Hold-outs targeted in fresh batch of noyb GDPR cookie consent complaints

Just over a year after launching a major project targeting thousands of sites blatantly flouting cookie tracking rules in Europe, regional privacy campaign group noyb has fired off another batch of complaints targeting a hardcore of website operators that it says have ignored or not fully acted upon earlier warnings to bring their cookie consent banners into compliance with the EU’s legal standard for consent, such as the General Data Protection Regulation (GDPR).

Noyb says the latest batch of 226 complaints have been lodged with 18 data protection authorities (DPAs) around the bloc.

As with earlier actions by noyb, all the complaints relate to the most widely used cookie banner software, made by OneTrust. But it’s not the software itself that’s the issue — rather the complaints target deceptive settings it found being applied. Or even no choice at all being offered to site users to deny tracking in a clear breach of the law around consent.

Deceptive cookie pop-ups have had a corrosive impact not only on the privacy rights of web users in the region, systemically stripping people of their right to protect their information, but they have also been very damaging for the reputation of EU data protection rules like the GDPR — enabling critics to blame the regulation for spawning a tsunami of annoying cookie banners despite the fact the law clearly outlaws consent theft via cynical tactics like injecting one-way friction or offering users zero opt-out “choice.”

The vast scale of cookie consent violations has, nonetheless, posed a major enforcement challenge for the bloc’s network of underresourced data protection authorities — hence noyb stepping in with a smart and strategic approach to help clean up the “cookie banner terror” scourge, as its campaign couches it.

Given noyb’s focus on impact, and the extremely widespread nature of cookie consent problems, the campaign group has sought to minimize how many formal complaints it’s filing with regulators — so its partially automated compliance campaign entails sending initial complaints to the offending sites in question, offering help to rectify whatever dark patterns (or other bogus consent issues) noyb has identified.

It’s only sites that have repeatedly ignored these nudges and step-by-step compliance guidance that are being targeted for formal complaints with the relevant oversight body now.

“We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights,” said Max Schrems, chairman at noyb, in a statement.

“After one year, we got to the hopeless cases that hardly react to any invitation or guidance. These cases will now have to go to the relevant authorities,” he added.

Thus far, noyb credits its cookie consent campaign with generating what it couches as a “large spill-over effect” — with, not only directly targeted violating consent banners being amended but some non-targeted sites also adapting their settings after they heard about the complaints. “This shows that enforcement ensures compliance beyond the individual case,” argues Schrems. “I guess many users have realized that, for example, more and more ‘reject’ buttons gradually appeared on many websites in the last year.”

Discussing progress to date, a spokeswoman for noyb also told us: “We have seen an increasing compliance rate in our regular scans (where we scan several thousand websites in Europe using the CMP OneTrust after our first round of warnings last May. This is probably due to an increased awareness due to our complaints, the ‘fear’ that this law might actually be enforced and because OneTrust proactively informed their customers about our complaints and adjusted their standard settings to be ‘noyb compliant.’

“Therefore we consider those websites that still violate the GDPR despite all warnings as ‘hopeless’ cases. All of them are new cases, so none of the companies targeted already last year are in that batch.”

The so-called “hopeless” cases include a mix of (smaller) media sites, popular retailers and local pages, per noyb’s spokeswoman.

Asked for examples of pages which still violate “almost everything” (i.e., where cookie consent rules are concerned) more than a year after the group’s compliance campaign kicked off, she pointed to media sites including https://www.elle.com/ and https://www.menshealth.com/; recipe site www.delish.com; online travel agency booking.com; and fashion retailer aboutyou (in various EU countries).

Other high-profile sites that are being targeted for formal complaints now — and which have remedied “at least some violations” (though not others), in noyb’s assessment — include football site fifa.com; cosmetics retailers rituals.com and clinique.at/de; and streaming giant hbo.com.

While noyb says “most” of the sites it’s formally complaining about now don’t provide users with an option to withdraw their consent to tracking, its spokeswoman noted: “Others have implemented a reject button (30% of all warned websites) but are still ignoring other aspects like deceptive designs.”

Noyb’s cookie complaints have already led to some regulatory action, with the European Data Protection Board (EDPB) establishing a special task force last year to coordinate responses to what the group suggests could end up as as many as 10,000 cookie consent complaints being filed — although the first DPA decisions related to complaints it lodged last year are still pending.

“We hope for the coordinated approach by the EDPB task force,” said its spokeswoman, adding: “The Austrian DPA so far has been the most active one in processing the complaints followed by some of the German DPAs. We hope to receive the first decisions by the end of this year.”

Now that this final round of OneTrust complaints has been filed, the not-for-profit group says it will move onto sites using other so-called consent management platforms (CMPs) — expanding the scope of its automated complaint-cum-compliance platform to cover rival CMPs, such as TrustArc, Cookiebot, Usercentrics and Quantcast.

So scores more sites that haven’t been caught up in noyb’s sweeps yet, despite operating blatantly bogus consent banners, will be on the receiving end of a pointed letter vis-a-vis their cookie compliance in the near future.

In parallel with firing off lots of these letters over the past year+, noyb has also been gathering data on the impact of the cookie complaint project — and plans to issue a report on what it’s learned later this year.

Separately, France’s DPA, the CNIL, has been pretty active on cookie consent enforcement — taking some tough action against a number of tech giants (Amazon, Facebook and Google), under the ePrivacy Directive, that has enabled it to issue some major fines over abusive cookie tracking practices — and which appears to have forced (some) reform.

The ePrivacy legal route has allowed the CNIL to circumvent the GDPR’s one-stop-shop mechanism, which critics blame for undermining enforcement of the bloc’s flagship data protection regulation, especially against Big Tech, by funnelling (and bottlenecking) complaints through a handful of so-called lead DPAs (Ireland being the biggest) on account of a handful of markets having large numbers of tech giants regionally located on their soil.

noyb’s approach of filing large batches of thematic GDPR complaints is another strategy to push back against enforcement delays by simultaneously looping in DPAs across the bloc to tackle an issue, encouraging coordination, joint working and (it hopes) a pipeline of decisions that defend European citizens’ rights.