Max Schrems, the renowned privacy activist, is making headlines again. In recent days the privacy group Noyb (an abbreviation standing for “none of your business”), which is led by Mr Schrems, has reportedly submitted a large number of complaints to many companies protesting that such companies make it difficult to opt-out of tracking cookies.
Cookies are small amounts of information that are downloaded on to certain equipment of users, such as smart phones and laptops, when users visit websites and use other online services. They let such websites and services identify users’ devices and collect and keep certain information about users’ activities and preferences. Cookies can be used for many different reasons, including third-party advertising tracking.
Both EU law (the EU General Data Protection Regulation (EU GDPR) and the EU Privacy Directive 2002/58/EC (ePrivacy Directive)) and the equivalent UK law require those organisations which set cookies, such as website operators and app developers, to inform website users about cookies (and similar technologies) that are being used. They must explain to users what the cookies do and why by providing users with clear and comprehensive information in clear and easily available language and must also obtain users’ consent to store cookies on their devices (other than in respect of essential cookies and certain other cookies used for communication purposes).
The central issue highlighted by Noyb’s complaints appears to concern consent to the use of cookies. For such consent to be deemed valid, it must be freely given, specific and informed and must involve an unambiguous deliberate action of some kind (e.g. checking a box). To make sure that consent is freely given, users should be given the option to deactivate non-essential cookies in a simple way. Operators of websites and other online services must give users control over any non-essential cookies and continue to allow users to use their websites if they don’t agree to the relevant cookies. Users must also be able to withdraw their consent easily at any time.
Noyb is apparently objecting to many cookie consent mechanisms on the basis that they render it “extremely complicated to click anything but the ‘accept’ button”, with some of the targeted websites making it time consuming to refuse consent to numerous marketing partners or emphasising “accept all” options over other options (such as “reject” options).
Noyb has reportedly issued draft complaints to 10,000 of the most popular European websites, but plans to submit full formal complaints with the relevant enforcement authorities if the companies that operate such websites fail to ensure compliance within a month. Noyb’s aim is to ensure the introduction of straightforward "accept" or "reject" options regarding the use of cookies on larger numbers of websites.
Given Mr Schrems' previous victories in various GDPR-related legal disputes, it will be interesting to see what impact Noyb’s complaints will have regarding cookie consent mechanisms and whether ultimately these will result in a change in the behaviour of providers of websites and other online services and/or increased regulatory enforcement action from relevant data protection supervisory authorities.
Website operators may want to take this opportunity to review their cookie notices, policies and consent mechanisms to make sure that they are complying with the relevant rules in case this becomes an area of increased regulatory scrutiny.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.