Organisations must improve their “cookie banner terror” practices

Max Schrems’ privacy group, NOYB, is targeting organisations that make it difficult for people to opt out of tracking cookies.

The group launched 422 formal complaints last month, claiming that the organisations in question were violating the GDPR (General Data Protection Regulation).

It comes less than three months after another raft of complaints, as NOYB targets “cookie banner terror”.

The group says that it plans to file up to 10,000 further complaints this year.

What’s the issue?

The GDPR requires organisations to ask for individuals’ consent before using certain types of cookies ­– i.e. files that track how people interact with their website.

The requirement applies to cookies that, “when combined with unique identifiers and other information received by the servers, may be used to create profiles” and identify specific people.

Meanwhile, the PECR requires consent for any non-essential cookie. That includes anything from basic analytics cookies to more complex ones, such as those used for profiling.

These requirements are the reason so many websites contain splash pages warning you about cookies. They ask you to click ‘okay’ to access the rest of the site, thereby gaining your consent.

However, NOYB believes that websites aren’t giving users a clear yes or no option.

The group said that in its first batch of complaints, 81% of organisations gave users no option to reject the use of cookies. If users didn’t want cookies to be tracked, they had to navigate to a page that isn’t linked in the cookie warning.

Meanwhile, 73% of sites used “deceptive colours and contrasts” that encourage users to click “accept”, and 90% provided no easy way for users to withdraw consent.

Schrems said: “Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles.”

He added: “They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it.

“This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.”

Compliance doesn’t have to be complicated

Although cookie requirements are covered in multiple legal frameworks – such as the PECR (Privacy and Electronic Communications Regulations), the GDPR and relevant national laws – the practicalities are comparatively straightforward.

By law, organisations must turn off tracking cookies, and can only turn them on if they gain the user’s consent.

The problem, says Schrems, is that organisations are creating elaborate cookie banners to increase the chances of users giving their consent. This risks a GDPR breach and could result in a significant fine.

If you’re looking for help understanding your requirements, DQM GRC can help. With our GDPR Cookie Compliance Service, you’ll receive a full website review to make sure your cookie banner complies with the law.

Our experts will highlight any cookies with known risks or that are not included in your cookie policies or notices. They’ll also provide a report that contains an action plan that explains your current compliance posture and the steps you should take to improve.