On 31 May 2020, Max Schrems' organization, NOYB, launched a new campaign aimed at ending what they dramatically refer to as the "cookie banner terror." The campaign was spearheaded by sending over 560 draft complaints to companies who, in their view, use "unlawful" cookie banners. NOYB has provided such companies with a one-month grace period to rectify issues or face formal complaints to regulators.
NOYB has created a software that automatically identifies what they call "violation types." It notes that this system has the capability of generating up to 10,000 complaints over the course of 2021, and has indicated it will be focusing their attention on the most visited websites in Europe. Companies are provided with an informal draft complaint via email along with a step-by-step guide on how to change software settings when using OneTrust as a consent management platform.
Here is an initial analysis of the key "violation types":
Violation Type A (No "Reject" Option)
According to NOYB, users are legally required to be given a clear yes/no option in providing their consent. In terms of cookies, NOYB takes the view that cookie banners that do not have a "Reject" option on the first layer are therefore considered non-compliant. In other words, NOYB seems to argue that valid consent is only achieved in the context of cookies if users are provided with a clear option to reject cookies in the first layer of the banner.
The GDPR, however, does not prescribe a "Reject" option as such to be provided at the time consent is being obtained and, in any event it is arguable whether a reject option is required to be implemented in the first layer cookie banner, as long as there is a way to provide consent.
Violation Type B (Pre-Ticked Boxes on Second Layer)
NOYB contests the use of pre-ticked boxes to obtain consent, and makes the point that pre-ticked boxes found in cookie consent platforms, for example in the settings section, should be removed so that the default option for users is to take an active choice to opt-in to cookies.
Indeed, the GDPR provides that consent should be given by a clear affirmative act, and the recitals outline that pre-ticked boxes should not constitute consent. This view is shared by supervisory authorities in several EU Member States. However, this would not apply to cookies that are exempt from the consent requirement.
Violation Type C (Deceptive Link Design)
NOYB challenges the use of a hyperlink, instead of a button, in terms of the functionality for rejecting cookies. In its view, users are likely to perceive this hyperlink as not being an actual option and, therefore, only being able to accept all cookies. In other words, NOYB considers that users have no genuine choice and are essentially forced into clicking "accept all," and, therefore, that they are misled in giving their consent.
Whilst NOYB raises an interesting point on whether links can "nudge" users towards accepting cookies, whether the design of such a link results in a breach of the GDPR is questionable. On one level, the GDPR does not provide a format of how consent should be obtained, or how and when the option to refuse should be offered. Companies are free to choose the appropriate format and design for and provision of a link, and for some users this may be a way to allow them to effectively give control over which cookies and processing activities they wish to accept or refuse. In addition, the notion here of encouraging users to accept cookies is a subjective one, and leaves room for a wide degree of interpretation by the courts. The accompanying language in the banner is also a factor that should be considered as part of any assessment made, and may help to mitigate against any potential risks of nudging.
Violation Type D and E (Deceptive Button Colors and Button Contrast)
NOYB claims that contrasts between button colors on cookie banners results in invalid consent and a violation of the principles of fairness and transparency, as website users may be encouraged to give consent if the "Accept" button has, for example, been clearly highlighted in a certain color over the other options.
Design features, such as use of color and color contrast, are debated more and more in light of nudging techniques which lead or encourage users to choose certain options. It remains to be seen whether the use of color and color contrast in and of itself results in a violation of the GDPR. Not all users will experience a website or app, including user interfaces and colored buttons or banners, in the same way or be (significantly) influenced by color or contrast use. In any event, as mentioned above, the principle of nudging users is subjective and leaves scope for a variety of viewpoints.
Violation Type H (Legitimate Interest Claimed)
Another key violation raised by NOYB concerns legitimate interests in the context of cookies. NOYB indicates that any option in which users can opt to rely on legitimate interests should be removed from the cookie banner.
Under the ePrivacy Directive, consent (as opposed to legitimate interests) is required for the storage of/access to non-essential cookies, and as such reference should not be made to legitimate interests in the banner. NOYB does not, however, appear to have addressed subsequent processing of data gained via cookies, including the most appropriate lawful grounds to rely on in this context. Crucially, such rules are separate from the ePrivacy Directive, and seem to fall outside of NOYB's scope of review.
Violation Type I (Inaccurate Classification of Cookies)
NOYB seems to argue that some companies have incorrectly classified cookies, and points out that, for example, cookies relating to statistics/advertising are not "strictly necessary" as defined under the ePrivacy Directive.
NOYB rightly notes that non-essential cookies should be correctly categorized as such, although the broader question relates to the level of granularity required with respect to how non-essential cookies are classified. Moreover, supervisory authorities across the EU adopt somewhat diverging views on what constitutes "essential cookies," with some adopting a broader interpretation of what can be deemed "essential" (which may, for example, in certain cases include non-personalized analytics cookies).
Violation Type K (Not as easy to withdraw as to give consent)
NOYB claims that users need to be provided with an easily accessible option to withdraw their consent, which in their view is achieved by a prominent "withdraw banner" or similar option on the cookie banner. They argue that a failure to present this to users is a breach of the GDPR.
Whilst the GDPR does state that it must be as easy to withdraw as to give consent in the first place, the law is silent on whether, in practice, withdrawal must always be done through the same action or in the same format as used for obtaining consent. In addition, the right to withdrawal is not required to be presented at the same time as obtaining consent. Companies have flexibility to determine how they allow website users to withdraw their consent on their website and explain the process in their privacy/cookie notice.
What next?
The notice and consent requirements for the use of cookies have been the subject of a heated legal debate for well over a decade. Over the past year, regulators have become increasingly active on this front and NOYB's campaign will no doubt contribute to intensify the current debate. This move may even lead some to question the practical viability of cookie consent from a public policy perspective, which is still an open legislative issue in the context of the forthcoming EU ePrivacy Regulation. However, in the short term, it presents a useful opportunity for companies to review their strategy for cookie consent compliance by assessing the merits of the arguments made by NOYB and making any necessary changes in light of the business and legal imperatives.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
