Als onderdeel van een eenjarig project wil Noyb (None Of Your Business, de organisatie van privacyactivist Max Schrems) de naleving van de Algemene Verordening Gegevensbescherming (AVG) afdwingen met betrekking tot de inzet van cookies op maximaal 10.000 websites in Europa. Nadat op 31 mei een schriftelijke waarschuwing en een conceptklacht naar meer dan 500 bedrijven waren gestuurd, werd 42% van alle overtredingen binnen 30 dagen verholpen. 82% van alle bedrijven is echter niet volledig gestopt met het schenden van de AVG. Daarom heeft noyb vandaag 422 klachten ingediend bij tien gegevensbeschermingsautoriteiten.
42% of all violations in first batch of 516 websites fixed. In the first batch of complaints, companies remedied 42% of the violations that noyb identified in Spring 2021. Of the companies that previously violated the law in this respect, 42% added a “reject” option. 68% removed “pre-ticked” boxes. 46% solved issues around using different colors for “accept” and “reject” buttons. 22% gave up on claiming that they have a “legitimate interest” that would allow tracking without user consent. Overall, 1028 individual violations across more than 516 websites were removed by the companies. Among the companies that fully stopped using “dark patterns” to gain user consent, are global brands like Mastercard, Procter & Gamble, Forever 21, Seat or Nikon.
“Withdrawal” option biggest obstacle for compliance. The biggest resistance from websites concern the GDPR’s requirement to make withdrawing consent as easy as giving consent. Only 18% added such an option (a “withdrawal icon”) to their website.
Max Schrems, Chairperson of noyb: “We saw a lot of improvements on many websites and are very happy with the first results. Some major players like Seat, Mastercard or Nikon have instantly changed their practices. However, many other websites have only stopped the most problematic practices. For example, they may have added a ‘reject’ option, but still make it hard to read. The requirement to show a prominent withdrawal option clearly faced the biggest resistance from website owners.”
422 cases filed with DPAs in ten countries. As many companies have only resolved certain violations, noyb still had to file complaints in 422 of the 516 cases, or in 82% of all initial draft complaints. It will therefore be up to Data Protection Authorities (DPAs) to review the complaints by noyb and enforce the law.
Max Schrems: “In informal feedback we heard that companies worried that competitors would not comply which would create unfair advantages. Others said that they want a clear ruling by the authorities, before they start complying. We therefore hope that the data protection authorities will issue decisions and sanctions soon.”
Additional 36 “major” pages fully resisted. Independent of scanning websites in the first batch, noyb also looked into larger global and national websites that use custom “cookie banners” and required manual review. This includes all major platforms like Amazon, Twitter, Google or Facebook. All of them have resisted settling fixing their banners. noyb will consequently file an additional 36 complaints concerning these websites. These pages are not included in the statistics above, as their violations were somewhat different than the automatically scanned pages.
Max Schrems: “There is a trend that larger players and pages that are very dependent on advertisement largely ignored our offer to settle cases. Some openly argue that it would be legal to manipulate users into clicking ‘okay’. We will obviously bring cases here as well.”
Need for European Harmonization. Many DPAs already issued non-binding guidelines on the use of “dark patterns” in cookie banners. While they all go in the same direction, they are often only discussing certain types of dark patterns and stay silent on others. noyb has based its complaints on the various guidelines, but businesses regularly rejected guidelines from other DPAs from another Member State.
Max Schrems: “We need clear pan-European rules. Right now, a German company feels that the French authorities’ interpretation of the GDPR only applies to France, even though they operate under the same law within the same European market.”
Special Role of Austrian DPA. noyb has tried to file directly with the local DPA of the website whenever possible. We have contacted the relevant DPAs beforehand. About 50% of all complaints will be filed with the Austrian DPA (“Datenschutzbehörde”) who will, in turn, have to relay these cases to other countries, as noyb is unable to file in the relevant languages. In about 100 cases there is no establishment in the EU which makes the Austrian DPA the sole authority as the complainants are based in Vienna. The fact that about half of the cases go through Austria, makes the small Austrian DPA a central player in this case which is rather demanding for an authority with limited budget and personal.
Max Schrems: “We have done everything in our power to streamline these complaints. Nevertheless, we are fully aware that this first ‘mass complaint’ in the EU will be demanding for authorities.”
Next Steps. As the first test phase is now completed, noyb will aim at the current goal and scan, review, warn and enforce the law on up to 10,000 website within one year, so that users will have a real choice in the future.
Max Schrems: "We expect the first decisions by the end of the year. By then we should see most other websites switch to simple 'yes' or 'no' options."
