A privacy group has lodged hundreds of complaints against what it calls “cookie banner terror” online.
Noyb, headed by well-known Austrian privacy advocate Max Schrems, is targeting companies which it says deliberately make it hard to opt-out of tracking cookies.
“By law, users must be given a clear yes/no option,” the group said.
Marketing groups have blamed the EU’s strict privacy rules for creating the problem.
Cookies are used for all sorts of purposes, but one of their major uses is for third-party advertising tracking – which is why ads for a product you may have searched for “follow” you from website to website.
After the EU’s General Data Protection Regulation (GDPR) was implemented in 2018, websites began to display very prominent pop-up forms, and some American sites withdrew service to EU users.
That also applied to the UK and was carried over into UK law post-Brexit.
But many websites force users to revoke consent for dozens of marketing partners individually – a process that can take several minutes. Others highlight the “accept all” in green color or make it more prominent.
Noyb – an acronym for “none of your business” – says that kind of form is designed to make it “extremely complicated to click anything but the ‘accept’ button”.
Most sites ‘do not comply’
To combat this, the group has created an automated system, which it says can find violations and auto-generate a complaint under GDPR.
It claims “most banners do not comply with the requirements of the GDPR”.
Fines can be up to €20m (£17.5m) or 4% of a company’s global revenue, whichever is higher.
Of the 500 pages in its first batch of complaints, 81% had no “reject” option on the first page, but rather hidden in a sub-page, it said. Another 73% used “deceptive colors and contrasts” to lead users into clicking “accept”, and 90% provided no easy way to withdraw consent, it said.
Noyb says it is first issuing draft complaints to 10,000 of the most-visited websites across Europe, along with instructions on how to change settings.
But it says that if firms do not comply within a month, they will file full formal complaints with enforcement authorities.
“If successful, users should see simple and clear ‘yes or no’ options on more and more websites in the upcoming months,” the group said.
Mr. Schrems, the chair of the group, is a well-respected privacy advocate who has lodged successful legal challenges in the past.
In July last year, he successfully had an agreement that governed the transfer of EU citizen’s data to the United States struck down by Europe’s highest court.
Mr. Schrems said this latest campaign was designed to combat “a whole industry of consultants and designers” making “crazy click labyrinths”.
“Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles,” he said, accusing firms of trying “to make privacy a hassle for users.”
“They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it.
“This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.”
The legal basis for cookie consent is complicated, involving an older set of rules called the ePrivacy Directive as well as the more recent GDPR, and a range of national data protection authorities which enforce the rules.
Data protection and privacy expert Pat Walshe said that the way the advertising industry had approached the rules had “led to confusion at best”.
“In my humble opinion, a lack of regulatory enforcement has emboldened the ad industry and in part led to the current state of the ‘data vampire’ infested web and app experiences,” he said.
“In light of the lack of regulatory enforcement the Noyb action is welcome. If regulators won’t uphold and enforce the law then organizations like Noyb play an even more important role than ever.”
Cookies themselves have also come under fire in recent years, with many calling for them to be replaced by another system.
Google, for example, has begun a process of phasing out the support for third-party cookies in its popular Chrome web browser, citing privacy concerns.