NOYB takes one step further toward ending the « cookie banner terror »
Recently, NOYB (None Of Your Business) has announced the development of an automated system that identifies and reports violations of the GDPR. In brief, as soon as the software recognises an unlawful cookie banner, an informal draft complaint is sent to European organisations. The digital publisher then has one month to comply with EU laws. Otherwise, another complaint will be submitted but this time, it will be a formal complaint to the data protection authorities (DPAs). In the long run, NOYB plans on ensuring compliance of “up to 10,000 of the most visited websites in Europe”. Last week, NOYB had already sent 560 draft complaints.
A way to stop “frustrating Europe into consent”
In the crosshairs of NOYB: publishers make it deliberately hard to opt out of tracing cookies. According to Max Schrems, this illegal practice makes the Internet user experience very frustrating.
Beyond the « cookie banner terror », it is the so-called dark patterns that are actually exposed. These patterns are responsible for the generalised consent of Internet users to share their data, either unconsciously or in a laissez-faire attitude. The definition given by Max Schrems is very clear: “developing crazy click labyrinths to ensure imaginary consent rates and deliberately making the designs of privacy settings a nightmare”. In brief, it consists of using every “trick in the book to manipulate users into giving their consent”.
IAB’s reply to NOYB
Firstly, IAB Europe recalls that the TCF establishes harmonised minimum standards to help digital publishers comply with the GDPR and ePrivacy Directive. Local DAPs, however, may have different interpretations and additional requirements based on the TCF that NOYB should be aware of in order to adjust its focus accordingly. Publishers that are complying with specific local standards must not be reprimanded.
Secondly, the IAB re examines a few points that are worth recalling:
- The reject option in a CMP is not an obligatory requirement established by the EDPB. In France, the CNIL makes this option mandatory only in the presence of the « accept all » button.
- To avoid the misuse of pre-ticked options, the TCF requires the default option to be the “no consent” option.
- Condemning the use of dark patterns, the TCF requires the CMPs to be clear and perfectly understandable by users.
- The users have to be regularly reminded of their right to withdraw their consent.
Automation at the heart of online data protection
Overall, IAB Europe welcomes this initiative, as it admits that automated tools for auditing CMP compliance are now essential to implement an effective enforcement of the GDPR.
 “Noyb Aims to End ‘Cookie Banner Terror’ and Issues More than 500 GDPR Complaints.” Noyb.eu, 31 May 2021, noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-issues-more-500-gdpr-complaints.
 Same as note 1
 Sedefov., Filip. IAB Europe, 8 June 2021, iabeurope.eu/blog/iab-europe-tcf-and-noybs-war-on-cookie-banners/.
“Noyb Aims to End ‘Cookie Banner Terror’ and Issues More than 500 GDPR Complaints.” eu, 31 May 2021, noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-issues-more-500-gdpr-complaints.
“Privacy Group Targets Website ‘Cookie Terror’.” BBC News, BBC, 31 May 2021, www.bbc.com/news/technology-57306802.
Filip. IAB Europe, 8 June 2021, iabeurope.eu/blog/iab-europe-tcf-and-noybs-war-on-cookie-banners/.