noyb aims to end “cookie banner terror” and issues more than 500 GDPR complaint

EDRi's member sent over 500 draft complaints to companies who use unlawful cookie banners - making it the largest wave of complaints since the GDPR came into force. "Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible."

By noyb (guest author) · June 2, 2021

On 31 May, EDRi’s member sent over 500 draft complaints to companies who use unlawful cookie banners – making it the largest wave of complaints since the GDPR came into force. 

By law, users must be given a clear yes/no option. As most banners do not comply with the requirements of the GDPR, noyb developed a software that recognizes various types of unlawful cookie banners and automatically generates complaints. Nevertheless, noyb will give companies a one-month grace period to comply with EU laws before filing the formal complaint. Over the course of a year, noyb will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe. If successful, users should see simple and clear “yes or no” options on more and more websites in the upcoming months. 

Frustrating Europe into consent. The GDPR was meant to ensure that users have full control over their data, but being online has become a frustrating experience for people all over Europe. Annoying cookie banners appear at every corner of the web, often making it extremely complicated to click anything but the “accept” button. Companies use so-called “dark patterns” to get more than 90% of users to “agree” when industry statistics show that only 3% of users actually want to agree. 

Max Schrems, Chair of noyb: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.” 

Blame it on the GDPR? Many internet users mistake this annoying situation as a direct outcome of the GDPR, when in fact companies misuse designs in violation of the law. The GDPR demands a simple “yes” or “no”, as reasonable people would expect, but companies often have the power over the design and narrative when implementing the GDPR. 

Donate to EDRi to build a people-centered, democratic digital future. Donate Now

Max Schrems: “Some companies are clearly trying everything to make privacy a hassle for users, when they have a duty to make it as simple as possible. Almost all situations in which users are confronted with data protection are designed by companies. They often deliberately make the designs of privacy settings a nightmare, but at the same time blame the GDPR for it. This narrative is repeated on hundreds of pages, so users start to think that these crazy banners are required by law.” 

Automated system to produce up to 10.000 complaints. To address this extremely wide-spread issue, noyb has developed a system that automatically discovers different types of violations. The noyb legal team reviews each website, while the system automatically generates a GDPR complaint. Companies are served with an informal draft complaint via email and even get a step-by-step guide (PDF) on how to change software settings to comply with the law. If companies choose not to change their settings within a month, noyb will however file a complaint with the relevant authority, which may issue a fine of up to € 20 Million. Further details can be found in the FAQs on our platform. 

Max Schrems: “We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights.”

Most pages violate the GDPR. Of the more than 500 pages where a complaint was issued, 81 % did not offer a “reject” option on the initial page at all. Users had to dive into sub-menus to find a hidden “reject” option. A further 73% used deceptive colours and contrasts to lead users to click the “accept” option. A total of 90% did not provide a way to easily withdraw consent.

Max Schrems: “Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than fifteen common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page.” 

First 560 websites in 33 countries got a draft complaint today. noyb started the new system today and delivered the first draft complaints to 560 websites from 33 countries, including every EU/EEA member state but Malta and Liechtenstein. Companies range from large players like Google or Twitter to local pages that have relevant visitor numbers. Over the course of the year 2021, noyb plans to follow up with up to 10.000 further complaints. The settlement is free of costs for the companies, as noyb is funding this project through donations by its around 4,000 supporting members. 

Max Schrems: “We focus on popular pages in Europe. We estimate that this project can easily reach 10.000 complaints. As we are funded by donations, we provide companies a free and easy settlement option – contrary to law firms. We hope most complaints will quickly be settled and we can soon see banners become more and more privacy-friendly.”

The article was first published by EDRi’s member noyb here.

(Contribution by: EDRi member,

  • See noyb’s Frequently Asked Questions (FAQs) on our WeComply! platform
  • The French CNIL has recently issued guidance on cookie banners and now announced to take first enforcement actions. The requirements of the CNIL are very close to the requirements of the noyb project. 
  • In a similar debate about true consent by users Apple has moved towards a clear opt-in by users when the Apple Advertisement ID is shared with an app. This neutral design lead to more than 90% of all US users deny tracking
  • noyb is working not only on cookie banners, but also an automated system that would allow Europeans to signal their privacy choices in the background, without annoying cookie banners. More on this will be published in the next weeks – so stay tuned