EU: Non-compliant cookie banner? You might be Schrems’ next target
Automated review process
The press release further explains that NOYB has developed software that automatically recognises different types of cookie banners deemed unlawful on the basis of criteria pre-established by NOYB. The software then automatically serves an informal draft complaint by email to the relevant company, giving it one month to make the necessary changes to the cookie banner. Once done, companies are invited to visit a dedicated NOYB website to report their full compliance. Failing that, NOYB threatens to file a formal complaint with the relevant supervisory authority.
In parallel, NOYB also published an FAQ on how to ensure cookie banner compliance as well as specific guidance for the OneTrust tool. These provide practical information including screenshots, showing controllers how to modify their cookie settings.
The criteria used by NOYB to determine whether the cookie banner of a website is compliant include:
- pre-ticked boxes that must be unticked should the user refuse consent to (certain categories of) cookies;
- non-strictly necessary cookies being inaccurately classified as strictly necessary cookies so that they are placed without consent;
- users not being able to withdraw consent as easily as to give it (e.g. not providing a website tab to access the cookie management tool and withdraw consent);
- the use of legitimate interests instead of consent to place cookies;
- the fact that the first layer of the cookie banner does not contain a button to reject all cookies; and
- deceptive link designs, button colours and contrasts which give more prominence to the “accept” option.
Some of these criteria are in line with the legal requirements established by the GDPR, the Court of Justice of the EU’s Planet49 case (case C-673/17 of 1 October 2019) as well as the updated Guidelines 05/2020 on consent of the European Data Protection Board. However, NOYB’s interpretation of the cookie requirements sometimes goes further. For example, the law contains no formal requirement to implement a “reject all” button (though it is advocated by certain regulators), nor any criteria to identify “deceptive designs”. Time will tell to what extent regulators (and, at a later stage, courts) will agree with NOYB’s interpretation and to what extent a company risks being fined for not complying with NOYB’s notice.
Cookie enforcement on the agenda
While arguably some of these interpretations may rely on a strict interpretation of the law, one may wonder whether the companies targeted by NOYB (and the CNIL) will be prepared to take the risk of defending their position and finding out whether regulators, and eventually the courts, follow their interpretation.
By Guillaume Couneson and Valérie Heremans