On May 31, 2021 the Noyb association (None Of Your Business) has announced the initiative to end “cookie banner terror” checking 10,000 sites this year, and issuing complaints in case of non-compliant cookie banners.
For this purpose, Noyb has developed a tool to automate the analysis of websites’ compliance. Cookies and cookie banners are a hot topic right for medias and data protection authorities. Let’s find out more about this initiative in this article.
Cookies – Already 560 complaints in 33 countries by the Noyb association
The Noyb association announced to have contacted more than 500 companies whose cookie banner was not compliant.
The companies receive an informal draft complaint via email and get a step-by-step guide on how to bring the banner into compliance. If companies choose not to change their settings within a month, Noyb will however file an official complaint with the relevant authority in the EU member state where the website/company is located.
Two observations can be made from this initiative:
- Your cookie banner is now a concern for your customers, prospects and partners. Your company may therefore receive complaints.
- GDPR compliance is a key requirement for you in order to protect your e-reputation. Having non-compliant cookie banner, as well as sharing information with third parties, for example, can have a real impact on your e-reputation.
Cookie compliance – an old and hot topic
Cookies are an old topic. The 2002 version of the European ePrivacy Directive already dealt with this subject.
Subsequent regulations have followed one after the other:
- The ePrivacy Directive passed in 2002 and amended in 2009;
- The GDPR subsequently imposed the conditions under which users consents must be obtained;
- The future ePrivacy Regulation will further clarify a few aspects.
Data protection authorities are also very proactive and have taken ownership on this topic. The Belgian Data Protection Authority, the AEPD in Spain and the CNIL in France have published guidelines on how to implement valid users consents on websites before storing cookies on users devices, and on the use of “dark patterns” in cookie banners. Cookie compliance is being taken very seriously by data protection authorities and the EU.
However, in 2021, many sites still do not comply with legal requirements. For instance, news and information websites with cookie walls that require accepting cookies or subscribing in order to read articles.
This non-compliant behaviour has led some user protection associations to take action.
Cookie compliance – a topic that can be automated
As most websites do not comply with the legal requirement, Noyb has developed a tool to automate:
- the analysis of websites and the detection of non-compliant cookie banners;
- sending a draft complaint to the company concerned.
Noyb therefore hopes to examine 10,000 sites by the end of 2021.
Checking your website GDPR compliance requires multiple tasks that can be automated. If privacy protection associations manage to do so, regulatory authorities can do the same and easily ensure websites GDPR compliance.
Dark patterns or how to force you to say yes
According to the Noyb association, only 3% of users would be ready to accept cookies. This percentage shows why some websites are tempted to force their users to give their consent.
Website owners tend to associate a high rate of cookies rejection to:
- A loss of visibility on the website’s traffic. Incapability to count the number of visitors, and to analyse their behaviours to optimise the website ergonomic.
- The inability for the brand to address its prospects on other visited websites, as retargeting cookies were refused.
- The falling of advertising revenues. Targeted and personalised advertising being based on cookies, it directly impacts the display of advertising inserts on the website.
As a result, some website owners use subterfuges, such as dark patterns, to encourage users to accept cookies. Forcing people to consent without giving them the real possibility to agree to being tracked is outrageous and not compliant.
To address this extremely wide-spread behaviour, Noyb has decided to start this initiative and develop this system that automatically discovers compliance violations.
Dark patterns and the interaction with cookie banner: a few examples
The UX design of the cookie banner is manipulated in a way that forces users to perform an action that they didn’t mean.
A few examples:
- A highly visible “Accept” button, while the ”Refuse” button is almost invisible and written in very small characters;
- The “Refuse” button exists, but in order to use it, you have to go through several pages to find the button… On the other hand, accepting cookies only takes one single click.
What are the GDPR consent requirements?
How is consent considered valid under the GDPR?
Consent must be:
- Freely given: users have the choice between accepting and declining the cookies. In addition, accepting cookies is not a condition for access to your website content.
- Informed: users know about the category of cookies and the purpose of each of them while asking for cookie consent. The information must be in a simple and easy-to-understand language without any technical or legal jargon.
- Specific: each specific purpose of every category of cookies has a separate consent for users.
- Unambiguous: users take an explicit or positive action, such as click an accept button, to give their consent. There is no pre-checked box.
- Easily withdrawn: users can withdraw their consents as easily as they can give them.
The GDPR consent requirements allow regulators to easily look at the UX design of cookie banners and detect the non-compliant ones.
Conclusion: Is your cookie banner compliant with the GDPR?
By taking such initiative, Noyb is forcing market players to implement compliant cookie banners.
The most refractory ones will expose themselves to complaints with their regulatory authorities.
Today more than ever, users are concerned about their personal data.
This current context provides an opportunity to players who are willing to be transparent, and to protect themselves and their users data, building a trustful relationship.
The key is to rely on proven solutions on the market, such as those offered by Admeet.