Xcina Blog

Second wave of complaints targets deceptive cookie banners

‘In Perspective’, our weekly blog by Natasha King, Data Protection Consultant at Xcina Consulting, examines the latest batch of complaints filed by a well-known online privacy campaign group against websites that allegedly use misleading cookie banners. Our analysis looks at what happened and why it matters; read our complete review below.

Privacy campaign group lodges 226 complaints against deceptive cookie banners that still fail to comply with GDPR

What happened

  • The European Center for Digital Rights (known as “noyb”), an online privacy campaign group founded by well-known activist Max Schrems, has filed a new round of complaints against companies it claims are still using “deceptive cookie banners” and are otherwise in violation of GDPR rules, following prior warnings to update their cookie consent banners. This comes just over a year after noyb launched a major project targeting thousands of sites flouting cookie tracking laws.
  • According to the campaign group, 226 websites have been the subject of the second round of complaints, which have been filed with 18 data protection authorities (DPAs) around Europe. In relation to the complaints, Schrems said “after one year, we got to the hopeless cases that hardly react to any invitation or guidance. These cases will now have to go to the relevant authorities.”
  • As with earlier actions by noyb, the complaints concern websites using the OneTrust cookie solution, which is the most widely used cookie banner software. This is because the tool noyb uses to automatically scan websites and identify those that aren’t compliant is currently only compatible with OneTrust. But it’s not the software itself that’s the issue — rather the deceptive settings that some website operators are choosing to configure through the tool, noyb claims.
  • The alleged offenders are accused of using so-called “dark patterns” in their cookie banners, which are user interface design techniques intended to trick, or at the very least persuade, users into activities they may not otherwise choose. Dark patterns are said to increase the number of users who agree to having cookies installed in their web browsers; however, privacy advocates argue that opt-ins gained through dark patterns do not constitute valid consent and therefore violate GDPR.
  • Noyb provides a list of many typical dark patterns that appear in OneTrust cookie banners. These include the absence of a ‘Reject’ option on the first layer of a consent pop-up banner, pre-ticked boxes on the second layer of a consent mechanism, and misleading design features which make the ‘Accept’ option more prominent or obscure the meaning of different options.

Why it matters

  • Misleading GDPR consent pop-ups have been the focus of many complaints, and DPAs have been active recently regarding the lawful use of cookies and other digital services. However, noyb is yet to hear the decisions on its first set of complaints filed with DPAs last year. The European Data Protection Board (EDPB) has launched a taskforce to coordinate the responses of the DPAs, but enforcement is a lengthy process and the first decisions on the complaints are not expected until the end of this year.
  • The websites which are the target of noyb’s complaints will presumably have been aware of the next steps, since according to Schrems, noyb initially sends draft complaints to offending websites and then allows them 60 days to amend their settings, before filing a formal complaint if changes are not made.
  • Not all agree with noyb’s interpretation of GDPR and some of those targeted may believe they’re on firm grounding, and that they don’t need to change their cookie banners in order to comply with GDPR.
  • However, dark patterns are becoming the target of EU DPAs, and the EDPB’s guidelines on “dark patterns in social media platform interfaces” confirm their focus on such practices. In addition, dark patterns are expressly prohibited under the EU’s upcoming Digital Services Act, which is anticipated to go into effect at the beginning of 2024. This will soon eliminate any room for ambiguity. The only remaining issue is how quickly regulators will enforce the ban.
  • There are wider changes being made already, with Google adjusting its cookie banner pop-up in Europe in April to make it equally easy to accept or reject cookies. Additionally, noyb says website operators’ attitudes are changing, and it’s seeing much higher levels of compliance across Europe.
  • Deceptive design strategies for the use of cookies are not only unethical, but may also lead to an organisation’s cookie banner attracting the attention of privacy activists and DPAs. In light of the most recent developments, organisations should take this opportunity to review the cookie mechanisms currently in place on their websites, making sure that non-essential cookies are disabled by default and that users are given the necessary information and freedom of choice regarding the use of cookies, without having to travel across multiple screens.
  • For UK based organisations, the ICO has produced guidelines addressing the use of cookies and similar technologies in detail, which are available here.

Adtech company Criteo faces €60 million fine for EU GDPR breaches

What happened

  • The CNIL, France’s data protection authority, has issued a preliminary ruling finding that adtech giant Criteo violated the EU GDPR, imposing a preliminary fine of €60 million following a lengthy investigation.
  • CNIL launched its investigation into Criteo’s data processing practices connected to targeted advertising and user profiling in 2020, following a complaint filed in 2018 by NGO Privacy International, a UK-based data privacy advocacy group, over the data processing practices of several adtech firms including Criteo.
  • NGO Privacy International alleged, amongst other things, that Criteo’s use of internet users’ personal data, including special category data, for profiling purposes lacked a lawful basis and violated several GDPR principles.
  • It accused Criteo of running a “manipulation machine” through the use of a number of tracking tools and data processing procedures that are intended to profile web users so that behavioural ads can be targeted at them and advertisers can pay for “individual-level shopper predictions.”
  • Six other firms, including credit reference agencies Experian and Equifax, data brokers Acxiom and Oracle, and adtech companies Tapad and Quantcast, were also subject to complaints by the advocacy group for the way they gathered, used, and sold users’ personal data for ad revenue without their knowledge or consent.
  • It is understood that Criteo is now preparing for a formal hearing before the CNIL Sanction Committee where it has the right to respond to the findings. As part of the cooperation system outlined in Article 60 of the GDPR, the committee will publish a draft conclusion following the hearing, which the other European data authorities will subsequently evaluate.
  • According to Criteo, the case, and any related fines, is unlikely to be resolved until sometime next year.

Why it matters

  • The adtech industry has faced greater scrutiny under the GDPR in recent years, and news of the intended fine will undoubtedly put other firms in the industry on edge, especially as privacy regimes continue to expand globally.
  • In May 2019, the Irish Data Protection Commission confirmed it was investigating Quantcast, while the ICO has ongoing probes into Acxiom, Experian, and Equifax.
  • In February of this year, the European arm of the Interactive Advertising Bureau was fined €250,000 by the Belgian data protection authority for GDPR violations.
  • The ICO has also publicly called on Google and other online companies to eliminate privacy risks posed by the adtech industry when it issued a set of data protection standards to be met when developing new advertising technologies.
  • At this stage, it’s unclear whether the ruling could lead to a series of fines being issued by CNIL and other European data authorities against adtech firms for similar infringements.
  • However, given that Criteo is amongst the first high-profile adtech companies to be hit with such a high GDPR penalty, the case will certainly set the precedent for regulatory action moving forward, and is therefore likely to be subject to significant scrutiny and potential objections from the other European supervisory authorities before reaching a final decision. Xcina Consulting will closely monitor the developments and provide updates as the case progresses.

We’d love to hear from you

Natasha is an experienced privacy professional with a proven ability to implement and manage successful data protection compliance programmes. Prior to joining Xcina Consulting, Natasha gained extensive knowledge and experience in dealing with complex privacy challenges across various sectors including the insurance industry, healthcare, education, and local government. She is a member of the International Association of Privacy Professionals (IAPP), holding a CIPP/E accreditation and is a certified BCS Practitioner in Data Protection.

To discuss how the areas highlighted in this post, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Natasha King

Data Protection Consultant

Speak to me directly by Email, or
Telephone: +44 (0)20 3745 7826
