The privacy organization Noyb is sending complaints to more than 500 companies in Europe and the U.S. that use illegal cookie banners on their websites.
The initiator and chairman of the board of Noyb is the Austrian lawyer and data protection activist Max Schrems. His lawsuits before the European Court of Justice ended the Safe Harbour agreement of 2000 and the Privacy Shield of 2016. The “Schrems I” and “Schrems II” rulings are now considered milestones in the field of data protection. With the current wave of complaints, Schrems is taking action against the widespread non-compliant cookie banners on the websites of large companies.
Cookies are small data packets generated by browsers and websites and stored on end devices. They collect user-related information and make it available to website operators. They can use this information to compile statistics, draw conclusions about the surfing behavior of site visitors, and create user profiles that can be used for targeting activities.
My privacy – None of your business
Noyb is an acronym for “none of your business”. On its website www.noyb.eu, the organization provides information about its various projects. Currently, it has set itself the task of taking action against illegal consent requests for cookies. Because anyone who wants to refuse consent to the setting of cookies and thus to the collection of corresponding data is sometimes confronted with confusing cookie banners. Illegal banners, as Noyb complains. In many cases, users cannot simply agree to or refuse data tracking with a single click, as is required by the GDPR. Instead, they are forced to navigate through complicated privacy settings and manually make settings on subpages one by one. Misleading color coding of buttons and text can deceive users into giving their consent – even unintentionally. This violates the GDPR (General Data Protection Regulation), according to Noyb.
Using software developed for this purpose, Noyb can detect unlawful cookie banners and generate complaints automatically. Up to 10,000 complaints are to be produced in this way, which are initially sent as an informal e-mail to the operator of the respective website. Affected companies then have one month to adjust their cookie banners accordingly, only then is a formal complaint made to the relevant authority, which can then theoretically impose a fine of up to 20 million euros. Noyb does not earn any money with these complaints; unlike classic warning letters, the companies concerned do not incur any costs. Noyb is financed exclusively by donations from its approximately 4,000 members.
What does the future hold?
Noyb’s action is directed against larger companies and will lead to a certain injustice: Companies that are not reported to the authority are usually not subject to prosecution. Affected companies will probably have to adapt their cookie banner, which will lead to major disadvantages in online marketing. In practice, there is currently a risk of an arbitrary division between companies that come to the attention of the authorities as a result of the action and those that continue to use a cookie banner that is not fully compliant with the law in a certain gray area.
However, at the latest when the new TTDSG comes into force at the end of 2021, it will probably be foreseeable that the data protection authorities will increase the controls and a cookie banner that strictly complies with the law will become the standard.
Whether the path of “cookieless” tracking will enable user tracking without annoying cookie banners in the future remains to be seen: because the technologies currently used here, fingerprinting, eTags and authentication cache, also require the consent of the user.
With Google Analytics 4 (GA4), Google is trying hard to present its new technology in a privacy-compliant light and touts “cookieless” tracking and anonymized IP addresses. On closer inspection, however, this is still a “transparent user” and a deceptive package that cannot be used in a privacy-compliant manner without the user’s consent.
It remains to be seen whether there really will be new technologies and approaches from companies in the future that enable tracking without cookies and without annoying banners, and at the same time can be used without active consent in compliance with data protection laws.