On May 31, 2021, the privacy advocacy group noyb launched a new initiative to identify companies whose cookie banners they believe are not complying with the GDPR. Led by Austrian privacy campaigner Max Schrems, noyb’s role in our ecosystem is to serve as a privacy enforcement NGO. On August 10, 2021, noyb announced they had filed 422 formal GDPR complaints. A year later, they filed a second round of 226 formal GDPR complaints specifically against OneTrust customers who are not utilizing a “reject” button, but actions against other CMP providers are expected.
According to noyb, they are using an automated system to submit complaints in an effort to shine a light on what they view as widespread violations of the GDPR through the use of unlawful cookie banners. Noyb continues to work to identify the top 10,000 European websites they believe have non-compliant cookie banners. To date, they have identified the likes of Google, Twitter and more than 500 others.
At Sourcepoint, we know that compliance with the GDPR is critical, non-negotiable — and complex. While this is definitely something all companies should be digging into further on their own, read on for our perspective on noyb’s new initiative.
Who is noyb?
The European Center for Digital Rights, also known as noyb (None of Your Business), is a non-profit organization started in 2017 by Austrian privacy activist, lawyer, and author, Max Schrems.
In recent years, Schrems rose to prominence in the data privacy world for challenging tech giants like Facebook on their privacy practices, and for bringing a court case that aimed to change the way data is transferred from the European Economic Area to certain countries, such as the United States.
Since 2018, noyb has brought numerous cases through the European courts relating to privacy and advertising technology practices. They’ve pointed to the data minimization principle of GDPR to push back on companies that allegedly force visitors to create an account, and instances of what noyb referred to as “forced consent,” where users are required to consent to use of their personal data in full in order to continue using a service.
Why does noyb want to submit GDPR complaints about cookie banners?
The GDPR was meant to serve as a major turning point in the way businesses handle user data. In noyb’s view, however, instead of giving users full control of their personal data, there has been a pattern of unnecessarily complex cookie banners emerging across websites that utilize “dark patterns” to influence users to consent to the use of their personal data.
“A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.” – Max Schrems, Chair of noyb
Noyb views some of the newly implemented cookie banners as a direct violation of the GDPR rather than a user experience issue. To address what they view as problematic consent practices, the organization has created an automated system that reviews individual websites for potential violations and generates a draft GDPR complaint. The draft complaint is then emailed to the company together with a step-by-step guide recommending how to update the cookie banner so that it complies with the regulation. From there the company has 30 days to rectify the violations, after which noyb says it will formally file the complaint with the appropriate data protection authority. This may result in the company being fined up to €20 million or 4% of its annual revenue (whichever is higher). The organization states that its goal is to facilitate compliance, but that it will formally submit a complaint if a company continues to violate the GDPR.
Who is impacted by noyb’s cookie banner complaints?
In the initial 500 complaints submitted by noyb, the companies include tech giants like Google and Twitter as well as local websites with proportionately high traffic. This group covers 560 websites across 33 countries, including every EU/EEA member state—with the exception of Malta and Liechtenstein. A full list has not been published at this time.
Currently, noyb is focused on popular pages in Europe. However, it’s important to note that any company that receives visitor traffic from users located in the EU/EEA must adhere to the GDPR with respect to any personal data collected from such users that falls within the scope of the law. Noyb plans to use their automated system to generate an additional 10,000 complaints with the support of donations from thousands of supporting members.
It’s clear that GDPR enforcement is going to continue to be a key area of focus for companies and individual users alike, and the European courts, along with regional data protection authorities, will continue to evolve their application of the law.
Why should publishers care?
Publishers that collect user consent via cookie banners are on the hook for adhering to the guidelines issued by their local Data Protection Authority (DPA). To keep up with evolving privacy regulations, guidance issued by their DPAs, and challenges from organizations like noyb, publishers need to be able to respond quickly and adapt their consent experiences accordingly.
In August 2021, noyb announced that they had filed an additional set of GDPR complaints against publishers implementing compensation choice experiences based on the PUR model, which offers an “ad-light” subscription. As regulations and legal challenges emerge, a customizable and flexible CMP solution only becomes more crucial: publishers need to be able to update and optimize cookie banners without disrupting the customer experience, and to support their work while still offering clear choices to consumers.
What do publishers need to do?
The best thing publishers can do is consult the guidelines of their supervisory authority to determine the requirements that are applicable to their company. Not all of noyb’s requirements have been made available yet, but so far the list includes (listed here using noyb’s taxonomy):
- Type A: No Reject option in first-layer message
  - noyb asserts that the consumer should be able to reject all processing purposes from the first-layer message, as opposed to having to click into a second-layer message.
- Type B: Pre-ticked consent options in the second layer
- Type C: Deceptive link design
  - Example: the control that leads to the option of rejecting the relevant processing purposes is a text link, while the “accept” call-to-action uses a typical button design.
- Type D: Deceptive button colors
  - Example: the “more details” button has the same background color as the banner, causing it to blend in, while the “accept” button has a different color, causing it to appear highlighted.
- Type E: Deceptive button contrast
  - Example: the contrast ratio for the “more details” and “accept” buttons is below W3C’s minimum standard for web content accessibility (WCAG 2.0), which requires a minimum of 4.5:1 for text.
- Type H: Legitimate interest claimed
  - The controller relied on legitimate interest for advertising purposes, and the only way to object to those purposes was in the second-layer message.
- Type I: Inaccurate classification of cookies
- Type K: Not as easy to withdraw as to give consent
  - There is no option to withdraw consent visible in the banner or elsewhere on the page.
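The Type E criterion above refers to the WCAG 2.0 contrast ratio, which publishers can compute for their own banner before a complaint arrives. The following is an added example, not code from the original post or from noyb or Sourcepoint: it implements the WCAG 2.0 relative-luminance and contrast-ratio formulas for hex colours, checks the 4.5:1 text minimum the page cites, and runs a small audit over a constructed banner description. The audit's Type D check (a non-accept button whose background barely differs from the banner background, using an assumed 1.5:1 threshold) is a heuristic of this example, not noyb's own test; the banner colours and labels are constructed sample data.

```javascript
// Added example (not from the original post): WCAG 2.0 contrast-ratio checks
// for cookie-banner buttons. All colours and the sample banner are constructed.

// Parse "#rgb" or "#rrggbb" into [r, g, b] channel values in 0..255.
function parseHex(hex) {
  let h = hex.trim().replace(/^#/, "");
  if (h.length === 3) h = h.split("").map((c) => c + c).join("");
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG 2.0 relative luminance: linearise each sRGB channel, then weight them.
function relativeLuminance(hex) {
  const [r, g, b] = parseHex(hex).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// The 4.5:1 minimum for text that the Type E criterion cites.
const WCAG_AA_TEXT = 4.5;

function passesWcagText(fg, bg) {
  return contrastRatio(fg, bg) >= WCAG_AA_TEXT;
}

// Assumed threshold for the Type D heuristic: a button background closer than
// this to the banner background is treated as "blending in".
const BLEND_THRESHOLD = 1.5;

// Audit a first-layer banner description and return one finding per problem:
//  - Type E: button text contrast below 4.5:1 against the button background
//  - Type D (heuristic): a non-accept button whose background blends into the banner
function auditBanner(banner) {
  const findings = [];
  for (const btn of banner.buttons) {
    const textRatio = contrastRatio(btn.text, btn.background);
    if (textRatio < WCAG_AA_TEXT) {
      findings.push({ type: "E", button: btn.label, ratio: +textRatio.toFixed(2) });
    }
    const blendRatio = contrastRatio(btn.background, banner.background);
    if (btn.role !== "accept" && blendRatio < BLEND_THRESHOLD) {
      findings.push({ type: "D", button: btn.label, ratio: +blendRatio.toFixed(2) });
    }
  }
  return findings;
}

// Constructed sample: a white banner with a dark-blue "Accept all" button and a
// "More details" button whose background equals the banner's and whose text is #777.
const SAMPLE_BANNER = {
  background: "#ffffff",
  buttons: [
    { label: "Accept all", role: "accept", text: "#ffffff", background: "#0d47a1" },
    { label: "More details", role: "details", text: "#777777", background: "#ffffff" },
  ],
};

console.log(auditBanner(SAMPLE_BANNER));
```

Run with `node` to print the findings for the sample banner: the “More details” button fails Type E (its #777 text on white is about 4.48:1, just under 4.5:1) and triggers the Type D heuristic (1:1 against the banner), while the accept button passes both. Replace `SAMPLE_BANNER` with the colours from your own CMP message to audit it.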
Resources for Sourcepoint customers
If you believe you aren’t meeting noyb’s requirements as outlined above and would like to update your CMP implementation, please refer to the following Help Center articles for instructions. As always, if you have any additional questions, please reach out to your Technical Account Manager.
- Type A: How to add Reject button in first layer message
- Type B: How to update your message UI elements
- Type H: How to change the legal basis of vendor purposes from legitimate interest to consent
- Type K: How to add a link to the Privacy Manager in your footer to allow users to withdraw consent as easily as it was given
Again, it’s important to check in with your local DPA regarding more specific guidelines for adhering to the GDPR and local privacy laws and regulations.
As a consent management service provider, we want to ensure our software products always keep you current and ahead of the evolving regulations. This includes keeping you informed of software updates and improved consent management feature capabilities. If you’d like to learn how Sourcepoint’s platform can help you quickly adapt to ever-changing GDPR practices, schedule a demo!