On Monday (May 31st, 2021) the “Noyb” association sent over 500 data privacy complaints to various companies. The reason for the complaint is a missing reject button in the Consent-(Cookie)-Banner of the website, or the overly complicated reject option.
Noyb is an Austrian association of data privacy activists, founded by Max Schrems and was best known for the Schrems II judgment.
Since the introduction of the European General Data Protection Regulation (GDPR) in May 2018, there has been an ongoing discussion about how exactly a Consent-(Cookie-)Banner should look in terms of its functionality and design. In any case, it is undisputed that the use of cookies and similar technologies in many cases requires the consent of the website visitors. However, it is unclear how exactly this consent request should look like on a website.
The GDPR (Article 7) is listing some conditions to the consent of a user, but does not specify how the consent dialogue itself must be designed. In GDPR Recital 42 (5) it is explained in more detail that consent is only given voluntarily if the user has a “real or free choice”. It is therefore clear that the user must also have the option to refuse consent. However, there are no clear guidelines as to what such a refusal option should look like.
In the absence of clear regulations, several variants of cookie banners have now emerged in practice, which make it more or less easy to refuse consent to the use of cookies and similar technologies when entering a website. This has led to a debate between data protectionists and website operators, in which (e.g.) “Noyb” plays a central role. Like other privacy advocates, the view of Noyb is that (in accordance with the GDPR) a cookie banner must give users a clear choice between “yes” and “no”. The rejection must be just as quick with one click as the approval and a “hiding” this option behind terms such as “adapt” or “settings” is not permissible in this view.
Max Schrems and his association "Noyb" have now developed software that can recognize various types of illegal cookie banners and automatically generate complaints. According to Noyb, the respective companies are given a one-month period to adjust their own banners to the settings that Noyb considers to be data privacy compliant.
Noyb criticizes the following points of the consent banner in the complaints:
- No rejection option in the first banner dialog (first layer)
- Preselected categories, purposes or services
- Reject link instead of a reject button
- Misleading contrast of the reject button
- Misleading color of the reject button
- Incorrectly used legality condition “Legitimate Interest” (GDPR, Art. 6.1 f)
- Purpose misused "Essential"
- The possibility of withdrawing consent is not as easy as giving consent (GDPR, Art. 7.3)
Noyb does not give any specific information or examples in its article, but has created a guide based on Onetrust CookiePro on how the individual points are to be implemented. Unfortunately there are no negative/positive examples in it either.
Specifically, for example, the following Noyb cookie banner is not permitted:
Here, the Reject Button is missing. Corrected it could look like this:
Even here, privacy advocates like Noyb could still criticize the pale color scheme of the reject button and/or the icon selection.
A consent banner based on Noyb's ideas is exemplary from a data privacy point of view. On the other hand, the approval rates sometimes drop to far below 50%, which means that reliable evaluations are hardly possible. Website operators should therefore perhaps also consider the question of whether the tracking pixels used can possibly be redeisgned to data protection-friendly variants in order to be able to collect data without user consent.