Cracking down on cookies: Recent complaints and regulatory enforcement
For the purposes of this blog post, cookies and similar technologies are collectively referred to as "cookies".
Cookie complaints campaigns
NOYB has developed a tool that automatically checks for organisations that use unlawful cookie banners:
- In May 2021, NOYB issued more than 500 complaints to companies using unlawful cookie banners on their websites. NOYB provided companies a one-month grace period before filing 456 formal complaints with 20 different DPAs in Europe. The campaign focused on popular web pages in Europe, with Google and Twitter being among the group of companies targeted by the initial campaign.
- In March 2022, NOYB launched the second round of its action against non-compliant cookie banners. A further 270 complaints were sent to companies using unlawful cookie banners with a 60-day grace period to comply.
- Subsequently, in August 2022, NOYB lodged 226 formal complaints with 18 DPAs across Europe against those companies that had failed to comply within the 60-day grace period.
The spill-over effect that such campaigns have achieved is significant, with many organisations taking proactive steps to bring their cookie banners into compliance, regardless of whether they received a complaint from NOYB or not.
DPAs across Europe have seemingly responded to the increasing complaints from data subjects and privacy activists by increasing regulatory enforcement action in relation to unlawful cookie practices. We have set out below a summary of the recent fines issued by various DPAs across Europe.
On 15 June 2023, the French DPA ("CNIL") imposed a fine of €40 million on Criteo (an online advertising company) for various data protection breaches. In particular, the CNIL investigation found that Criteo had failed to comply with its obligation to verify and demonstrate that its partners had obtained valid consent from internet users to the placing of Criteo tracker cookies for the purpose of providing targeted advertising on Criteo partner websites. Specifically, it was noted that Criteo did not include any requirements in its contracts with partners to collect valid consent from users, nor had Criteo taken any steps to audit potential partners before contracting with them.
On 15 June 2023, the CNIL imposed a fine of €30,000 on KG COM (an operator of several websites offering clairvoyance readings) for violating French data protection laws relating to cookies. In particular, the website did not have a cookie banner, and cookies were deposited on users' devices without their consent upon entering the website. Although an information banner was later set up, it did not provide an easy option for users to refuse cookie placement.
On 29 December 2022, the CNIL imposed a fine of €8 million on Apple for failing to collect the consent of French iPhone users before depositing advertising identifiers on their terminals under an old iOS version when visiting the App Store. In particular, the advertising targeting settings on the iPhone were pre-checked by default, without users' prior consent, and users had to go through multiple steps to deactivate this setting.
Cookie Banner Taskforce
In addition to increased enforcement action by individual DPAs, the launch of the Cookie Banner Taskforce by the EDPB signifies the EDPB's intent to coordinate a response to non-compliant cookie practices. The taskforce was established in September 2021 in an effort to coordinate the European DPAs' responses to the formal complaints filed across Europe by NOYB in May 2021 (see "Cookie complaints campaigns" above). In January 2023, the EDPB published a report on the work undertaken by the Cookie Banner Taskforce ("Report") to encourage a consistent approach to enforcement against non-compliant cookie banners by European DPAs.
The taskforce considered the relevant provisions of the ePrivacy Directive and the EU GDPR relating to cookies and the Report sets out the common denominator approach in relation to various cookie practices agreed by the relevant DPAs:
Common denominator approach
No reject button on the first layer
On the first layer of a cookie banner, users should be given both an option to accept cookies and a button to reject cookies (as opposed to an accept button and a link to access further options).
Pre-ticked boxes to opt in to non-essential cookies in the second layer of the cookie banner are not sufficient to constitute valid consent.
Provision of information
Cookie banners should contain a clear indication of what the banner is about, the purpose of the consent being sought and how to consent to cookies.
Use of deceptive colours and contrast
The design of cookie banners should not allow for deceptive colours or designs that may encourage users to select "accept all" instead of the other available options.
Inaccurately classified essential cookies
The taskforce accepted that it is difficult in practice to assess whether cookies are "strictly necessary" or essential, but referred to the criteria cited in WP29's Opinion No. 4/2012 on Cookie Consent Exemption as useful guidance.
No withdraw icon
Users should be provided with an easily accessible way to withdraw consent, such as by including a visible icon or a link placed in a visible and standardised location.
Compliance with the taskforce's common denominator approach will ensure that users have sufficient information to make informed choices and to exercise control and manage their cookie preferences and privacy settings.
What should organisations be thinking about?
Given the significant risk of enforcement action for failure to comply, we encourage organisations to take proactive steps, including to:
- Review website cookie banners to ensure compliance with the law and the guidelines set out above;
- Audit the cookies used on websites and take steps to accurately classify such cookies in line with recognised guidance; and
- Ensure that cookie policies are accurate, up-to-date and provide sufficient information to enable users to make informed choices relating to cookie preferences and privacy settings.