Some 560 companies across Europe received draft complaints on Monday from a digital rights advocacy group co-founded by Austrian privacy campaigner Max Schrems over what it claims is the unlawful use of cookie banners on their websites.
A number of Irish-based websites have been targeted by the group, including Ulster Bank, Virgin Media Ireland, Chill Insurance, University College Cork, TK Maxx, Ben & Jerry's, Hotpoint, Whirlpool, and MyHome.ie, a property website owned by The Irish Times.
The organisation has developed software that recognises such banners and can automatically generate complaints to data protection authorities. However, it said it would give companies a one-month grace period to comply with the EU law before filing formal complaints.
In relation to the complaints, Noyb said 81 per cent did not offer a “reject” option on the initial web page. Users had to “dive” into sub-menus to find a hidden “reject” option. Noyb also claims 73 per cent used deceptive colours and contrasts to lead users to click the “accept” option. A total of 90 per cent did not provide a way to easily withdraw consent.
“We want to ensure compliance, ideally without filing cases. If a company continues to violate the law, we are ready to enforce users’ rights,” Mr Schrems, chairman of Noyb, said.
In a statement on the Noyb complaint, a spokesman for MyHome.ie said: “Late on Sunday night we received an email setting out what was described as a draft notification of a complaint. The draft complaint appears to relate to a consent management platform on our website. We take issues like this very seriously and we have the strictest framework available – one which is recommended to publishers by the IAB (the trade organisation for digital advertising).
“The system we use to manage this service is the most widely-used platform in the market. The email we received talked about offering us an opportunity to respond to their draft complaint but no time was given for that response. Nevertheless we will review the matter further to see if any action is required.”
University College Cork confirmed it had received correspondence from Noyb and said it was “reviewing the matters raised”. Appliance firm Whirlpool and Ulster Bank are also reviewing the matter.
Virgin Media Ireland rejected the claims made.
“The design of our cookie banner takes account of the law and all guidance issued by the Office of the Data Protection Commissioner, who throughout 2020 gave extensive guidance to industry on cookie compliance,” a spokeswoman said.
The Irish Times contacted the other Irish-based organisations that received correspondence from Noyb but has not yet received comment from them on this issue.
Noyb said it intends to use its new software solution to ensure compliance of the most visited websites in Europe over time. It wants users to see simple and clear “yes or no” options on websites asking permission to store cookies.
The group said GDPR was meant to ensure internet users have full control over their data. But, it argues, being online has become a frustrating experience because of annoying cookie banners designed to make it complicated to do anything other than click on the “accept” button.
“Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3 per cent of all users actually want to accept cookies, but more than 90 per cent can be nudged into clicking the ‘agree’ button,” Mr Schrems said.
“Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible. Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.”
Noyb has delivered draft complaints to 560 websites across 33 countries. Over the course of 2021, it intends to follow up with up to 10,000 further complaints.
“We hope most complaints will quickly be settled and we can soon see banners become more and more privacy friendly,” Mr Schrems said.
In the event of a company being found to have breached GDPR regulations, fines of up to €20 million or 4 per cent of a company’s annual revenues can be issued.