European privacy advocacy group noyb has fired off a second batch of cookie consent complaints (270 in total) targeting websites in the region that it says are failing to properly request users’ consent to be tracked for ad targeting.
The problem is consent popups that don’t contain a clear choice and/or use illegal dark patterns to trick consumers into “agreeing” to being tracked and profiled so the publisher can make money by selling their attention.
The advocacy group’s counter-message is simple: Reform your deceptive cookie pop-ups — or face the threat of formal enforcement.
If the websites receiving noyb’s draft complaints do not fix the non-compliant cookie banners, it says it will file formal complaints with EU data protection authorities — at which point violating publishers risk fines of up to €20 million under regional data protection law (i.e., if DPAs subsequently confirm a breach and decide a fine is merited).
This latest move from noyb on manipulative cookie banners follows a first wave of 560 complaints it sent to sites last year focused on users of the OneTrust consent management platform, an action it says yielded substantial change, with close to half (42%) of all violations it identified being remedied within 30 days (noyb gives sites 60 days to make recommended changes before it files a formal complaint).
Given the rampant scale of cookie consent violations across the EU, that looks like an impressive success rate. But, clearly, there are still far too many bogus cookie banners out there. So noyb is not ending the campaign yet.
The group’s founder, Max Schrems, explained that this batch is a second-step action related to the original list of 5,000 websites it identified last year.
“We got a list of about 5,000 websites. We went through the first roughly 500 last time; this is the rest that was large enough to be relevant that uses OneTrust as a CMP [Consent Management Platform],” he told TechCrunch. “Next we will move on to other CMPs.”
The “WeComply” campaign relies on a tool developed by noyb that automatically parses consent flows and identifies compliance problems with how choices are presented to users, such as no opt-out being offered at the top layer, confusing button coloring, bogus “legitimate interest” opt-ins, etc. Its platform then automatically creates a draft report that can be emailed to an offending site after it’s been reviewed by a member of noyb’s legal staff.
This smart approach has enabled a tiny not-for-profit to envisage filing up to 10,000 cookie consent complaints — and, through this mass action, to grapple with systematic rule-breaking by the tracking-ads sector, which even some of the largest regional data protection authorities still haven’t touched (hi, ICO!).
While noyb’s strategy here, of tackling systemic law-breaking at the publishers’ end of the adtech chain, has led to a first surge of cookie banner reforms, its action has also highlighted systemic intransigence: It says the vast majority of companies (82%) it contacted in the first wave did not fully comply, which is why it went on to file 456 complaints with 20 different data protection authorities around the EU.
And it’s also why it’s filing another batch of complaints now.
“Despite having seen some improvements in banner design, more work will be necessary to also turn the persistently non-compliant companies around,” Ala Krinickytė, a data protection lawyer at noyb, said in a statement.
In addition to noyb’s direct action to nudge publisher compliance, the European Data Protection Board subsequently announced a special task force to coordinate responses to the formal complaints — and noyb says that now “most” DPAs have confirmed receipt of those complaints.
And while decisions on the complaints are generally still yet to flow, it’s clear that on the cookie consent issues, the enforcement train is getting going. Hence our warning last year that Europe’s cookie consent reckoning is coming.
In recent months, we have already seen some major decisions on cookies, too — such as France’s CNIL fining Google and Facebook over dark pattern design baked into their cookie banners this January, as well as the European Data Protection Supervisor’s ruling slapping the European Parliament for confusing and deceptive cookie consent.
France also hit Google and Amazon with hefty fines in December 2020 for dropping tracking cookies automatically.
(And even the outgoing U.K. information commissioner warned the adtech industry that the end of tracking is nigh as she departed for the private sector last fall.)
While enforcement of the EU’s General Data Protection Regulation (GDPR) has led to many cross-border complaints being funneled through Ireland’s DPA, creating a notorious bottleneck that’s impeded GDPR enforcement, France has been able to take the initiative against tech giants on this particular issue since cookie consent falls under the older ePrivacy Directive, which does not require complaints against cross-border operators to be passed to a “lead” data supervisor.
The ePrivacy Directive also allows for complaints on cookies to be filed against publishers in relation to their activities in Member States across the EU — so noyb’s hundreds of cookie consent complaints are spread across multiple data protection authorities, not backed up on the desk of one or two.
Such strategic action — by noyb and France’s CNIL — gives a flavor of what functional (i.e., active) decentralized enforcement of EU data protection can look like. That includes major fines for tech giants and mandatory reform orders for systemic rule-breaking, as well as what that can deliver for people and the wider web — fewer dark patterns, less tedious clicking, better protection for information, and an impetus for reform that is forcing adtech giants like Google to grapple with how to rethink the whole business of targeting.
This gallery of before-and-after screenshots shows some of the cookie banners noyb’s campaign has successfully targeted so far. Many sites lacked a clear “reject all” option at the top level (equivalent to the “accept all” button). Following its campaign, this subset of publishers switched to offering their users a clear choice to opt out of tracking.
See — that wasn’t so hard, was it?
The advocacy group also highlights what it dubs a “spillover” effect, saying it noticed that some websites that it hadn’t targeted in the first wave of complaints nonetheless improved their cookie banners — likely as a result of rising industry awareness on the issue.
“Many websites we have not yet contacted quickly improved their settings once we started filing complaints. This means that our approach was ensuring compliance beyond the individual cases,” added Krinickytė.
That observation suggests active enforcement of data protection can have a galvanizing effect — at least on customer-facing entities like publishers — which could help spark wider reform of dysfunctional adtech industry norms.
After all, publishers have reputational risk to consider — if enough sites switch away from harmful defaults, it could create momentum for a mass break with the tracking industry’s countervailing push to grab people’s data regardless of what they say when signaling their “privacy choices.”
It is also abundantly clear that a historical lack of enforcement around data protection has had the opposite effect — enabling rampant consentless tracking of web users and a whole murky industry of data brokers, “enrichers” and traders. It’s only now, years after the EU’s long-standing data protection powers were dialed up by the GDPR (and, crucially, enforcement potential got beefed up by empowering civil society groups like noyb) that we’re starting to see the first green shoots of genuine privacy reform.
Consent management platforms (CMPs) have for far too long been appropriated as a strategic tool by the adtech industry to systemically steal consent — underlined by the recent Belgian DPA finding that the IAB Europe’s “Transparency and Consent Framework” breaches the GDPR.
It’s also interesting to consider how many individual publishers may have felt nudged and/or shielded to configure illegal defaults in their cookie banners exactly because of the systemic lawlessness of the tracking industry going unpunished for so long.
Many may simply have set the kind of “consent” defaults they saw all around them online — aligning with an adtech-shaped “norm” without realizing quite how dysfunctional and, er, illegal it was.
That’s what makes noyb’s cookie campaign so potent: If it generates enough momentum, the whole industry could flip into a new alignment — where quality of service, not manipulative dark patterns, is the secret sauce you need to win consumers’ trust to provide their information.
In the meantime, noyb will be further expanding its WeComply campaign to purge the web of deceptive cookie banners, continuing to file more complaints (up to its 10,000 goal) including, as Schrems notes, by extending the scope of the campaign to pages that use other CMPs that its software isn’t currently configured to detect, such as TrustArc, Cookiebot, Usercentrics and Quantcast.
And if you still think having to click a “reject all” or “accept all” button on every website you visit is far too tedious, noyb has previously suggested a techie fix for that: an advanced browser-level control to express user-configured choices. It just needs EU lawmakers to pick up the baton and make such signals clearly legally binding. (GDPR does already allow for automated signals from the browser expressing consent choices, but reform of ePrivacy, where such a mechanism could be explicitly set out, remains stalled.)
That again makes broad industry reform key; lawmakers are always more comfortable pushing pro-consumer changes if they don’t have thousands of businesses screaming at them to do the polar opposite.