All Blog Posts

NOYB cookie banner complaints

Privacy group NOYB led by Max Schrems has filed 422 complaints on unlawful cookie banners to EU data protection authorities in a large-scale push to simplify cookie consent to a clear yes/no answer in compliance with the EU’s GDPR.

Updated January 17, 2022.

Using a new tool that can determine the GDPR compliance of a website’s consent flow, NOYB aims to file up to 10,000 complaints by the end of 2021.

Cookiebot consent management platform (CMP) comes with strict standard settings that automatically provides your website with a fully GDPR compliant cookie banner.

Does your website’s cookie banner live up to the GDPR’s requirements? See our comprehensive guide for making your cookie banner GDPR compliant and scan your website for free to find and control all cookies.

Illustration of a person on a ladder trimming a hedge into the shape of a notice - Cookiebot

The non-profit privacy group NOYB (None of Your Business) has announced a campaign to “end cookie banner terror” on the Internet by forcing websites to trim deliberately complicated and unlawful cookie banners in order to become compliant with the EU’s General Data Protection Regulation (GDPR).

On May 31, NOYB filed over 500 draft complaints to companies in 33 EU countries who use cookie banners on their websites in ways that violate the GDPR’s requirements for protection of end-users’ personal data, e.g. by nudging end-user behavior or simply by being overly complex in their design (also known as “dark patterns”).

Using a newly developed technology that can map out a website’s consent flow and determine whether it’s in violation of the GDPR, NOYB plans to send up to 10,000 such draft complaints to websites before the end of 2021.

On August 17, NOYB then filed 422 complaints to data protection authorities in ten EU countries, making good of their threat to pursue legal action on the companies that didn’t fix their non-compliant cookie banners within a month. Even though 42% of the violations originally flagged in the May draft complaints had been fixed, according to NOYB, 82% of companies were still non-compliant with the EU’s GDPR.

Cross and tick icons cut into a Hedge - Cookiebot
NOYB is forcing websites in the EU to trim deliberately unlawful cookie banners to clear yes/no choice.

According to the EU’s GDPR and the European Data Protection Board (EDPB), consent to cookies on website must be freely given, specific, informed, and unambiguous to be valid.

That’s why cookie banners must give end-users a clear yes/no choice between accepting or rejecting cookies.

The websites in NOYB’s cookie banner complaints violate this basic requirement in different ways, including –

  • Cookie banners have no “reject” option next to “accept”, meaning that users cannot opt out of cookies as easily as they can opt in
  • Cookie banners have pre-ticked boxes, giving a false sense of a “freely given” consent
  • Cookie banners will have deceptive designs and color schemes that nudge users towards accepting cookies
  • Cookie banners make it harder for end-users to withdraw their consent than it was to give it
  • Cookie banners will have inaccurate classifications of cookies
  • Cookie banners will claim legitimate interest wrongfully.

Do you use cookies in compliance with the EU’s GDPR?
Scan your website and become compliant for free with Cookiebot CMP

Guide on how to ensure that your cookie banners are GDPR compliant

Led by the famous and fierce data privacy activist Max Schrems, NOYB has fought several major data privacy battles in recent years.

Most famous is their win in the CJEU case that brought down the EU-US data transfer scheme known as the Privacy Shield.

With NOYB’s cookie banner campaign, renewed focus and intensified scrutiny is being put on clearing out and trimming down the many deceptively complex and non-compliant consent schemes that leave end-users frustrated, and their personal data ill protected.

  1. NOYB has developed a tool that automatically maps a website’s cookie consent flow and is able to determine whether a cookie banner lives up to the GDPR’s requirements or not
  2. NOYB sends a draft complaint to the non-compliant website, including a detailed guidance on how to correct the cookie banner implementation to meet GDPR standards
  3. NOYB gives the website in violation one month to change their cookie banner
  4. If the website in violation does not change their non-compliant cookie banner, NOYB files a formal complaint with the data protection authority in the EU member country where the website/company is located

Scan your website for free to see all cookies and trackers in use

Try Cookiebot CMP free for 14 days – or forever if you have a small website.

Ensure GDPR compliance with Cookiebot CMP

Cookiebot CMP comes with strict standard settings that automatically provides your website with a GDPR compliant cookie banner.

This means that if you implement Cookiebot CMP on your website and don’t change any settings, your cookie banner configuration will be in compliance with the GDPR by default.

If you change standard settings and are unsure whether your cookie banner still lives up to the GDPR’s requirements, check out our easy-to-follow guide here.

Illustration of gardening tools and a phone - Cookiebot
End-user consent is a simple, but powerful tool to ensure data privacy on the Internet.

At Usercentrics, the parent-company of Cookiebot CMP, we work to protect end-user privacy by delivering easy-to-use and automatic compliance solutions to websites all over the world.

We believe that our solution can help foster a thriving, sustainable internet economy by balancing data privacy and data-driven business around end-user consent.

Cookiebot CMP is highly customizable so that websites anywhere can configure their cookie banners to fit the local and relevant data protection requirements, and to make sure they fit with website designs.

Cookiebot CMP’s world-leading scanner automatically detects all cookies and trackers on your website and controls them in an easy-to-use cookie banner that lives up to all requirements by the EU’s GDPR.

Cookiebot CMP offers compliance solutions for all major data privacy laws – not just EU’s GDPR, but also California’s CCPA/CPRABrazil’s LGPDSouth Africa’s POPIACanada’s PIPEDAThailand’s PDPAMalaysia’s PDPA and many others.

Following NOYB’s cookie banner campaign, we have created an overview of possible GDPR violations and a step-by-step guide for how you can ensure that your cookie banner is configured in GDPR compliance.

Our step-by-step guide takes you through the Cookiebot CMP manager and points out all the places where a GDPR violation could occur if settings are changed.

See our guide to make your Cookiebot CMP banner fully GDPR compliant

Scan your website for free to find and control all cookies in use

Try Cookiebot CMP free for 14 days – or forever if you have a small website

Under the EU’s General Data Protection Regulation (GDPR), it is the legal responsibility of website owners and operators to ensure that personal data from individuals inside the EU is only collected and processed if end-users have given their prior, explicit consent.

Illustration of laptop with greenery around it - Cookiebot
GDPR compliant cookie banners empower end-users to easily protect themselves and their data.

Summarized, the GDPR makes the following requirements for how your website must collect end-user consents (via cookie banners) –

  • Prior and explicit consent must be obtained before any activation of cookies (apart from whitelisted, necessary cookies)
  • Users must have an equally easy choice between “rejecting” or “accepting” cookies, i.e. the “reject” option is not allowed to be hidden away in a cookie banner’s second layer. The “reject” option is also not allowed to be obscured by way of different color or design schemes
  • Consent must be freely given, i.e. no pre-checked boxes on the cookie banner
  • Consent must be granular, i.e. users must be able to activate some cookies rather than others and not be forced to consent to either all or none • Consent must be as easily withdrawn as they are given
  • Consent must be informed on the part of the end-users, i.e. all your cookies must be classified and correctly assigned
  • Consent must be securely stored as legal documentation
  • Consent must be renewed at least once per year. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.

If you’re in doubt whether your website’s cookie banner meets all the above GDPR requirements, check out our easy guide here.

Guide to ensure GDPR compliance with Cookiebot CMP

Learn more about the GDPR and cookies

Scan your website for free to see all cookies in use

Learn more about Cookiebot CMP and the IAB Transparency and Consent Framework

FAQ

What is NOYB’s cookie banner complaints about?

NOYB’s cookie banner complaints is a campaign pushing for websites in the EU to obey by the rules set down by the GDPR, which states that end-users must be offered a clear yes/no choice between cookies online. Many websites today fail to live up to the GDPR’s requirements, and NOYB is taking action by threatening formal legal complaints.

Learn more about NOYB’s cookie banner campaign

How can I know if my cookie banner is GDPR compliant?

Your website’s cookie banner must give end-users a clear choice to say “yes” or “no” to cookies, and not be nudging, deceptive or overly complex. Scan your website with Cookiebot consent management platform to see whether your domain is in compliance with the GDPR.

Try Cookiebot CMP free for 14 days – or forever if you have a small website

Is my cookie banner allowed to just say “accept”?

No, your cookie banner must leave the end-user with a genuine choice of accepting and rejecting the cookies in use on your website. NOYB’s cookie banner complaints are centered around exactly this issue. End-users must be able to say “yes” or “no” to cookies equally easy.

Scan your website for free to see all cookies in use

What happens if my cookie banner does not live up to the GDPR?

Non-compliance with the EU’s GDPR can lead to fines of up to €20 million or 4% of your company’s annual global revenue, whichever is higher. Customer relations and brand reputation can also suffer from violations of end-user data protection.

Get started with Cookiebot CMP today for full GDPR compliance

Resources

Guide for ensuring GDPR compliance with Cookiebot CMP

Read our blogpost on GDPR and cookie consent

Read our blogpost on EDPB guidelines on valid cookie consent in the EU

Noyb files 422 complaints to EU data protection authorities

NOYB aims to end “cookie banner terror” and issues more than 500 GDPR complaints

WeComply! FAQ on NOYB

Europe’s cookie consent reckoning is coming, TechCrunch

Privacy group targets website ‘cookie terror’, BBC

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.

    Make your website’s use of cookies and online tracking compliant today

    TRY FOR FREE