Monday 4 October 2021

EDPB creates cookie banner taskforce

Last week European Data Protection Board (EDPB), which is a body that represents European data protection authorities (DPAs), decided to establish a cookie banner taskforce. Why? Because of 422 complaints filed with ten different DPAs by a non-profit organization None of Your Business (NOYB), founded by Max Schrems. Responding to all these complaints certainly requires coordinated action in order to ensure uniform application of GDPR across the EU, as well as to support DPAs and to facilitate communication between them. Hopefully, this will also accelerate national proceedings and provide better consumer protection in the context of cookies and data processing. 

Cookies and other tracking technologies have attracted the attention of some authorities in recent years. Some of them have adopted guidelines or FAQs (see for example Spanish DPA guidelines or French DPA guidelines and recommendations). The issue is important because in many cases the use of cookies is not in compliance with the GDPR, especially when it comes to providing information about them, collecting consent to data processing or allowing the withdrawal thereof. Not to mention that cookie banners can be annoying and rather discourage people from reading complex cookie policies. This is why NOYB analysed several thousand websites available in the EU to identify the most common breaches and then filed complaints where necessary. But firstly, letters notifying the infringements were sent directly to the site controllers. What’s interesting, based on NOYB statistics - 42% of all violations were remedied within 30 days. This is not a bad result, but certainly falls short of expectations. The most frequent violations include, inter alia: no option to reject cookies on the first layer, pre-ticked boxes, lack of possibility to withdraw consent as easily as it was given and using a deceptive contrast or color for the „reject button”. 


What do the violators say? According to an informal feedback that NOYB received, the companies usually fear that if they comply with the requirements they risk falling behind their competitors. Some of them also prefer to wait for a clear explanation from the DPAs before complying. 


In other words, the question remains the same - how to have your cake and eat it too?