With the aim to end “cookie banner terror”, privacy group noyb has issued 500 draft complaints to companies who use unlawful cookie banners.
The group explained that by law users must given a clear yes/no option - however most banniers do not comply with GDPR requirements. Subsequently, noyb developed a software that recognizes different types of unlawful cookie banners and automatically generates complaints.
The ‘cookie banner terror’ could see more than 10,000 complaints being filed across Europe.
In a blog post, the group explains that cookier banners appear at every corner of the web and has made it extremely complicated for users to click anything but the ‘accept’ button. Companies use “dark patterns” to get more than 90% of users to ‘agree’ when statistics show that just 3% of users actually want to agree.
Max Schrems, Chair of noyb:
“A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”
This has resulted in users blaming GDPR for the annoying situation, when in fact the blame lies on companies misusing designs in violation of the law.
“Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible. Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.”
Companies are served with an informal draft complaint and a step-by-step guide on how to change software settings to comply with the law. Companies have been given a one-month grace period to comply with EU laws before filing a formal complaint with the relevant authority.
“We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights.”
Make sure to register and join us as he shares on his work, the state of EU data protection, and whether the EU-US data flows issue can ever be resolved.