Max Schrems’ group issues fresh batch of cookie complaints

11 Aug 2022

Image: © Rawf8/

NOYB claims that websites are using deceptive designs to make it difficult for users to reject cookies, representing a breach of GDPR.

Digital rights group NOYB has lodged a new wave of 226 GDPR complaints against websites that allegedly use “deceptive” cookie settings.

The group established by privacy advocate Max Schrems lodged these GDPR complaints with 18 authorities in the EU. NOYB claims websites are using the cookie banner software OneTrust, but with “deceptive settings” that are making it difficult for users to reject the cookies.

Cookies are lines of code that a website stores in a user’s browser to track browsing activity and inform ads that are shown. A cookie banner is a notice that is displayed on websites when a user visits, to inform them of the use of cookies and to request consent to activate them.

To comply with the EU’s GDPR, websites must provide accurate information about the data each cookie tracks and its purpose in plain language before receiving consent from the user.

NOYB said in a statement that some companies use manipulative banner designs or “dark patterns” to try force users to consent to cookies.

“Deceptive cookie banner designs try to force a user’s agreement by making it insanely burdensome to decline cookies,” said NOYB data protection lawyer Ala Krinickytė. “The GDPR actually requires a fair yes/no choice, not crazy click-marathons.”

In May 2021, NOYB issued more than 500 draft GDPR complaints to companies that it said used “unlawful” cookie banners.

The privacy advocacy group said many websites it contacted have adapted their design to have clear yes and no options on cookie banners. It added that OneTrust alerted websites to adapt settings and even changed the standard settings of its software.

“We mainly saw positive feedback from websites, but also noticed a large spill-over effect,” Schrems said.

“Many websites we have not contacted yet have adapted their settings once they heard about these complaints. This shows that enforcement ensures compliance beyond the individual case.”

NOYB is now targeting the websites that have still not adapted their settings after receiving a draft complaint, bringing formal complaints to the relevant data protection authorities.

“After one year, we got to the hopeless cases that hardly react to any invitation or guidance. These cases will now have to go to the relevant authorities,” Schrems said.

“We want to ensure compliance, ideally without filing cases. However, if a company continues to violate the law, we are ready to enforce users’ rights.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic