3 Min Read

Cookie Bite

Read more

By Eleanor Ludlam and Camila Elliot


Published 29 April 2022


European Data Protection Authorities (“DPAs”) have issued some headline grabbing cookie-related fines so far this year; on 6 January 2022, CNIL issued whopping fines of €150million against Google and €60million on Facebook (read more here) and similarly this month, Hamburg’s regulator warned Google and YouTube that their cookie banners, which collect data on users for targeted advertisements, do not comply with the transparency and consent requirements under the established by the e-privacy Directive and the GDPR.

The law requires that the rejection of cookies has to be as easy for users as the setting of cookies. Complicated user consent mechanisms will face harsh criticism from the regulators.

DPA audits

In the wake of these fines, we have seen DPAs carrying out audits on their countries’ largest e-commerce platforms to reveal how few are compliant with the European cookie laws (the ‘e-privacy Directive’ (implemented in the UK by PECR2) and the GDPR).

For example, the Latvian DPA - Data State Inspectorate (“DSI”) - launched an audit on the websites belonging to 26 of its country’s largest e-commerce platforms and found that every website violated at least one of the EU laws on cookies. The DSI found that none of the websites had adequate consent mechanisms for placing cookies in users’ browsers; a mandatory requirement under the GDPR and Latvia’s Information Society Services Act3.

The DSI has not issued any fines or other penalties at this stage, but instead adopted a “consult first” principle and served cure notices on each company with compliance deadlines of either 11 April or 12 August 2022, depending on the severity of the violation. The DSI warned that if the companies fail to correct the breaches within the deadline, they will then exercise “other powers” granted to it under the GDPR4.

A further audit of 1,000 of the largest websites in the United States found that 67% were not using cookies in compliance with EU laws. PYMNTS commented that the study revealed “43% of websites not offering users the ability to opt out of selling data, 55% failing to notify users of cookies when they visit the site for the first time, and 32% of sites containing ad trackers.”

Although the e-privacy Directive and GDPR are European laws and thus, outside the jurisdiction of the US, websites originating in the US must still modify their practices to ensure compliance if they intend to also sell goods and services to customers residing in the EU.

Round 2 for noyb

Last month, NGO noyb launched its second round of action against website operators whose cookie banners do not comply with the e-privacy Directive and has issued more than 270 draft regulatory complaints5. This follows almost one year on from noyb’s first batch of draft complaints sent in May 2021, where it claimed to have filed a total of 456 complaints with 20 different DPAs. Noyb boasts that in the first round, 42% of all violations were remedied by companies within 30 days.

Cookie compliance remains a key area of focus for regulators across Europe and should, as a consequence, continue to be high on the corporate agenda to avoid fines and action from interested third parties, such as nyob.



1European Directive 2002/58/EC
2Privacy and Electronic Communications (EC Directive) Regulations 2003
3Except cookies which are strictly necessary for the functioning of the website.