More than 400 companies – including major brands – are facing GDPR investigations across Europe for using unlawful cookie banners to gain online consent, after Austrian privacy activist and lawyer Max Schrems came good on his promise to make official complaints unless they changed their websites.
Back in June, Schrems’ privacy organisation, NOYB, sent over 500 draft complaints to companies that it believed were using unlawful cookie banners.
The websites were warned that unless they made changes, a formal GDPR complaint would be lodged. Although 216 made the right changes, including top brands Nikon, MasterCard and Seat, in many cases they did not go far enough, and now 422 of those companies have had formal complaints made against them with 10 different data protection authorities.
Schrems said: “We saw a lot of improvements on many websites and are very happy with the first results. Some major players including Seat, MasterCard or Nikon have instantly changed their practices.
“However, many other websites have only stopped the most problematic practices. For example, they may have added a ‘reject’ option, but still make it hard to read. The requirement to show a prominent withdrawal option clearly faced the biggest resistance from website owners.”
By law, users must be given a clear yes/no option on whether to accept tracking and analytical cookies when visiting a website.
However, NOYB insists most banners do not comply with the requirements of GDPR, so it has developed software that recognises various types of unlawful cookie banners and automatically generates complaints.
The organisation’s legal team reviews each website, while the system automatically generates a GDPR complaint. Companies are served with an informal draft complaint via email and even get a step-by-step guide on how to change their settings to comply with the law.
The organisation then gives companies a month to comply with GDPR before filing the formal complaint.
Schrems added: “In informal feedback we heard that companies worried that competitors would not comply which would create unfair advantages. Others said that they want a clear ruling by the authorities, before they start complying. We therefore hope that the data protection authorities will issue decisions and sanctions soon.”
Amazon, Twitter, Google and Facebook, which rely heavily on the amount of data that they can acquire from visitors and were among those fingered by NOYB, have made no changes to their cookie banners. In response, NOYB says that it will file no fewer than 36 complaints about those websites.
Over the course of a year, NOYB claims it will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe.
One of the major problems is getting consistency across data protection authorities in different countries. Without this, businesses can choose where to base themselves and whom to choose as their governing regulator. It allows them to ignore judgements from other countries unless their authority chooses to adopt that decision.
Schrems concluded: “We need clear pan-European rules. Right now, a German company feels that the French authorities’ interpretation of the GDPR only applies to France, even though they operate under the same law within the same European market.”