Europe's Cookie Consent Changes: What You Need to Know

The Growing Frustration with Cookie Pop-ups in Europe

Are cookie notifications disrupting your online experience? Numerous reports indicate widespread dissatisfaction with the prevalence of frustrating and unclear “data choice” notifications encountered on the web, particularly within Europe.

Despite the legal requirement for a straightforward opt-out option for non-essential cookies, finding a clearly labeled “reject all” button remains surprisingly difficult. Consequently, criticisms directed at EU “regulatory bureaucracy” may be misdirected.

EU Law and the Right to Choose

The stipulations of EU law regarding cookie consent are unambiguous: web users must be presented with a simple and accessible choice – the ability to either accept or decline consent.

However, a significant number of websites are failing to adhere to these regulations. Instead, they are deliberately creating a biased selection process, typically offering a simple acceptance option alongside a complex and time-consuming rejection process, or even omitting a rejection option entirely.

This deliberate disregard for the law is driven by a desire to pressure users into accepting data collection by making the alternative overly burdensome.

Websites engaging in these practices risk substantial fines under the General Data Protection Regulation (GDPR) and the ePrivacy Directive for non-compliance.

Recent examples include significant fines levied against Google and Amazon in France for deploying tracking cookies without obtaining proper consent.

Increased Enforcement on the Horizon

While EU enforcement of cookie consent rules has historically been limited, indications suggest a shift towards stricter oversight is underway.

Data protection agencies have generally favored a gradual approach to compliance, but have now issued comprehensive guidance outlining proper cookie consent procedures, leaving little room for ambiguity.

Furthermore, the initial grace periods granted to companies for implementing necessary changes have expired, as three years have passed since the GDPR came into effect. Continuing to utilize manipulative cookie banners now constitutes a clear violation of the law.

noyb’s Campaign for Compliance

European privacy advocacy group, noyb, is launching a large-scale initiative to address the widespread non-compliance with cookie consent regulations. Their plan involves filing up to 10,000 complaints against offending websites throughout the year.

As part of this effort, noyb is providing free guidance to help organizations achieve compliance.

The first wave of 560 complaints has already been submitted, targeting both large corporations like Google and Twitter, as well as smaller websites with significant European traffic.

According to Max Schrems, chair of noyb, “Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Companies must facilitate users to express their choice and design systems fairly.” He further noted that despite only 3% of users actively wanting to accept cookies, over 90% are persuaded to do so through manipulative tactics.

Automated Detection and Reporting

To facilitate its campaign, noyb has developed an automated tool capable of analyzing cookie consent flows and identifying compliance issues. These include the absence of a reject option, misleading color schemes, and illegitimate “legitimate interest” opt-ins.

The tool generates draft reports that are reviewed by noyb’s legal team before being sent to the offending websites.

This innovative and scalable approach aims to systematically address the pervasive issue of cynical cookie manipulation.

noyb is providing offenders with a one-month warning period to rectify their practices before filing official complaints with the relevant Data Protection Authorities (DPAs), potentially leading to substantial fines.

Focus on Consent Management Platforms

The initial complaints are focused on OneTrust, a popular consent management platform (CMP), which has been previously criticized for offering options that facilitate non-compliant cookie consent practices.

noyb intends to expand its action to encompass other CMPs in the future.

Prevalence of Dark Patterns

An analysis of the first batch of complaints revealed that 81% of the websites examined did not offer a reject option on the initial page, forcing users to navigate through submenus. Furthermore, 73% employed deceptive colors and contrasts to encourage acceptance.

A staggering 90% of the websites did not provide a straightforward method for withdrawing consent, as required by law.

This data highlights a widespread failure in enforcement, but the situation is rapidly changing.

noyb estimates that approximately 90% of the 3,600 websites it analyzed were found to be in violation of the GDPR.

Future Innovations in Privacy Protection

In addition to its complaint-driven approach, noyb is developing an automated system that will allow European users to express their privacy preferences automatically, eliminating the need for intrusive cookie banners.

Details regarding this system, potentially a browser plug-in, will be released in the coming weeks.

Such a tool could potentially revive the “do not track” concept and provide a powerful defense against manipulative cookie banner practices.

The development of automated solutions is crucial for addressing the systematic nature of the “bogus consent” problem and ensuring a more privacy-respecting online experience.