The privacy organisation noyb will file more than 10,000 complaints for use of cookies contrary to its interpretation of compliance.

By Gail Crawford, Myria Saarinen, Tim Wybitul, Wolf Boehm, Charlotte Guerin, and Amy Smyth

On 31 May 2021, the nonprofit privacy organisation noyb (short for “none of your business”) launched a large-scale campaign to combat allegedly unlawful cookie banners and practices. According to a press release, noyb has already sent draft complaints to the operators of more than 500 frequently visited websites, and is intending to send a further 10,000 complaints this year. This is a space where website operators arguably have considerable room for interpretation and to develop a variety of approaches for providing cookie information and obtaining cookie consent. Noyb’s campaign seeks to impose its interpretation of applicable cookie rules across the EU through threats of complaints to supervisory authorities.

Affected companies that fail to bring their cookie practices into compliance with noyb’s interpretation of the legal requirements will face complaints brought by noyb to the competent data protection supervisory authorities.

Categories of Alleged Violations

Founded in 2017 by activist Maximilian Schrems, noyb has used specially developed software to analyse cookie banners and practices deployed on websites for conformity with cookie rules (as described below), and to generate draft complaints to the site operators.

Noyb’s campaign is focused on eight categories of alleged violations of ePrivacy Directive (ePrivacy) or General Data Protection Regulation (GDPR) requirements:

  • Type A – No option/button to reject all cookies on the first layer of the cookie banner
  • Type B – Pre-ticked boxes on the second layer (the authors believe this to mean any default opt-in, although the language is not clear)
  • Type C – Deceptive “link” design/link instead of a button to reject cookies
  • Type D – Deceptive button colors (which the authors believe to mean any colors that try to influence user behavior)
  • Type E – Deceptive button contrast (which the authors believe to mean any contrasts that try to influence user behavior)
  • Type H – Legitimate interests claimed as legal basis for the use of cookies
  • Type I – Inaccurate classification of cookies
  • Type K – No icon to withdraw consent
  • Type L – Close button on the cookie banner

Noyb’s Expectations for Website Operators

When noyb’s software detects one or more of these perceived violations, the website operator receives a notification that triggers a one-month “grace period” to bring the website into compliance with noyb’s understanding of the ePrivacy and GDPR requirements for use of cookies. Noyb has also developed the “WeComply!” platform, which allows notified website operators to review the complaint against them along with noyb’s guidance on how to achieve compliance with its standards. Website operators can also use the platform to report back on any steps they have taken to achieve compliance. Noyb has threatened to file a complaint to the competent data protection authority against any affected website that does not meet all of the organisation’s stringent requirements within the one-month grace period.

Legal Framework

Companies must look to both the ePrivacy Directive and the GDPR for the legal framework governing the use of cookies and other tracking technologies, as well as to guidance produced by relevant national supervisory authorities. The draft ePrivacy Regulation is intended to replace the current ePrivacy Directive and would have direct effect in all EU Member States, though the regulation is still under intense discussion with no final draft or implementation date in sight. Notably, guidance or opinions published by data protection authorities are not legally binding on the courts deciding on these questions in individual cases.

The legal requirements, regulatory guidance, and best practices for lawful use of cookies have long been a moving target, and are only harmonised between Member States to a limited degree.

For example, in Germany, the implementation of the ePrivacy Directive cookie rules (Art. 5(3)) through Sec. 15(3) German Telemedia Act (TMG) was subject to the so-called Planet49 decision of the Court of Justice of the European Union (CJEU) and the so-called Cookie Consent II decision of the Federal Court of Justice (judgment of 28 May 2020 – I ZR 7/16).

From 1 December 2021, the German Telecommunication-Telemedia-Data Protection-Act (TTDSG) will replace the rules on cookies under the current TMG.

In France, the CNIL’s updated guidance on cookies went into effect on 1 April 2021. In late May, the CNIL announced the filing of approximately 20 formal notices to organisations that it had found did not allow users to reject cookies as easily as they accepted them.

The UK’s cookie regime closely mirrors the EU regime (under the UK’s implementation of the ePrivacy Directive and the UK GDPR). However, neither future CJEU case law nor the ePrivacy Regulation will be binding on the UK, and there is potential for increasing divergence in the legal framework and in the approach to enforcement.

Legal Risks for Affected Companies

Affected companies should not underestimate the legal risk that the noyb initiative poses. If noyb ultimately files complaints to a supervisory authority on behalf of data subjects, regulators are required to initiate investigations and may take remedial action. If a data protection supervisory authority determines that a company has violated ePrivacy rules or the GDPR, it may also impose a fine.

The legal consequences for violations of ePrivacy laws differ between the UK and Member States, as well as between individual Member States. For example, the German TMG currently does not foresee fines for violations of the rules for setting and accessing cookies; however, this will change under the upcoming TTDSG. Under the UK regime, fines may be imposed for certain ePrivacy breaches, though the maximum penalty of £500,000 is significantly lower than the UK GDPR’s maximum fine limit (including for consent violations) of £17.5 million. In France, undertakings breaching the national law implementing the ePrivacy directive may be fined up to €10 million or 2% of their global annual turnover (whichever is higher). The CNIL’s groundbreaking ePrivacy fines issued in December 2020 (totalling £135 million) demonstrate not only the divergence in ePrivacy sanctions, but also the risk of multiple ePrivacy enforcement actions across the EU (in the absence of the GDPR’s one-stop-shop / lead supervisory authority mechanism).

Affected companies may also face a risk of civil litigation. Under the GDPR, individuals who used affected websites can assert claims for damages. Specialised consumer lawyers and litigation vehicles have already repeatedly used such proceedings and associated press coverage as an opportunity to enforce numerous GDPR claims for damages. Finally, there is a threat of civil lawsuits for injunctive relief (e.g., by way of interim legal protection brought by individuals, competitors, or consumer protection organisations). Affected companies should consider incorporating defensive strategies against civil litigation as part of their overall response.

Next Steps

Certain of the alleged violations analyzed by noyb’s campaign may introduce significant investigation and enforcement risks for affected companies.

But contrary to the representations of noyb, the rules for lawful cookie consent are as a whole by no means clear — nor should they necessarily be interpreted in the manner that noyb has set out. The majority of noyb’s alleged GDPR and ePrivacy violations leave room for arguments that companies may leverage to defend their approach to cookies. In the absence of clear and consistent guidelines on the part of the authorities or comprehensive case law, companies should assess their specific legal risks and determine their practical options and strategy in response to the campaign.