Three years after the GDPR (General Data Protection Regulation) entered into force, privacy advocates are tired of waiting for it to be applied. They particularly regret that the overwhelming majority of websites still do not meet the obligation to let visitors choose whether or not to be tracked by means of small computer files called “cookies”.
The Noyb association (for “None of Your Business”) is at the forefront of this fight. Led by the Austrian lawyer Max Schrems (known for having twice brought down transatlantic data-sharing agreements for lack of sufficient guarantees on the American side), the non-profit organization has just banged its fist hard on the table.
20 million euros
On Monday, Noyb sent 560 warnings to as many large websites, which it accuses of failing to comply with the GDPR when collecting Internet users' consent to the placing of cookies. The companies targeted range from the giants Google and Twitter to local web pages with a large audience. They are located in 33 countries, including all members of the European Union with the exception of Malta.
This unprecedented salvo will be followed in a month by formal complaints to the competent national authorities, the counterparts of France's CNIL, if the publishers concerned do not change their practices, the association warned. Offenders would then be exposed to a penalty of up to 20 million euros.
To mount this large-scale offensive, Noyb used algorithms that analyzed the consent banners presented to Internet users. By the end of the year, the association wants to have run the 10,000 most visited websites in Europe through this filter.
Already, in its sample of 560 sites, more than 80% do not display a “Refuse” button. Others use various techniques (submenus, different colors, pre-ticked boxes, diverted purposes, etc.) to force the Internet user to consent.
The French CNIL on the offensive
“An entire industry of consultants and designers is developing crazy click mazes to ensure imaginary consent rates. Frustrating people until they click ‘OK’ is a clear violation of GDPR principles,” insists Max Schrems. Businesses openly admit that only 3% of all users actually want to accept cookies, but over 90% can be tricked into clicking the “Accept” button.
In France, the CNIL has also made this subject its hobbyhorse. “Refusing cookies must be as simple as accepting them”, insists the authority, which ended up publishing its guidelines on the subject last fall, warning that it would monitor and sanction non-compliance as of April 1.
Publishers, who fear losing a precious advertising windfall if they can no longer track Internet users, have largely fallen back on solutions such as the “cookie wall” (a barrier that offers payment of a flat fee as the alternative to refusing cookies), whose legality has yet to be assessed, or on unclear wording such as a “Continue without accepting” link displayed at the top of the banner, much less prominent than the “Accept” button, a model that the CNIL itself even suggested in its recommendations last September.
Despite these numerous warnings and this slow enforcement, the CNIL reaches a finding similar to that of Noyb: the GDPR, adopted in 2016, is still not respected. The French authority therefore issued formal notice at the end of May to about twenty organizations, public and private. The list could go on and on.