22. August 2022
On August 9th, 2022, the Austrian NGO noyb announced on its website that it had lodged over 200 complaints with 18 supervisory authorities against several websites that have the cookie banner software “OneTrust” in use.
noyb claims that those banners are designed in a way that nudges the user into clicking the accept button.
According to noyb’s legal analysis, websites that use these cookie banners are neither in conformity with the ePrivacy Directive nor with the GDPR. Further noyb argues: “Deceptive cookie banner designs try to force a user’s agreement by making it insanely burdensome to decline cookies. The GDPR actually requires a fair yes/no choice, not crazy click-marathons.”
It is important to highlight that the complaints were only lodged against companies hosting these websites and using possibly unlawful cookie banners which did not respond to noyb’s emails. Interestingly enough, even companies who have not been contacted by noyb have proceeded, in the mean-time, to update their cookies in accordance with a guiding document provided by noyb.
In response to noyb’s multiple complaints in relation to cookie banners, the EDPB decided to establish a task force in September 2021.
5. October 2021
On September 27, 2021, the European Data Protection Board (EDPB) announced that it has established a “Cookie Banner” taskforce in order to coordinate the complaints and corresponding responses filed with several EU data protection authorities (DPA) by the non-governmental organization None of Your Business (NOYB) in relation to website cookie banners.
In May 2021 NOYB sent over 500 draft and formal complaints to companies residing in the EU regarding the use of their cookie banners. The complaints seem to focus on the absence of a “reject all” button on most of the websites as well as the way cookie banners use deceptive design in order to get data subjects to consent to the use of non-essential cookies. Another regular complaint is the difficulty for refusing cookies, as opposed to the simple way of consenting to them.
The EDPB stated that “this taskforce was established in accordance with Art. 70 (1) (u) GDPR and aims to promote cooperation, information sharing and best practices between the DPAs”. The taskforce is meant to exchange views on legal analysis and possible infringements, provide support to activities on the national levels and streamline communication.
7. April 2021
Starting from April 1st, 2021, the French supervisory authority the Commission Nationale de l’Informatique et des Libertés (CNIL) is planning on starting its enforcement of Ad Tracker usage across the internet.
Following its Ad Tracker Guideline, the CNIL gave companies a time frame to adjust ad tracker usage and ensure compliance with the Guideline as well as the GDPR. This chance for the companies to adjust their ad tracker usage has ended on March 31st, 2021.
The new rules on cookies and ad trackers mainly revolve around the chance for the user to give active, free and informed consent. User consent for advertising cookies must be granted by a “clear and positive act”. This encompasses actions such as clicking an “I accept” button and no longer can be agreed to by simply continuing to use the website.
In addition, cookie banners must not only give the option to accept, they also have to give the option to reject. The act to reject cookie has to be as simple and easy as the act to accept cookies. Referring to “Cookie Options” is no longer a valid form of rejection, as it makes the user have to go through an extra step which may dissuade them from rejecting cookies. A valid option remains rejecting cookies by closing the Cookie Banner, but it has to be ensured that unless the cookies are indeed accepted, none but the essential cookies are activated.
Lastly, the Cookie Banner has to give a short information on the usage of the cookies. The CNIL’s Guideline allows for a more detailed information to be linked in the Cookie Banner, however companies should also give a short information in the Cookie Banner in order to be able to obtain “informed” consent.
At the beginning of March, the CNIL announced that “compliance with the rules applicable to cookies and other trackers” would be one of its three priorities for 2021, along with cybersecurity and the protection of health data. In a first act to follow that goal, the CNIL will now begin to conduct checks to ensure websites are in compliance with advertising tracker guidelines.
It is expected that companies that did not adjust their cookie and ad tracker usages will face fines according to the level of lacking compliance.