The EU’s main privacy law, the General Data Protection Regulation (GDPR), is three years old. Access Now has produced what it calls an “implementation report”, which usefully summarizes the GDPR’s achievements and problems. One of the latter is the lack of enforcement by the Irish Data Protection Commission. Another is the continuing use by Web sites of “cookie walls”, also known as “cookie banners”, to force visitors to give up their GDPR rights. If they don’t, people may be denied access to the site. Cookie walls typically require visitors to agree to share large quantities of personal data with hundreds or even thousands of companies, often through real-time bidding.
According to research carried out by the privacy organization NOYB.eu, the majority of major EU Web sites do not offer an option to reject cookies at all. Many use deceptive colors and contrasts – so-called “dark patterns” – to cajole or trick users into clicking on the “accept” option. In total, 90% of the sites examined did not provide an easy way to withdraw consent to cookie tracking. NOYB.eu and its founder, the privacy activist Max Schrems, have had enough of this blatant disregard for the rights of users under the GDPR. They have launched a new campaign against what they call “cookie banner terror”:
Today, noyb.eu sent over 500 draft complaints to companies who use unlawful cookie banners – making it the largest wave of complaints since the GDPR came into force.
By law, users must be given a clear yes/no option. As most banners do not comply with the requirements of the GDPR, noyb developed a software that recognizes various types of unlawful cookie banners and automatically generates complaints. Nevertheless, noyb will give companies a one-month grace period to comply with EU laws before filing the formal complaint. Over the course of a year, noyb will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe. If successful, users should see simple and clear “yes or no” options on more and more websites in the upcoming months.
According to Schrems, companies admit that only around 3% of users want to accept cookies. That’s backed up by interesting data about the opt-in rate for users of Apple’s new iOS 14.5, discussed recently on this blog. Research by the company Flurry shows that worldwide only about 15% of users chose to allow tracking; in the US it is even lower, around 6%. Schrems points out that many Internet users blame the necessity to accept cookies on the GDPR, when in fact it is a result of most Web sites adopting designs that violate the GDPR. The latter requires a simple “yes” or “no” option for cookies, but companies have deviated greatly from this simple approach.
The draft letters being sent out by NOYB.eu are not formal complaints under the GDPR. They give companies a month to re-design their sites to comply with EU legislation. Schrems’ organization has produced a guide to help them do that, as well as a FAQ to answer their queries. The aim is to nudge the most popular Web sites in the EU to do the right thing, and comply with the GDPR.
If they don’t, NOYB.eu makes it clear that it will proceed to a formal complaint to the data protection authorities in the relevant country. This makes its draft complaint a powerful way of giving non-compliant companies a last chance to fall into line. Moreover, the planned scale of this campaign is likely to emphasize to companies that this is not some minor issue, but a major assault on their neglect of the GDPR’s rules. Since the system is automated, there is no reason why Web sites beyond the initial 10,000 could not be targeted to ensure that as much of the Web ecosystem in the EU as possible complies with the GDPR. NOYB.eu is working on another project that would allow people in the EU to signal their privacy choices automatically, without ever seeing cookie banners at all. Schrems says that more on this will be revealed in the coming weeks.
This is not the only important new campaign that NOYB.eu is involved in. In a joint action with Privacy International, the Hermes Center for Transparency and Digital Human Rights, and Homo Digitalis, Schrems’ organization has filed legal complaints against Clearview AI, the facial recognition company that emerged from the shadows last year. According to the groups:
Clearview has no lawful basis for collecting and processing any of this [biometric] data. In particular, it does not obtain data subjects’ consent and such practices cannot fall under its “legitimate interests”. In addition, the processing of special categories data cannot be considered to be of data that has been “manifestly made public” by the data subject (Article 9(2)(e) GDPR)
This is obviously not just about Clearview AI: the scraping of facial images from the Internet is a widespread practice. A win by these organizations against Clearview AI would apply to all companies operating in a similar way. As the increasing number of posts on Privacy News Online about facial recognition and its problems indicates, this is an extremely important area for privacy rights:
the development and deployment of this sort of surveillance by private actors has a chilling effect on people’s willingness to express themselves online, and can be a threat to people going about their lives freely. It is crucial for a healthy, striving and open Internet that people feel free to share personal information and photos however and wherever they want, without the fear that they might be ‘grabbed’ by private companies and shared with strangers.
The data protection authorities in Austria, France, Greece, Italy, and the United Kingdom have three months to respond to the complaints.
Featured image by David Bohmann.