EU: Non-compliant cookie banner? You might be Schrems’ next target

On 31 May 2021, Max Schrems’ NGO, None Of Your Business (“NOYB”), sent over 500 draft complaints to companies which, according to NOYB, use non-compliant cookie banners on their website. If those complaints end up being filed, it would be the largest wave of complaints ever filed since the EU General Data Protection Regulation (“GDPR”) became applicable on 25 May 2018. And it is only just the beginning. NOYB intends to review the use of cookies of 10,000 of the most visited European websites in the course of 2021 and issue similar complaints in case of non-compliance.

According to NOYB’s press release, Max Schrems’ new battle is against “annoying cookie banners […] making it extremely complicated to click anything but the “accept” button”. The objective is to make sure users are given a simple and clear “yes” or “no” option when asked to consent to the use of cookies.

Automated review process

The press release further explains that it has developed software that automatically recognises different types of cookie banners deemed unlawful on the basis of criteria pre-established by NOYB. It subsequently automatically serves an informal draft complaint via email to the relevant company, giving it one month to make the necessary changes to the cookie banner. Once done, companies are invited to visit a dedicated NOYB website to report their full compliance. Failing that, NOYB threatens to file a formal complaint with the relevant supervisory authority.

In parallel, NOYB also published an FAQ on how to ensure cookie banner compliance as well as specific guidance for the OneTrust tool. These provide practical information including screenshots, showing controllers how to modify their cookie settings.

Review criteria

The criteria used by NOYB to determine whether the cookie banner of a website is compliant include:

  • pre-ticked boxes that must be unticked should the user refuse consent to (certain categories of) cookies;
  • non-strictly necessary cookies being inaccurately classified as strictly necessary cookies so that they are placed without consent;
  • users not being able to withdraw consent as easily as to give it (e.g. not providing a website tab to access the cookie management tool and withdraw consent);
  • the use of legitimate interests instead of consent to place cookies;
  • the fact that the first-layer of the cookie banner does not contain a button to reject all cookies; and
  • deceptive link designs, button colours and contrasts which give more prominence to the “accept” option.

Certain of these criteria are in line with the legal requirements established by the GDPR, the Court of Justice of the EU’s Planet 49 case (case C-673/17 of 1 October 2019) as well as the updated Guidelines 05/2020 on consent of the European Data Protection Board. However, NOYB’s interpretation of the cookie requirements sometimes goes further. For example, there is no formal requirement to implement a “reject all” button in the law (though it is advocated by certain regulators) or criteria to identify “deceptive designs”. Time will determine to which extent regulators (and, at a later stage, courts) will agree with NOYB’s interpretation and to which extent a company risks being fined for not complying with NOYB’s notice.

Cookie enforcement on the agenda

What is clear however is that cookie enforcement is on the rise. In December 2020, the French Data Protection Authority (the “CNIL”) issued three fines for a total EUR 135 million against Google and Amazon for failure to obtain user consent before setting advertising cookies and for providing inadequate information about cookies. In May 2021, the CNIL also started an online verification campaign, which ended up with 20 orders to comply sent on 25 May by the Chairwoman of the CNIL to companies which failed to set up an equally easy manner to accept and refuse cookies. This followed the CNIL’s release of its cookie guidelines back in 2020 which anticipated some of the interpretations of BOYD.

While arguably some of these interpretations may rely on a strict interpretation of the law, one may wonder whether the companies targeted by NOYB (and the CNIL) will be prepared to take the risk to defend their position and find out whether regulators, and eventually the courts, follow their interpretation.

By Guillaume Couneson and Valérie Heremans