review the complaints by noyb and enforce the law.

Max Schrems: “In informal feedback we heard that companies worried that competitors would not comply which would create unfair advantages. Others said that they want a clear ruling by the authorities, before they start complying. We therefore hope that the data protection authorities will issue decisions and sanctions soon.”

Additional 36 “major” pages fully resisted. Independent of scanning websites in the first batch, noyb also looked into larger global and national websites that use custom “cookie banners” and required manual review. This includes all major platforms like Amazon, Twitter, Google or Facebook. All of them have resisted settling fixing their banners. noyb will consequently file an additional 36 complaints concerning these websites. These pages are not included in the statistics above, as their violations were somewhat different than the automatically scanned pages.

Max Schrems: “There is a trend that larger players and pages that are very dependent on advertisement largely ignored our offer to settle cases. Some openly argue that it would be legal to manipulate users into clicking ‘okay’. We will obviously bring cases here as well.”

Need for European Harmonization. Many DPAs already issued non-binding guidelines on the use of “dark patterns” in cookie banners. While they all go in the same direction, they are often only discussing certain types of dark patterns and stay silent on others. noyb has based its complaints on the various guidelines, but businesses regularly rejected guidelines from other DPAs from another Member State.

Max Schrems: “We need clear pan-European rules. Right now, a German company feels that the French authorities’ interpretation of the GDPR only applies to France, even though they operate under the same law within the same European market.”

Special Role of Austrian DPA. noyb has tried to file directly with the local DPA of the website whenever possible. We have contacted the relevant DPAs beforehand. About 50% of all complaints will be filed with the Austrian DPA (“Datenschutzbehörde”) who will, in turn, have to relay these cases to other countries, as noyb is unable to file in the relevant languages. In about 100 cases there is no establishment in the EU which makes the Austrian DPA the sole authority as the complainants are based in Vienna. The fact that about half of the cases go through Austria, makes the small Austrian DPA a central player in this case which is rather demanding for an authority with limited budget and personnel.

Max Schrems: “We have done everything in our power to streamline these complaints. Nevertheless, we are fully aware that this first ‘mass complaint’ in the EU will be demanding for authorities.”

Next Steps. As the first test phase is now completed, noyb will aim at the current goal and scan, review, warn and enforce the law on up to 10,000 website within one year, so that users will have a real choice in the future.

Max Schrems: "We expect the first decisions by the end of the year. By then we should see most other websites switch to simple 'yes' or 'no' options."