On 31 May 2021, the nonprofit privacy organisation noyb (short for “none of your business”) launched a large-scale campaign to combat allegedly unlawful cookie banners and practices. According to a press release, noyb has already sent draft complaints to the operators of more than 500 frequently visited websites, and intends to send a further 10,000 complaints this year. This is a space where website operators arguably have considerable room for interpretation and can develop a variety of approaches to providing cookie information and obtaining cookie consent. Noyb’s campaign seeks to impose its interpretation of the applicable cookie rules across the EU through threats of complaints to supervisory authorities.
Affected companies that fail to bring their cookie practices into compliance with noyb’s interpretation of the legal requirements will face complaints brought by noyb to the competent data protection supervisory authorities.
Categories of Alleged Violations
Founded in 2017 by activist Maximilian Schrems, noyb has used specially developed software to analyse cookie banners and practices deployed on websites for conformity with cookie rules (as described below), and to generate draft complaints to the site operators.
Noyb’s campaign is focused on eight categories of alleged violations of ePrivacy Directive (ePrivacy) or General Data Protection Regulation (GDPR) requirements:
- Type A – No option/button to reject all cookies on the first layer of the cookie banner
- Type B – Pre-ticked boxes on the second layer (the authors believe this to mean any default opt-in, although the language is not clear)
- Type C – Deceptive “link” design/link instead of a button to reject cookies
- Type D – Deceptive button colours (which the authors believe to mean any colours that try to influence user behaviour)
- Type E – Deceptive button contrast (which the authors believe to mean any contrasts that try to influence user behaviour)
- Type I – Inaccurate classification of cookies
- Type K – No icon to withdraw consent
- Type L – Close button on the cookie banner
Noyb’s Expectations for Website Operators
For example, in Germany, the implementation of the ePrivacy Directive cookie rules (Art. 5(3)) through Sec. 15(3) German Telemedia Act (TMG) was subject to the so-called Planet49 decision of the Court of Justice of the European Union (CJEU) and the so-called Cookie Consent II decision of the Federal Court of Justice (judgment of 28 May 2020 – I ZR 7/16).
From 1 December 2021, the German Telecommunication-Telemedia-Data Protection-Act (TTDSG) will replace the rules on cookies under the current TMG.
In France, the CNIL’s updated guidance on cookies went into effect on 1 April 2021. In late May, the CNIL announced the filing of approximately 20 formal notices to organisations that it had found did not allow users to reject cookies as easily as they accepted them.
The UK’s cookie regime closely mirrors the EU regime (under the UK’s implementation of the ePrivacy Directive and the UK GDPR). However, neither future CJEU case law nor the forthcoming ePrivacy Regulation will be binding on the UK, so there is potential for increasing divergence both in the legal framework and in the approach to enforcement.
Legal Risks for Affected Companies
Affected companies should not underestimate the legal risk that the noyb initiative poses. If noyb ultimately files complaints with a supervisory authority on behalf of data subjects, the regulator is required to handle the complaint and investigate its subject matter, and may take remedial action. If a data protection supervisory authority determines that a company has violated ePrivacy rules or the GDPR, it may also impose a fine.
The legal consequences for violations of ePrivacy laws differ between the UK and the Member States, as well as between individual Member States. For example, the German TMG currently does not provide for fines for violations of the rules on setting and accessing cookies; however, this will change under the upcoming TTDSG. Under the UK regime, fines may be imposed for certain ePrivacy breaches, though the maximum penalty of £500,000 is significantly lower than the UK GDPR’s maximum fine (including for consent violations) of £17.5 million. In France, undertakings breaching the national law implementing the ePrivacy Directive may be fined up to €10 million or 2% of their global annual turnover (whichever is higher). The CNIL’s groundbreaking ePrivacy fines issued in December 2020 (totalling €135 million) demonstrate not only the divergence in ePrivacy sanctions, but also the risk of multiple ePrivacy enforcement actions across the EU, since the GDPR’s one-stop-shop / lead supervisory authority mechanism does not apply to ePrivacy enforcement.
Affected companies may also face a risk of civil litigation. Under the GDPR, individuals who used affected websites can assert claims for damages. Specialised consumer lawyers and litigation vehicles have already repeatedly used such proceedings and associated press coverage as an opportunity to enforce numerous GDPR claims for damages. Finally, there is a threat of civil lawsuits for injunctive relief (e.g., by way of interim legal protection brought by individuals, competitors, or consumer protection organisations). Affected companies should consider incorporating defensive strategies against civil litigation as part of their overall response.
Certain of the alleged violations identified by noyb’s campaign may carry significant investigation and enforcement risks for affected companies.
But contrary to noyb’s representations, the rules for lawful cookie consent are, taken as a whole, by no means clear, nor must they necessarily be interpreted in the manner that noyb has set out. The majority of the GDPR and ePrivacy violations alleged by noyb leave room for arguments that companies may use to defend their approach to cookies. In the absence of clear and consistent guidance from the authorities or comprehensive case law, companies should assess their specific legal risks and determine their practical options and strategy in response to the campaign.