Many more Cookie Banners to go: Second Wave of Complaints underway
This week, noyb launched the second round of its action against deceptive cookie banners, following a first batch in May 2021. Another 270 draft complaints were sent to website operators whose banners don’t comply with the GPDR. noyb offers guidelines for companies on how to comply and only files formal GDPR complaints against those who remain non-compliant after a 60-day grace period. The first wave has already proven to be successful: As a reaction to our first batch in 2021, more and more websites have implemented compliant banners. In an obvious "spill over" effect, even websites that were not targeted by noyb have changed for the better.
Internet users suffer from deceptive designs. The GDPR was meant to ensure that users have full control over their data, but being online has become a frustrating experience for people in Europe. Annoying banners, designed to make rejecting cookies extremely complicated, appear all over the web. In their banner designs, companies use so-called “dark-patterns” to get more than 90% of users to click the “accept” button while industry statistics show that only 3% actually want to agree.
Many internet users mistake this annoying situation as a direct outcome of the GDPR, when in fact companies use deceptive designs that violate the law. The GDPR demands a simple “yes” or “no”, that’s it. – Ala Krinickytė, Data Protection Lawyer at noyb
noyb aims for cooperation. The noyb legal team reviews each website, while the system automatically generates a GDPR complaint. Companies then get an informal draft complaint, a step-by-step guide (PDF) on how to adapt their software settings and 60 days to comply. Only if they choose not to fully comply, noyb will file a complaint with the relevant authority, which may issue a fine of up to € 20 Million. Further details can be found in the FAQs on our platform.
“We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights.” – Max Schrems, Chairman at noyb
Less violations after the first round. In the first round, 42% of all violations were remedied within 30 days. However, 82% of all companies did not fully comply and noyb had to file a total of 456 complaints with 20 different data protection authorities (DPAs). The European Data Protection Board (EDPB) subsequently launched a special taskforce to coordinate their responses and by now, most DPAs have confirmed the receipt of complaints. Some companies have been improving their banners in the course of the procedures and noyb even withdrew three complaints in cases where banners were brought into full compliance after the filing.
"Despite having seen some improvements in banner design, more work will be necessary to also turn the persistently non-compliant companies around." – Ala Krinickytė, Data Protection Lawyer at noyb
Many websites changed their design. Many of the websites that have been contacted by noyb have already adapted their design to a "yes/no" approach. This includes Nikon, Domino's Pizza and Unilever. You can see some before/after examples below.
"Spill Over" effect to other websites. When working on the second round of complaints, noyb realised that previously scanned websites have improved their GDPR compliance, once the first round of compliants was filed - even when they were not contacted by noyb. The move was so immense, that noyb had to scan all websites again to find remaining violations. This may have been based on information campaigns by the providers of cookie banner software, that informed businesses about ongoing enforcement. In legal theory, enforcement should not just lead to change of behavior of an individual, but also to general "deterrence". This is exactly what happened here.
"We saw a clear 'spill over' effect. Many websites we have not yet contacted quickly improved their settings, once we started filing complaints. This means that our approach was ensuring compliance beyond the individual cases." – Ala Krinickytė, Data Protection Lawyer at noyb
Further rounds in preparation. In the coming months, noyb will continue following its goal to get rid of deceptive cookie banners and scan, review, warn and enforce the law on up to 10,000 websites. noyb will also extend its scope to pages that use other Consent Management Platforms (CMPs) than OneTrust, such as TrustArc, Cookiebot, Usercentrics, Quantcast etc. which currently can’t be detected by the software.