Introduction
The Data Protection pressure group NOYB announced on 09 August 2022 that it had filed an additional 226 complaints to Data Protection Authorities (DPAs) in 18 countries over the use of OneTrust cookie banners. This is just the latest in a long line of complaints and regulatory investigations into the use of cookies.
What are the complaints about?
The complaints are part of an ongoing campaign that NOYB has launched looking at compliance with GDPR and with specific EU cookie laws. We looked at the background to these complaints last year here https://www.corderycompliance.com/cookie-enforcement-rising/. Effectively, the complaints are about the configuration of the OneTrust banner and software. As a general rule, it should be as easy to reject cookies as it is to accept them. The European Data Protection Board (EDPB) launched a special task force in September 2021 to coordinate the response across the EU to cookie banner complaints filed by NOYB. That task force is exchanging views on legal analysis and possible infringements, providing support to national DPAs and streamlining communication.
Previous complaints
The new complaints are part of a long-running campaign by NOYB and its founder Max Schrems. Cookies have been on the agenda for many DPAs with recent enforcement activity in Belgium, Czech Republic, Denmark, Finland, France, Germany, Netherlands, Norway and Spain. The UK has had a long-running investigation into Adtech which stalled during the pandemic but resulted in a Commissioner’s Opinion last November. We’ve written on some of the earlier enforcement action including fines in France for Google and Facebook in January here https://www.corderycompliance.com/google-fb-cookie-fines/ and the fines last year on Carrefour here https://www.corderycompliance.com/french-dpr-fine-for-dtt-non-compliance/. The European Parliament was also reprimanded in January this year as a result of an NOYB complaint (see https://www.corderycompliance.com/edps-on-data-trf-compliance/).
How the NOYB Campaign work?
In the first round of complaints, NOYB sent a number of organisations a link to an online tool. They asked them to improve their compliance and demonstrate that they had done so. In the first round, according to NOYB, 42% of organisations made changes within 30 days. In this round, according to Mr. Schrems compliance is worse – only 24% of concerns were dealt with in 60 days.
Proposed law changes
There are proposed changes to cookies law both at an EU level (see https://www.corderycompliance.com/client-alert-eu-privacy-reg-proposed-amends-metadata-cookies-legitimate-interests-consent/) and in the UK (see https://www.corderycompliance.com/reforms-uk-dp-regime-3/). The proposed EU changes have been particularly protracted. Nonetheless the complaints tell us that these are issues which consumer groups continue to be passionate about. It is notable that in some respects these complaints are against organisations which have done something – they have put cookies banners in place – but it seems they have not followed through to ensure compliance with the laws currently in place.
What happens next?
National DPAs will investigate the complaints that affect organisations and their jurisdiction.
NOYB has now said that they will move beyond looking at the OneTrust platform and that customers who use TrustArc, Cookiebot, Usercentrics and Quantcast are likely to be the next targets.
Practical steps to compliance
To manage their cookie compliance risk businesses should consider undertaking an overall cookie compliance audit. That may include the following:
- Identifying cookies that are either operating on or through the website;
- Confirming what types of cookies they are;
- Confirming whether cookie ownership is first party or third party;
- Confirming whether there is any third party access to the cookies;
- Determining cookie lifespan and deciding whether the duration is justifiable for the stated purpose;
- Confirming the purposes of each of the cookies that are used/intended to be used;
- Identifying the data that each cookie holds or processes;
- Confirming if the cookies are linked to other information held about users and whether the use of cookies involves processing personal data;
- Reviewing consent mechanisms – ask yourself: is it as easy to reject cookies as to accept them? Be especially aware of ‘nudging’, the colours you use and the look and feel of any cookies banner;
- Setting out an action plan to address any of the above issues and fully documenting the audit along with updating the business’ cookies policy and if necessary the privacy policy to ensure accuracy and consistency;
- Examining compensation claim risk and having a plan to deal with claims quickly. We have seen a rise in threatened cookies claims, some with more merit than others; and,
- Keeping abreast of changes in the law – some change is inevitable although the timing remains uncertain.
More Information
You can find out more about Cordery’s fixed fee cookies clinic to check your compliance here https://www.corderycompliance.com/more-cordery-solutions/cordery-cookies-clinic/.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
| Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
 |
 |