Are cookie pop-ups getting you down? Complaints that the web is “unusable” in Europe because of frustrating and confusing “data choice” notifications that get in the way of what you are trying to do online are certainly not hard to find.
What is hard to find is the ‘Reject All’ button that lets you turn off non-essential cookies, which feed unpopular things like creepy ads. Yet the law says there should be a clearly offered opt-out. So people who complain that the EU’s “regulatory bureaucracy” is the problem are aiming at the wrong target.
EU legislation on cookie consent is clear: internet users should be offered a simple and free choice – accept or refuse.
The problem is that most websites simply don’t comply. They choose to mock the law by offering a skewed choice: generally a very simple opt-in (to hand over all your data) versus a very confusing, frustrating and tedious opt-out (and sometimes no reject option at all).
Make no mistake: this is ignoring the law by design. The sites choose to try to wear people down so that they can keep collecting their data, by offering only the most cynically asymmetrical “choice” possible.
However, since this is not how cookie consent is supposed to work under EU law, sites that do this risk severe fines under the General Data Protection Regulation (GDPR) and/or the ePrivacy Directive for flouting the rules.
See, for example, the two huge fines imposed on Google and Amazon in France at the end of last year for dropping tracking cookies without consent …
While these fines have certainly turned heads, we generally haven’t seen much EU enforcement on cookie consent – yet.
Indeed, most data protection agencies have taken a soft approach to bringing sites into compliance. But there are signs that enforcement is going to get much stricter. For one thing, the DPAs have published detailed guidance on what good cookie compliance looks like – so there’s no excuse for getting it wrong.
Some agencies also offered compliance grace periods to give businesses time to make the necessary changes to their cookie consent flows. But it is now three years since the EU’s flagship data protection regime (GDPR) entered into force. So, again, there is no valid excuse for still having a horribly cynical cookie banner. It just means that a site is trying its luck by breaking the law.
There’s another reason to expect cookie consent enforcement to arrive soon: European privacy group noyb is today launching a major campaign to clean up the trash fire of non-compliance – with a plan to file up to 10,000 complaints against violators over the course of this year. And as part of this action, it is offering free guidance to offenders to help them comply.
Today it announces the first batch of 560 complaints already filed against sites, large and small, located across the EU (33 countries are covered). Noyb said the complaints target companies ranging from big players like Google and Twitter to local pages “that have relevant visitor numbers.”
“Instead of giving a simple yes or no option, companies are using all the tricks in the book to manipulate users. We have identified more than fifteen common abuses. The most common problem is that there is simply no ‘reject’ button on the initial page,” he added. “We focus on popular pages in Europe. We estimate that this project can easily reach 10,000 complaints. Because we are funded by donations, we offer businesses a free and easy settlement option, unlike law firms. We hope that most complaints will be resolved quickly and we may soon see the banners become more and more privacy-friendly.”
To scale up its action, noyb has developed a tool that automatically analyzes cookie consent flows to identify compliance issues (such as no opt-out option offered at the top level; confusing button coloring; or false “legitimate interest” registrations, to name just a few of the many chronic offenses) and automatically creates a draft report that can be emailed to the offender after being reviewed by a member of the association’s legal staff.
It’s an innovative and scalable approach to tackling the systematically cynical manipulation of cookie consent, in a way that could really shake things up and clean up the trash fire of horrible cookie pop-ups.
Noyb even gives violators a warning first – and a full month to clean up their act – before filing a formal complaint with their competent DPA (which could result in a hefty fine).
Its first batch of complaints focuses on the consent management platform (CMP) OneTrust, one of the most popular template tools used in the region – and one which European privacy researchers have already shown (cynically) provides its customers with many options to set non-compliant choices such as pre-checked boxes… Talk about taking the cookie.
A spokesperson for noyb said it started with OneTrust because its tool is popular, but confirmed the group will expand the action to cover other CMPs in the future.
Noyb’s first batch of cookie consent complaints reveals the rotten depth of the dark patterns deployed – with 81% of the over 500 pages not offering a reject option on the initial page (meaning users have to dig into the submenus to try to find it); and 73% using “deceptive colors and contrasts” to try to trick users into clicking the “accept” option.
Noyb’s evaluation of this batch also found that a total of 90% did not provide a way to easily withdraw consent as required by law.
It’s a snapshot of a truly massive enforcement failure. But questionable cookie consent is now living on borrowed time.
When asked if it was able to determine the prevalence of cookie abuse in the EU based on the sites it crawled, the noyb spokesperson said this was difficult to determine, due to technical difficulties in its process, but said an initial intake of 5,000 websites had been reduced to 3,600 sites to focus on. And of those, it was able to determine that 3,300 had violated the GDPR.
There were 300 left – either with technical issues or with no violations – but, again, the vast majority (90%) were found to have violations. And with so many rule violations, it really does require a systematic approach to solving the problem of “false consent” – so noyb’s use of automation technology is very appropriate.
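The kind of automated banner check described above, as an added example (it is not noyb’s tool and not code from the original article): it audits a simplified banner description for four of the issues the article names. The banner object shape, the finding names and the 2x prominence threshold are assumptions; contrast is computed with the WCAG 2.x contrast-ratio formula.

```javascript
// Added example: the banner object shape and PROMINENCE_RATIO are assumptions.
const PROMINENCE_RATIO = 2; // assumed cut-off: accept stands out 2x more than reject

// WCAG 2.x relative luminance of an sRGB colour written as "#rrggbb".
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio between two colours (1 = identical, 21 = black on white).
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// Returns the list of issues found in one banner description.
// `color` is a button's fill colour; prominence is its contrast with the banner.
function auditBanner(banner) {
  const findings = [];
  const firstLayer = banner.buttons.filter((b) => b.layer === 1);
  const accept = firstLayer.find((b) => b.action === "accept");
  const reject = firstLayer.find((b) => b.action === "reject");
  if (!reject) findings.push("no-reject-on-first-layer");
  if (accept && reject) {
    const a = contrast(accept.color, banner.background);
    const r = contrast(reject.color, banner.background);
    if (a / r >= PROMINENCE_RATIO) findings.push("deceptive-contrast");
  }
  const preChecked = banner.purposes.some((p) => !p.essential && p.preChecked);
  if (preChecked) findings.push("pre-checked-non-essential");
  if (!banner.withdrawLink) findings.push("no-easy-withdrawal");
  return findings;
}

// Constructed sample banners (not taken from any real site).
const hiddenReject = {
  background: "#ffffff", withdrawLink: false,
  buttons: [{ action: "accept", layer: 1, color: "#0057ff" },
            { action: "reject", layer: 2, color: "#0057ff" }],
  purposes: [{ name: "ads", essential: false, preChecked: true }],
};
const mutedReject = {
  background: "#ffffff", withdrawLink: true,
  buttons: [{ action: "accept", layer: 1, color: "#0057ff" },
            { action: "reject", layer: 1, color: "#f2f2f2" }],
  purposes: [{ name: "ads", essential: false, preChecked: false }],
};
console.log(auditBanner(hiddenReject), auditBanner(mutedReject));
```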
More innovation is also on the way from the nonprofit – which told us it is working on an automated system that will allow Europeans to “flag their privacy choices in the background, without annoying cookie banners”.
At the time of writing, it couldn’t provide us with more details on how this would work (it will likely be some sort of browser plug-in), but said it would post more details “in the next few weeks” – so hopefully we will learn more soon.
A browser plug-in capable of automatically detecting and selecting the ‘Reject All’ button (even if only for a subset of the most popular CMPs) sounds like it could revive ‘Do Not Track’. At the very least, it would be a powerful weapon to combat the plague of dark patterns in cookie banners and grind non-compliant cookies into digital dust.