What is NOYB’s cookie banner campaign about?
Privacy group fights dark patterns on cookie banners with new tool
The non-profit privacy group NOYB (None of Your Business) has announced a campaign to “end cookie banner terror” on the Internet by forcing websites to trim deliberately complicated and unlawful cookie banners in order to become compliant with the EU’s General Data Protection Regulation (GDPR).
On May 31, NOYB filed over 500 draft complaints to companies in 33 EU countries who use cookie banners on their websites in ways that violate the GDPR’s requirements for protection of end-users’ personal data, e.g. by nudging end-user behavior or simply by being overly complex in their design (also known as “dark patterns”).
Using a newly developed technology that can map out a website’s consent flow and determine whether it’s in violation of the GDPR, NOYB plans to send up to 10,000 such draft complaints to websites before the end of 2021.
On August 17, NOYB then filed 422 complaints to data protection authorities in ten EU countries, making good of their threat to pursue legal action on the companies that didn’t fix their non-compliant cookie banners within a month. Even though 42% of the violations originally flagged in the May draft complaints had been fixed, according to NOYB, 82% of companies were still non-compliant with the EU’s GDPR.
According to the EU’s GDPR and the European Data Protection Board (EDPB), consent to cookies on website must be freely given, specific, informed, and unambiguous to be valid.
That’s why cookie banners must give end-users a clear yes/no choice between accepting or rejecting cookies.
What are the common findings in NOYB’s cookie banner campaign?
The websites in NOYB’s cookie banner complaints violate this basic requirement in different ways, including –
- Cookie banners have no “reject” option next to “accept”, meaning that users cannot opt out of cookies as easily as they can opt in
- Cookie banners have pre-ticked boxes, giving a false sense of a “freely given” consent
- Cookie banners will have deceptive designs and color schemes that nudge users towards accepting cookies
- Cookie banners make it harder for end-users to withdraw their consent than it was to give it
- Cookie banners will have inaccurate classifications of cookies
- Cookie banners will claim legitimate interest wrongfully.
Scan your website and become compliant for free with Cookiebot CMP
Guide on how to ensure that your cookie banners are GDPR compliant
Led by the famous and fierce data privacy activist Max Schrems, NOYB has fought several major data privacy battles in recent years.
Most famous is their win in the CJEU case that brought down the EU-US data transfer scheme known as the Privacy Shield.
With NOYB’s cookie banner campaign, renewed focus and intensified scrutiny is being put on clearing out and trimming down the many deceptively complex and non-compliant consent schemes that leave end-users frustrated, and their personal data ill protected.
NOYB’s cookie banner campaign, summarized
- NOYB has developed a tool that automatically maps a website’s cookie consent flow and is able to determine whether a cookie banner lives up to the GDPR’s requirements or not
- NOYB sends a draft complaint to the non-compliant website, including a detailed guidance on how to correct the cookie banner implementation to meet GDPR standards
- NOYB gives the website in violation one month to change their cookie banner
- If the website in violation does not change their non-compliant cookie banner, NOYB files a formal complaint with the data protection authority in the EU member country where the website/company is located
Scan your website for free to see all cookies and trackers in use
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Ensure GDPR compliance with Cookiebot CMP
Step-by-step guide to make your cookie banner GDPR compliant
Cookiebot CMP comes with strict standard settings that automatically provides your website with a GDPR compliant cookie banner.
This means that if you implement Cookiebot CMP on your website and don’t change any settings, your cookie banner configuration will be in compliance with the GDPR by default.
If you change standard settings and are unsure whether your cookie banner still lives up to the GDPR’s requirements, check out our easy-to-follow guide here.
At Usercentrics, the parent-company of Cookiebot CMP, we work to protect end-user privacy by delivering easy-to-use and automatic compliance solutions to websites all over the world.
We believe that our solution can help foster a thriving, sustainable internet economy by balancing data privacy and data-driven business around end-user consent.
Cookiebot CMP is highly customizable so that websites anywhere can configure their cookie banners to fit the local and relevant data protection requirements, and to make sure they fit with website designs.
Cookiebot CMP’s world-leading scanner automatically detects all cookies and trackers on your website and controls them in an easy-to-use cookie banner that lives up to all requirements by the EU’s GDPR.
Cookiebot CMP offers compliance solutions for all major data privacy laws – not just EU’s GDPR, but also California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA, Canada’s PIPEDA, Thailand’s PDPA, Malaysia’s PDPA and many others.
Following NOYB’s cookie banner campaign, we have created an overview of possible GDPR violations and a step-by-step guide for how you can ensure that your cookie banner is configured in GDPR compliance.
Our step-by-step guide takes you through the Cookiebot CMP manager and points out all the places where a GDPR violation could occur if settings are changed.
See our guide to make your Cookiebot CMP banner fully GDPR compliant
Scan your website for free to find and control all cookies in use
Try Cookiebot CMP free for 30 days – or forever if you have a small website
The GDPR’s requirements for your cookie banner
Under the EU’s General Data Protection Regulation (GDPR), it is the legal responsibility of website owners and operators to ensure that personal data from individuals inside the EU is only collected and processed if end-users have given their prior, explicit consent.
Summarized, the GDPR makes the following requirements for how your website must collect end-user consents (via cookie banners) –
- Prior and explicit consent must be obtained before any activation of cookies (apart from whitelisted, necessary cookies)
- Users must have an equally easy choice between “rejecting” or “accepting” cookies, i.e. the “reject” option is not allowed to be hidden away in a cookie banner’s second layer. The “reject” option is also not allowed to be obscured by way of different color or design schemes
- Consent must be freely given, i.e. no pre-checked boxes on the cookie banner
- Consent must be granular, i.e. users must be able to activate some cookies rather than others and not be forced to consent to either all or none • Consent must be as easily withdrawn as they are given
- Consent must be informed on the part of the end-users, i.e. all your cookies must be classified and correctly assigned
- Consent must be securely stored as legal documentation
- Consent must be renewed at least once per year. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
If you’re in doubt whether your website’s cookie banner meets all the above GDPR requirements, check out our easy guide here.
Guide to ensure GDPR compliance with Cookiebot CMP
Learn more about the GDPR and cookies
Scan your website for free to see all cookies in use
Learn more about Cookiebot CMP and the IAB Transparency and Consent Framework
What is NOYB’s cookie banner complaints about?
NOYB’s cookie banner complaints is a campaign pushing for websites in the EU to obey by the rules set down by the GDPR, which states that end-users must be offered a clear yes/no choice between cookies online. Many websites today fail to live up to the GDPR’s requirements, and NOYB is taking action by threatening formal legal complaints.
How can I know if my cookie banner is GDPR compliant?
Your website’s cookie banner must give end-users a clear choice to say “yes” or “no” to cookies, and not be nudging, deceptive or overly complex. Scan your website with Cookiebot consent management platform to see whether your domain is in compliance with the GDPR.
Try Cookiebot CMP free for 30 days – or forever if you have a small website
Is my cookie banner allowed to just say “accept”?
No, your cookie banner must leave the end-user with a genuine choice of accepting and rejecting the cookies in use on your website. NOYB’s cookie banner complaints are centered around exactly this issue. End-users must be able to say “yes” or “no” to cookies equally easy.
What happens if my cookie banner does not live up to the GDPR?
Non-compliance with the EU’s GDPR can lead to fines of up to €20 million or 4% of your company’s annual global revenue, whichever is higher. Customer relations and brand reputation can also suffer from violations of end-user data protection.
Get started with Cookiebot CMP today for full GDPR compliance
Guide for ensuring GDPR compliance with Cookiebot CMP
Read our blogpost on GDPR and cookie consent
Read our blogpost on EDPB guidelines on valid cookie consent in the EU
Noyb files 422 complaints to EU data protection authorities
NOYB aims to end “cookie banner terror” and issues more than 500 GDPR complaints
Europe’s cookie consent reckoning is coming, TechCrunch