European privacy advocacy group, noyb, has fired off a second batch of cookie consent complaints (270 in total) — targeting websites in the region which it says are failing to properly request users’ consent to be tracked for ad targeting.
The problem is consent popups that don’t contain a clear choice and/or use illegal dark patterns to trick consumers into ‘agreeing’ to being tracked and profiled so the publisher can make money by selling their attention.
noyb’s counter message is simple: Reform your deceptive cookie pop-ups — or face the threat of formal enforcement.
If the websites receiving noyb’s draft complaints do not fix the non-compliant cookie banners being flagged to them it says it will file formal complaints with EU data protection authorities — at which point violating publishers are risking fines of up to €20 million under regional data protection law (i.e. if DPAs subsequently confirm a breach and decide a fine is merited).
noyb’s latest move on manipulative cookie banners follows a first wave of 560 complaints it sent to sites last year — focused on users of the OneTrust consent management platform — an action it says yielded substantial change, with close to half (42%) of all violations it identified being remedied within 30 days (noyb gives sites 60 days to make recommended changes before it files a formal complaint).
Given the rampant scale of cookie consent violations across the EU that looks like an impressive success rate. But, clearly, there are still far too many bogus cookie banners out there. So noyb is not ending the campaign yet.
noyb founder Max Schrems explained that this batch is a second-step action related to the original list of 5,000 websites it identified last year.
“We got a list of about 5,000 websites. We went through the first roughly 500 last time, this is the rest that was large enough to be relevant that uses OneTrust as a CMP [Consent Management Platform],” he told TechCrunch. “Next we will move on to other CMPs.”
noyb has used automation to scale this “WeComply” campaign — developing a tool which automatically parses consent flows to identify compliance problems with how choices are presented to users (such as no opt-out being offered at the top layer; or confusing button coloring; bogus “legitimate interest” opt-ins etc). Its platform then automatically creates a draft report which can be emailed to an offending site after it’s been reviewed by a member of noyb’s legal staff.
This smart approach has enabled a tiny not-for-profit to envisage filing up to 10,000 cookie consent complaints — and, through this mass action, to grapple with systematic rule breaking by the tracking-ads sector which even some of the largest regional data protection authorities still haven’t touched (hi ICO!).
While noyb’s strategy here, of tackling systemic law breaking at the publisher end of the adtech chain, has led to a first surge of cookie banner reforms, its action has also highlighted systemic intransigence: It says the vast majority of companies (82%) it contacted in the first wave did not fully comply — hence it went on to file 456 complaints with 20 different data protection authorities around the EU.
And hence it’s also filing another batch of complaints now.
“Despite having seen some improvements in banner design, more work will be necessary to also turn the persistently non-compliant companies around,” said Ala Krinickytė, data protection lawyer at noyb, in a statement.
In addition to noyb’s direct action to nudge publisher compliance, the European Data Protection Board (EDPB) subsequently announced a special taskforce to coordinate responses to the formal complaints — and noyb says that now “most” DPAs have confirmed receipt of those complaints.
And while decisions on the complaints are generally still yet to flow, it’s clear that on the cookie consent issues the enforcement train is getting going. Hence our warning last year that Europe’s cookie consent reckoning is coming.
In recent months we have already seen some major decisions on cookies, too — such as France’s CNIL fining Google and Facebook over dark pattern design baked into their cookie banners this January; and the European Data Protection Supervisor’s ruling, also at the start of the year, slapping the European Parliament for confusing and deceptive cookie consent.
France also hit Google and Amazon with hefty fines in December 2020 for dropping tracking cookies automatically — i.e. without even a pantomime fig-leaf of consent.
(And even the outgoing UK information commissioner warned the adtech industry that the end of tracking is nigh last fall, as she departed for the private sector.)
While enforcement of the EU’s General Data Protection Regulation (GDPR) has led to many cross-border complaints being funnelled through Ireland’s DPA, creating a notorious bottleneck that’s impeded GDPR enforcement — France has been able to take the initiative against tech giants on this particular issue since cookie consent falls under the older ePrivacy Directive, which does not require complaints against cross-border operators to be passed to a ‘lead’ data supervisor.
ePrivacy also means complaints on cookies can be filed against publishers in relation to their activities in Member States across the EU — so noyb’s hundreds of cookie consent complaints are spread across multiple data protection authorities, not backed up on the desk of one or two.
Such strategic action — by noyb and France’s CNIL — gives a flavor of what functional (i.e. active) decentralized enforcement of EU data protection can look like (literally: major fines for tech giants and mandatory reform orders for systemic rule breaking); and what that in turn can deliver for people and the wider web (fewer dark patterns, less tedious clicking, better protection for information… and an impetus for reform that is forcing adtech giants like Google to grapple with how to rethink the whole business of targeting).
noyb has collated a gallery of before and after screenshots of some of the cookie banners its campaign successfully targeted so far — which mostly shows sites had lacked a clear ‘reject all’ option at the top level (i.e. equivalent to the ‘accept all’ button); and that, following its campaign, this subset of publishers switched to offering their users a clear choice to opt out of tracking.
See — that wasn’t so hard was it?
noyb also highlights what it dubs a “spill over” effect, saying it noticed that some websites which it hadn’t targeted in the first wave of complaints nonetheless improved their cookie banners — likely as a result of rising industry awareness on the issue.
“Many websites we have not yet contacted quickly improved their settings, once we started filing complaints. This means that our approach was ensuring compliance beyond the individual cases,” added Krinickytė.
noyb’s observation suggests active enforcement of data protection can have a galvanizing effect — at least on customer-facing entities like publishers — which could help spark wider reform of dysfunctional adtech industry ‘norms’.
After all, publishers have reputational risk to consider — so if enough sites switch away from harmful defaults it could create momentum for a mass break with the tracking industry’s countervailing push to grab people’s data regardless of what they say when signalling their ‘privacy choices’.
It is also abundantly clear that a historical lack of enforcement around data protection has had the opposite effect — enabling rampant consentless tracking of web users, and a whole murky industry of data brokers, ‘enrichers’ and traders to grow up in the shadows like a weed — and it’s only now, years after the EU’s long standing data protection powers were dialled up by the GDPR (and crucially enforcement potential got beefed up by empowering civil society groups like noyb to help defend individuals’ rights), that we’re starting to see the first green shoots of genuine privacy reform.
Consent management platforms (CMPs) have for far too long been appropriated as a strategic tool by the adtech industry to systemically steal consent — as the recent Belgian DPA finding that the IAB Europe’s “Transparency and Consent Framework” breaches the GDPR underlines.
It’s also interesting to consider how many individual publishers may have felt nudged and/or shielded to configure illegal defaults in their cookie banners exactly because of the systemic lawlessness of the tracking industry going unpunished for so long.
Many may simply have set the kind of ‘consent’ defaults they saw all around them online — aligning with an adtech-shaped ‘norm’ without realizing quite how dysfunctional and, er, illegal it was.
That’s what makes noyb’s cookie campaign so potent: If it generates enough momentum the whole industry could flip into a new alignment — where quality of service, not manipulative dark patterns, is the secret sauce you need to win consumers’ trust to provide their information.
In the meanwhile, noyb will be further expanding its WeComply campaign to purge the web of deceptive cookie banners — continuing to file more complaints (up to its 10,000 goal); including, as Schrems notes, by extending the scope of the campaign to pages that use other CMPs which its software isn’t currently configured to detect (such as TrustArc, Cookiebot, Usercentrics, Quantcast etc).
And if you still think having to click a ‘reject all’ or ‘accept all’ button on every website you visit is far too tedious, noyb has previously suggested a techie fix for that: An advanced browser level control to express user-configured choices. It just needs EU lawmakers to pick up the baton and make such signals clearly legally binding (GDPR does already allow for automated signals from the browser expressing consent choices; but reform of ePrivacy, where such a mechanism could be explicitly set out, remains stalled).
That again makes broad industry reform key; lawmakers are always more comfortable pushing pro-consumer changes if they don’t have thousands of businesses screaming at them to do the polar opposite.