The privacy activists who took down Google Analytics sent 270 draft complaints on Friday (4 March) to website operators who use cookie banners that do not comply with the EU data protection rules.
The batch is the second of a series of complaints by NOYB, the NGO led by Max Schrems, the Austrian activist who became famous for initiating the legal proceedings that brought down the EU-US data transfer agreements in two separate lawsuits.
The privacy advocates recently scored a major victory as two of their complaints prompted the Austrian and French data protection authorities to declare Google Analytics illegal for unduly transferring the personal data of EU residents to the United States.
NOYB’s battle against non-compliant cookie banners started in May 2021, when the organisation presented over 500 complaints. The activists are giving the companies a 60-day grace period to bring their banners in line with the requirements of the General Data Protection Regulation (GDPR).
“We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights,” Schrems said in a statement.
The GDPR provides that refusing consent to personal data processing should not be more difficult than giving it. The initiative is meant to counter so-called ‘dark patterns’, the practice of extorting user consent, for instance through the design of a certain interface.
In other words, non-compliant websites do not give a ‘yes or no’ option but make it so difficult for users to deny their consent that they just accept the cookies against their will. NOYB estimates that 90% of users click accept in these cases, while only 3% of them would want to.
According to the activists, in the first round of complaints 42% of the companies tried to apply the relevant remedies within one month, but the overwhelming majority were still not compliant.
456 complaints were officially filed with 20 different data protection authorities, coordinated by an ad hoc task force of the European Data Protection Board (EDPB), the EU body responsible for streamlining GDPR enforcement.
For NOYB, the first round of complaints had a significant deterrent effect on other non-compliant websites, which, even though not directly concerned, adjusted their banners to prevent a complaint, likely on advice from the cookie banner software providers.
“We saw a clear ‘spill over’ effect. Many websites we have not yet contacted quickly improved their settings, once we started filing complaints. This means that our approach was ensuring compliance beyond the individual cases,” said Ala Krinickytė, a data protection lawyer at NOYB.
The organisation said it will continue to scan and review cookie banners from up to 10,000 websites in the coming months.
[Edited by Nathalie Weatherald]