Europe's cookie consent reckoning is coming

Cookie pop-ups getting you down? Complaints that the web is "unusable" in Europe because of frustrating and confusing "data choice" notifications that get in the way of what you're trying to do online certainly aren't hard to find.

What is hard to find is the "reject all" button that lets you opt out of non-essential cookies that power unpopular stuff like creepy ads. Yet the law says there should be an opt-out clearly offered. So people who complain that EU "regulatory bureaucracy" is the problem are taking aim at the wrong target.

EU law on cookie consent is clear: Web users should be offered a simple, free choice -- to accept or reject.

The problem is that most websites simply aren't compliant. They choose to make a mockery of the law by offering a skewed choice: Typically a super simple opt-in (to hand them all your data) versus a highly confusing, frustrating, tedious opt-out (and sometimes even no reject option at all).

Make no mistake: This is ignoring the law by design. Sites are choosing to try to wear people down so they can keep grabbing their data by only offering the most cynically asymmetrical "choice" possible.

However, since that's not how cookie consent is supposed to work under EU law, sites that are doing this are opening themselves to large fines under the General Data Protection Regulation (GDPR) and/or ePrivacy Directive for flouting the rules.

See, for example, these two whopping fines handed to Google and Amazon in France at the back end of last year for dropping tracking cookies without consent.

While those fines were certainly head-turning, we haven't generally seen much EU enforcement on cookie consent -- yet.

This is because data protection agencies have mostly taken a softly-softly approach to bringing sites into compliance. But there are signs enforcement is going to get a lot tougher. For one thing, DPAs have published detailed guidance on what proper cookie compliance looks like -- so there are zero excuses for getting it wrong.

Some agencies had also been offering compliance grace periods to allow companies time to make the necessary changes to their cookie consent flows. But it's now a full three years since the EU's flagship data protection regime (GDPR) came into application. So, again, there's no valid excuse to still have a horribly cynical cookie banner. It just means a site is trying its luck by breaking the law.

There is another reason to expect cookie consent enforcement to dial up soon, too: European privacy group noyb is today kicking off a major campaign to clean up the trash fire of non-compliance -- with a plan to file up to 10,000 complaints against offenders over the course of this year. And as part of this action it's offering freebie guidance for offenders to come into compliance.

Today it's announcing the first batch of 560 complaints already filed against sites, large and small, located all over the EU (33 countries are covered). noyb said the complaints target companies that range from large players like Google and Twitter to local pages "that have relevant visitor numbers."

“A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button,” said noyb chair and long-time EU privacy campaigner, Max Schrems, in a statement.

“Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than 15 common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page,” he added. “We focus on popular pages in Europe. We estimate that this project can easily reach 10,000 complaints. As we are funded by donations, we provide companies a free and easy settlement option -- contrary to law firms. We hope most complaints will quickly be settled and we can soon see banners become more and more privacy friendly.”

To scale its action, noyb developed a tool that automatically parses cookie consent flows to identify compliance problems (such as no opt-out being offered at the top layer; or confusing button coloring; or bogus "legitimate interest" opt-ins, to name a few of the many chronicled offences); and automatically create a draft report that can be emailed to the offender after it's been reviewed by a member of the not-for-profit's legal staff.

It's an innovative, scalable approach to tackling systematically cynical cookie manipulation in a way that could really move the needle and clean up the trash fire of horrible cookie pop-ups.

noyb is even giving offenders a warning first -- and a full month to clean up their ways -- before it will file an official complaint with their relevant DPA (which could lead to an eye-watering fine).

Its first batch of complaints is focused on the OneTrust consent management platform (CMP), one of the most popular template tools used in the region -- and which European privacy researchers have previously shown (cynically) provides its client base with ample options to set noncompliant choices like pre-checked boxes … Talk about taking the biscuit.

A noyb spokeswoman said it's started with OneTrust because its tool is popular but confirmed the group will expand the action to cover other CMPs in the future.

The first batch of noyb's cookie consent complaints reveals the rotten depth of dark patterns being deployed -- with 81% of the 500+ pages not offering a reject option on the initial page (meaning users have to dig into submenus to try to find it); and 73% using "deceptive colors and contrasts" to try to trick users into clicking the "accept" option.

noyb's assessment of this batch also found that a full 90% did not provide a way to easily withdraw consent as the law requires.

Cookie compliance problems found in the first batch of sites facing complaints. Image Credits: noyb

It's a snapshot of truly massive enforcement failure. But dodgy cookie consents are now operating on borrowed time.

Asked if it was able to work out how prevalent cookie abuse might be across the EU based on the sites it crawled, noyb's spokeswoman said it was difficult to determine, owing to technical difficulties encountered through its process, but she said an initial intake of 5,000 websites was whittled down to 3,600 sites to focus on. And of those it was able to determine that 3,300 violated the GDPR.

That still left 300 -- as either having technical issues or no violations -- but, again, the vast majority (90%) were found to have violations. And with so much rule-breaking going on it really does require a systematic approach to fixing the "bogus consent" problem -- so noyb's use of automation tech is very fitting.

More innovation is also on the way from the not-for-profit -- which told us it's working on an automated system that will allow Europeans to "signal their privacy choices in the background, without annoying cookie banners."

At the time of writing it couldn't provide us with more details on how that will work (presumably it will be some kind of browser plug-in) but said it will be publishing more details "in the next weeks" -- so hopefully we'll learn more soon.

A browser plug-in that can automatically detect and select the "reject all" button (even if only from a subset of the most prevalent CMPs) sounds like it could revive the "do not track" dream. At the very least, it would be a powerful weapon to fight back against the scourge of dark patterns in cookie banners and kick noncompliant cookies to digital dust.
