On Monday (May 31st, 2021) the “Noyb” association sent over 500 data privacy complaints to various companies. The reason for the complaints is a missing reject button in the website's consent (cookie) banner, or an overly complicated reject option.
Noyb is an Austrian association of data privacy activists founded by Max Schrems, and is best known for the Schrems II judgment.
The GDPR (Article 7) lists some conditions for a user's consent, but does not specify how the consent dialogue itself must be designed. GDPR Recital 42 (5) explains in more detail that consent is only given voluntarily if the user has a “real or free choice”. It is therefore clear that the user must also have the option to refuse consent. However, there are no clear guidelines as to what such a refusal option should look like.
Max Schrems and his association "Noyb" have now developed software that can recognize various types of illegal cookie banners and automatically generate complaints. According to Noyb, the respective companies are given a one-month period to adjust their own banners to the settings that Noyb considers to be data privacy compliant.
Noyb criticizes the following points of the consent banner in the complaints:
- No rejection option in the first banner dialog (first layer)
- Preselected categories, purposes or services
- Reject link instead of a reject button
- Misleading contrast of the reject button
- Misleading color of the reject button
- Incorrect use of the legal basis “Legitimate Interest” (GDPR, Art. 6.1 f)
- Misuse of the purpose "Essential"
- The possibility of withdrawing consent is not as easy as giving consent (GDPR, Art. 7.3)
Noyb does not give any specific information or examples in its article, but has created a guide based on OneTrust CookiePro on how the individual points are to be implemented. Unfortunately, it contains no negative or positive examples either.
For example, the following Noyb cookie banner is not permitted:
Here, the reject button is missing. Corrected, it could look like this:
Even here, privacy advocates like Noyb could still criticize the pale color scheme of the reject button and/or the icon selection.
A consent banner based on Noyb's ideas is exemplary from a data privacy point of view. On the other hand, approval rates sometimes drop to far below 50%, which means that reliable evaluations are hardly possible. Website operators should therefore also consider whether the tracking pixels they use can be redesigned into data protection-friendly variants, in order to be able to collect data without user consent.