European Union: The Cookie Crumbles? EU Advocacy Group Files 226 Complaints Alleging Cookie Consent Violations

Specifically, the group is alleging that websites are commonly using deceptive cookie banners that do not adhere to the GDPR's express consent requirements.

In early August, the European Union data protection advocacy group None of Your Business ("NOYB") filed 226 complaints with 18 different EU authorities against websites using the widely popular OneTrust cookie consent management platform. Importantly, NOYB signaled that it was not done and that it would be making similar complaints for users of other popular cookie consent management platforms.

The alleged violations include: (1) there is no "reject" button in the pop-up or banner; (2) the "accept" option was pre-selected for the user; (3) deceptive link design (e.g., no button options for the user); (4) deceptive button colors or contrast (e.g., the "accept" and "reject" button are different colors); (5) non-necessary / non-essential cookies loading prior to the user granting consent due to "legitimate interest" being claimed; (6) advertising or functional cookies being classified as essential or necessary cookies; and (7) a user's ability to opt-out not being as easy as it is to consent.

According to NOYB, the group will serve a "compliance guide" on entities it views as being in violation of the EU's General Data Protection Regulation ("GDPR") and ePrivacy Directive's consent requirements with regard to cookies. They will then grant the entity a 60 day grace period. If the entity is not in compliance within those 60 days, NOYB will then file a complaint.

EU Cookie Requirements

Under applicable EU law (including the GDPR and the ePrivacy Directive), entities must obtain a user's consent before loading cookies. Consent cannot be implied, meaning cookies cannot load prior to obtaining the required consent.

The only exception to the prior consent rule is that strictly necessary or essential cookies can be loaded prior to consent. Strictly necessary or essential cookies include those cookies that are essential for the basic operation of the website. For example, if a website has a shopping cart feature, cookies that hold items in a shopping cart are considered essential.

However, simply obtaining consent is not enough to be considered in compliance with EU legal requirements. Entities are also required to provide accurate and specific information about the data each cookie used on the website collects. Such information must be delivered to the user prior to the user granting consent, or the consent is not valid.

Additionally, and in line with the complaints filed by NYOB, entities cannot use deceptive banners or pop-ups to obtain the consent and must make it as easy for users to opt-out as it was for them to consent. With regard to making it easy for a user to opt-out, entities have generally created a conspicuously posted link to "cookie settings" similar to common practices of privacy policies or terms of use.

Cookie Consent Takeaways

Entities currently using cookie consent management platforms should review their settings and banners to ensure compliance with EU legal requirements and to ensure their banners are not mistakenly deceptive.

NYOB has indicated that more complaints are imminent, so reviewing cookie consent platform settings and ensuring compliance can mitigate against any potential compliant risk.

Additionally, entities operating and targeting the EU that also operate websites accessible in the EU that do not have cookie consent platforms in place should begin to implement such policies and procedures to ensure they are obtaining the consents necessary under EU law.

As scrutiny on cookies grow and the legal environment rapidly changes, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.