
Privacy Group Hits Illegal Cookie Banners with Wave of Complaints

Michael Behr


While all websites need permission to gather user data, the complaints aim to tackle illegal manipulation by companies to gather consent.

A privacy rights group aims to tackle illegal cookie banners by issuing over 500 complaints, the largest number in GDPR’s three-year history.

The group, noyb, created a piece of software to spot various types of unlawful cookie banners and automatically generate complaints. While the activists’ lawyers review each website, the system emails companies an informal draft complaint, along with a guide to ensure compliance with GDPR.

However, the group added that it will give companies a one-month grace period to comply with EU laws before filing the formal complaint.

The initial 560 companies include tech giants such as Google and Twitter.

Since GDPR came into force, cookie banners have become a common sight for internet users across Europe. These are the boxes that appear when a user first visits a website seeking express permission to track user data.

GDPR requires a user to provide informed, unambiguous consent that is given freely. This means that cookie banners cannot manipulate or force users into consenting, use pre-ticked checkboxes, or interpret scrolling or browsing as consent.

In addition, it prevents the use of cookies that are not necessary for the website’s basic functions.

According to noyb, most banners do not comply with GDPR requirements, with many making it complicated to click anything but the “accept” button. The group said that companies use techniques to get over 90% of users to “agree”, despite industry statistics showing that only 3% of users actually want to give consent.

Of the 560 pages that have received a complaint, noyb said that 81% did not offer a reject option on the initial page at all. Nearly three-quarters (73%) used deceptive colours to draw users to the accept button and 90% did not provide a way to easily withdraw consent.

By using the automatic complaint system, the group aims to ensure that up to 10,000 of the most visited websites in Europe are GDPR compliant.

If successful, users should see a decrease in illegal cookie banners, with more websites offering a simple and clear “yes or no” option, the group said.


Privacy group noyb was co-founded by privacy activist Max Schrems, who filed the cases against Facebook that resulted in the Schrems I and II decisions, which overturned the tools used to transfer data between the EU and US, Safe Harbour and Privacy Shield.

Schrems: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles.

“Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”

He continued: “Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible.

“Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.”

Michael Behr

Senior Staff Writer
