Privacy lobbyist group NOYB (None of Your Business) seems to be stirring up quite a bit of fuss with its automated cookie infringement web crawler. This online tool can detect infringements of cookie regulations across Europe, and it seems to be so successful that even the EDPB has realized it should be better prepared for the expected flow of complaints. To coordinate this, the European Data Protection Board has just set up a Cookie Task Force to ensure coordinated action by the various European data protection authorities.
None of Your Business?
NOYB is the interest group or pressure group of Austrian Max Schrems. We know the latter, of course, as the man who single-handedly brought down the Safe Harbor principle and – only last summer – the Privacy Shield before the European Court of Justice, thereby placing a bomb under the exchange of data with the United States.
NOYB has built a reputation in recent years as the pit bull of privacy law. They actively campaign throughout Europe against the aforementioned Privacy Shield, against infringements of the cookie legislation, against the use of tracking IDs on smartphones by parties such as Google, against the mandatory creation of accounts to buy or use goods or services online, … Their actions consist of petitions and awareness campaigns, but also of complaints to different data protection authorities and of lawsuits and class actions in different EU Member States.
European web crawler detects cookie infringements
Since last summer, NOYB has been running a project in which it systematically scans websites in all EU Member States to detect infringements of the (local) cookie rules and then sends complaints to the competent authorities in a fully automated manner. Finding those infringements is actually not even that hard, since somewhere between 60 and 90% of European websites do not comply with the cookie regulations…
In a first wave, NOYB filed 560 complaints this summer, including several against Belgian companies. Some of our own clients – who had obviously not consulted us for cookie advice beforehand – were also “lucky” to be amongst the ones contacted by NOYB. That first wave was the prelude to an announced action against at least 10,000 websites across Europe in the course of 2021 and 2022…
European Task Force
The European Data Protection Board (EDPB) is the umbrella supervisor that monitors and coordinates the work of the various national data protection authorities. At its last monthly plenary meeting, the EDPB decided to set up a “cookie banner task force” specifically to coordinate the response to the cookie complaints filed by NOYB with various EU data protection authorities. The task force must ensure consultation and cooperation between the Member States and the development of best practices. In its press release, the EDPB refers explicitly to NOYB’s automatic scans and complaints.
This coordination is more than welcome. Despite being based on an EU directive, cookie rules and the way that they are interpreted and applied throughout the EU continue to vary considerably between Member States. For example, using Google Analytics cookies in the Netherlands does not require prior opt-in. Using those same cookies without opt-in in Belgium, Germany or Spain can lead to a fine of several thousand euros. At the request of the entire Belgian digital industry, Sirius Legal raised this issue with both the Belgian Data Protection Authority and the State Secretary for Digitization earlier this year.
Is your website cookie compliant?
The basic rule may be simple, but digging further, one will quickly notice that cookie regulations can be quite complex. That is also the reason why at Sirius Legal we have written an entire book about cookie compliance.
Very often we notice that companies themselves do not know, or have no control over, the cookies, fingerprints or other trackers on their website; that third parties such as social media platforms place unsolicited cookies via the website; that companies do not know what data is collected via their website, what that data is used for and with whom it is shared; or that companies cannot provide the necessary transparency about all of this to the visitors of their website.
Things often go wrong from a technical perspective as well and it can be a challenge for companies to select the best cookie consent management platform and to set it up to work correctly.
This is exactly why, together with digital performance marketing agency Grava, Sirius Legal has developed a “cookiescan” service that combines both the legal and technical aspects of cookie compliance in Belgium and throughout Europe.