Time to simplify cookies



Published 01 June 2021

It is time to check whether your website has a GDPR-compliant cookie notice. New software scans websites and finds those that have illegal cookie pop-ups. The software then makes automated complaints to data regulators. The non-profit organisation Noyb is once again getting attention due to its somewhat untraditional methods.

The founder of Noyb ("None of Your Business"), Max Schrems, a lawyer and internet activist, has spearheaded several lawsuits that have led to important court decisions, most recently the so-called Schrems II case. Noyb has now developed new software that identifies websites that make it unnecessarily cumbersome to opt out of being tracked by cookies. The software then makes automated complaints to the data protection authorities. Noyb expects to send a total of 10,000 complaints.

To start, Noyb has sent out 500 notifications to companies that have illegal cookie pop-ups. Of these, 81% had no opt-out button on the front page, and the user had to go through several clicks to say no to cookies. 73% of the websites are stated to have used enticing colours to make the user accept cookies. As many as 90% had no easy way for the user to withdraw consent. These companies have now been given the opportunity to change their solution within a month. If nothing is changed on the website, the complaint will be sent directly to the relevant Data Protection Authority. There is perhaps no reason to believe that other websites have better solutions for cookies than those identified by Noyb.

Cookies have long caused trouble because two sets of rules apply at the same time: both the GDPR and the ePrivacy Directive. In Norway, these are administered by two different authorities, the Norwegian Data Protection Authority and the Norwegian Communications Authority (Nkom), respectively. For a long time, these authorities had somewhat different views on how consent to cookies should be obtained. Nkom accepted, for example, that presets in the browser could constitute valid consent to cookies, while according to the GDPR a more active consent is required.

After the so-called Planet49 case, where the Court of Justice of the European Union (CJEU) specified consent requirements for cookies, this changed. Both the UK data protection authority, ICO, and the French data protection authority, CNIL, concluded that prior consent in the browser settings can no longer be considered valid consent. The European Data Protection Board (EDPB) has also assumed that consent to cookies must meet the requirements of the GDPR in order to be valid. Nkom has updated its guidelines accordingly, so that the consent obtained now shall be in line with the GDPR. Due to Nkom's previous interpretation, Norway has long allowed cookies in a way that has not been legal in the EU, but this has changed. Everyone responsible for websites that set cookies should pay attention to what Noyb is doing now.

The reason why many companies have unnecessarily cumbersome cookie pop-ups is easily understood. It's all about the money. The more information a company has about a user, the more valuable the information is. This has meant that some players intentionally make it cumbersome for users to say no to cookies. Typically, a company does not place the option to say no to cookies visibly on the front page, but further back or in a submenu, so that many clicks are required. These are the illegal mechanisms Noyb wants to get rid of.

Noyb refers to surveys that show that only 3% of users want to be tracked online, while manipulative design can get more than 90% to consent. The Norwegian Consumer Council has focused on the same in its report on so-called "Dark patterns".

Noyb emphasizes that it is incorrect when some online players claim that it is GDPR's "fault" that cumbersome cookie banners are needed. Noyb emphasizes that a simple yes or no on the front page is sufficient. Data protection should be easy, not difficult.

There is no doubt that what Noyb does is good from a consumer standpoint. Many experience cookie pop-ups as a nuisance. However, if it were just a simple yes or no on the front page, it would not be so annoying, and those who want to be tracked so that they can get customized advertising could get it.

Regardless, it's time to look at how your website provides information about cookies, even though you may not have received a letter from Noyb. Yet.