Austrian privacy activist and lawyer Max Schrems, who has been a thorn in the side of Facebook for nearly a decade, is now taking aim at firms which persist in using unlawful cookie banners to gain consent, threatening to make official complaints about them unless they change their websites.
Schrems’ privacy organisation, NOYB, has this week sent over 500 draft complaints to companies who it believes use unlawful cookie banners, in a move claimed to be the largest wave of complaints since GDPR came into force.
By law, users must be given a clear yes/no option on whether to accept tracking and analytical cookies when visiting a website.
However, NOYB insists most banners do not comply with the requirements of GDPR, so it has developed software that recognises various types of unlawful cookie banners and automatically generates complaints.
The organisation’s legal team reviews each website, while the system automatically generates a GDPR complaint. Companies are served with an informal draft complaint via email and even get a step-by-step guide on how to change their settings to comply with the law.
The organisation is then giving companies a month to comply with GDPR before filing the formal complaint. Over the course of a year, NOYB claims it will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe. If successful, users should see simple and clear “yes or no” options on more and more websites in the upcoming months.
In a statement, NOYB said: “GDPR was meant to ensure that users have full control over their data, but being online has become a frustrating experience for people all over Europe. Annoying cookie banners appear at every corner of the web, often making it extremely complicated to click anything but the ‘accept’ button.
“Companies use so-called ‘dark patterns’ to get more than 90% of users to ‘agree’, when industry statistics show that only 3% of users actually want to agree.”
Schrems, who also single-handedly brought down the Safe Harbour transatlantic data transfer agreement, as well as its successor Privacy Shield, added: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of GDPR’s principles.
“Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button. Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible.
“Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.”