The organization NOYB launched a new round of cookie complaints in August 2022 against a select group of website owners who it claims have disregarded or failed to fully acknowledge earlier requests to update their cookie consent banners to comply with EU legal standards for consent.
In this article, we will look into Noyb’s complaints and how you can ensure that your business doesn’t fall under their radar. So keep reading for more information on Noyb, its complaints, and whether it applies to you, or jump straight to the Noyb compliance checklist to find out how you can avoid fines now and in the future.
UPDATE The European Data Protection Board (EDPB) adopted three dispute resolution decisions based on Article 65 GDPR concerning Meta Platforms Ireland Limited after NOYB filed three complaints against Facebook, Instagram, and Whatsapp 4.5 years ago. Read about this story here →
May 2021 The European privacy organization noyb launched a massive campaign to put out the fire of non-compliance, bringing up to 10,000 complaints against offenders. Additionally, as part of this operation, offenders were given free advice to help them comply.
Just over a year after initiating a significant effort targeting thousands of sites blatantly breaking EU cookie tracking restrictions, Noyb reports that the most recent batch of 226 complaints has been filed with 18 data protection authorities (DPAs) throughout the EU.
The concerns focus on misleading settings discovered in cookie banner setups. In addition, website users may not even be allowed to opt-out of tracking, which would be a blatant violation of the legislation governing consent.
noyb has set up a system to discover different types of violations and generate GDPR complaints. After a review from their legal team, companies that are found to be non-compliant are served with an informal draft complaint via email. They are given 60 days to comply with the law by changing their settings. If companies fail to do so, *noyb will file a complaint with the relevant data protection authority*. This could result in a fine of up to € 20 Million, in accordance with the GDPR.
The results of noyb’s research (https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-nerve-wrecking-cookie-banners) found that 81 % did not offer a “reject” option on the first cookie banner layer, while a further 73% used deceptive colors and contrasts to lead users to click the “accept” option. Finally, 90% did not provide a way to withdraw consent as easily as giving it.
In 2021, more than 500 draft complaints were sent to European companies allegedly using non-compliant cookie banners. Recently, noyb has launched the second round of its action against deceptive cookie banners and dark patterns. They will continue following their goal by scanning, reviewing, warning, and enforcing the law/best practice on up to 10,000 websites in the following months.
Noyb’s compliance campaign entails sending initial complaints to the offending sites in question, offering help to rectify any dark patterns (or other consent issues). The chairman of Noyb Max Schrems has said in a statement,
We want to ensure compliance, ideally without filing cases. If a company, however continues to violate the law, we are ready to enforce users’ rights.
It’s worth mentioning that only sites that consistently disregarded these reminders and detailed compliance instructions are now the focus of official complaints with the action of the appropriate data protection authority.
According to Noyb, “most” of the websites it has filed formal complaints about currently don’t give users a way to withdraw their consent to tracking. While 30% of all warned websites have implemented an ad reject button on their site, others still ignore aspects like deceptive designs. Schrems said:
Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than fifteen common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page.
In regards to the complaints made by Noyb, we’ve compiled a simple and easy-to-do checklist for your cookie banner:
👉 Give users a way to withdraw consent – Make sure you enable the privacy widget in your Privacy Controls and Cookie Solution.
👉 Provide unambiguous designs – Designing an unambiguous banner is straightforward. Simply edit your compliant cookie banner in your dashboard.
👉 Provide a reject button on users’ first visit to your site.
👉 Do not pre-tick options on your cookie banner. Make sure you select all compliance settings to configure a compliant cookie banner automatically.
👉 Do not provide a link instead of a button.
Compliance doesn’t have to be tricky. In order to help make websites compliant, iubenda offers attorney software solutions. It eases the strain and helps guarantee that your business is prepared for the future.
The noyb campaign has become very popular within the internet and online news communities, but in fact, they are highlighting points that data protection authorities have already been adopting across Europe in order to prevent dark patterns and ensure clear and more informed choices.
Over the years, iubenda has been committed to offering simple and effective solutions for compliance with the data protection regulations, with a close look at the international best practices and stimulating the sensitivity of companies towards these topics.
Our Privacy Controls and Cookie Solution helps you fully comply with the requirements of the GDPR ePrivacy and more. Not only does it give you full customisation control over your cookie banner and settings, but the automated default GDPR configuration puts you ahead of the game by preventing the major points of non-conformity considered by noyb’s analysis. And, of course, it allows you to be compliant with the rules imposed by the GDPR itself and national DPAs.
Going into more detail, let’s see how to make sure you set the correct settings for your cookie banner, using noyb’s “violation types” list.
Within the Privacy Controls and Cookie Solution configurator, click on EDIT under the GDPR configuration and select Manual configuration, then make sure that the “Explicit Reject button“ option is enabled.
Our solution is designed to always respect the opt-in principle, just make sure to have the “Offer granular control with per-category consent” option enabled
Our default configuration ensures that the accept and reject buttons are equally conspicuous (color/design/prominence) but you can customize them inside the Style & Text configuration, under Theme options (click on EDIT).
Note that these buttons’ “equal prominence” is a mandatory requirement in several countries, so we highly suggest using the same graphic configuration for both buttons.
Our solution does not allow the use of a link or other options that may make customization hidden or hard to find
The customize button is linked to the accept button, and it’s present by default (you can still manage the enabling of these buttons under the GDPR Manual configuration though).
In terms of design and colors, the customize button does not need to be exactly the same as the accept and reject buttons, in any case you can customize it inside the Style & Text configuration, under Theme options (click on EDIT).
Just check that the button is clearly visible and not hidden by other graphic configurations (e.g. background color and text).
This might be relevant only if you have enabled the IAB TCF configuration. In this case, you should restrict purposes to only allow Consent as a valid legal basis to treat data.
Under the IAB TCF configuration (click on EDIT), enable Restrict purposes and select the “Consent only“ option on each enabled purpose
Please note that also some national DPAs, like in Italy and Belgium, have excluded the use of legitimate interest as a valid legal basis, that’s why it’s important to restrict it to “Consent only” if you operate in those countries (you can read more about country-specific requirements in our Cookie Consent Cheatsheet).
Our cookie management solution can recognize and block a wide range of cookies, with the exception of the so-called strictly necessary cookies. You can still manually identify the scripts that are subjected to the requirement of prior consent.
Keep attention to set prior blocking to all non-essential cookies. You might have to modify the category you assigned to some script that installs cookies for this issue. You can read more about Manual tagging in this guide.
By default, our solution integrates a privacy widget that allows users to easily access and edit their privacy preferences.
Within Privacy Widget options (under Style & Text configurations) you can customize the position, format, and colors of your widget or choose to add a link in the footer to your page to access privacy and tracking preferences.
The steps we’ve detailed above can be useful whether you want to avoid provoking a complaint from noyb or just want to verify that your settings are consistent with GDPR general requirements.
