Cookies Crumbling – The Rise of Cookie Litigation

Published 24 junio 2021

Well-known privacy group, nyob has issued more than 500 complaints against companies from 33 countries which, it alleges, use non-compliant cookie banners. Nyob, which stands for “none of your business” and is headed up by privacy campaigner Max Schrems, has apparently developed software which is able to recognise non-compliant cookie banners and automatically generate a complaint. It has stated that across the coming year, it will use the system to target 10,000 of the most visited websites in Europe, with a view to bringing associated cookie banners into compliance.

The rules around the use of cookies and associated cookie banners are clear and, in the UK, are set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) which are derived from European Directive 2002/58/EC, the “e-privacy Directive”. In short, companies must provide sufficient information about the cookies and obtain consent prior to setting cookies (or similar technologies) on a user’s device unless they are deemed strictly necessary (i.e. without which the website simply would not work). To be valid, consent must meet the standard set out in the General Data Protection Regulation (“GDPR”) or the UK GDPR in the UK post Brexit, that is freely given, specific and informed. There must be some form of unambiguous positive action on the part of the user – for example, ticking a box or clicking a link – and the person must fully understand that they are giving consent.

Nyob’s complaint is that the way the majority of cookie banners (the consent management module on websites that allows users to give consent) collect consent insofar as they do not present users with a simple “yes” or “no” option and instead make it difficult for users to do anything other than click “accept”, does not constitute consent that meets the GDPR standard. It is right that companies must not make it difficult for users to make a choice as to their cookie settings, and nor should organisations emphasise the “agree” or “allow” cookie option over “reject” or “block” as this constitutes “nudging” which is not compliant. However, it is not quite as simple as nyob seeks to maintain when it says users should be presented with a “yes” / “no” option.

We note that the section on nyob’s website which is dedicated to this campaign, and the associated FAQs, make no mention of the e-privacy Directive and instead the focus is on the GPDR. Whilst it is correct to say that the standard of consent required of companies derives from the GDPR, the obligation to obtain consent in the first place arises out of the e-privacy Directive (which was implemented in the UK by PECR). The UK’s data protection regulator, the Information Commissioner’s Office (the “ICO”), has previously made clear that companies should look at PECR first in relation to cookies before turning to the general rules in the GDPR. As such, it is curious that there is no mention of PECR/the e-privacy Directive in relation to nyob’s complaint.

As regards the legal basis upon which nyob is bringing these complaints, we note that it cites Article 80(1) GDPR, and states that “it is able to represent a data subject that has visited your website and file a complaint under Article 77 GDPR without the need to send a warning, notice or resolution proposal to a controller”. Article 80(1) GDPR contains what is effectively a limited form of collective redress, permitting data subjects to authorise an organisation to complain and/or seek judicial remedies against a supervisory authority, data processor or data controller on its behalf. Notably, the GDPR does not prevent multiple data subjects from authorising the same organisation to lodge their complaints and seek compensation.

Of course, no disclosure has been made by nyob as to which data subjects it represents in relation to the Article 80(1) GDPR action, but one can perhaps draw an inference from the fact they state the project is being funded through donations by its c. 4,000 supporting members, that those are the data subjects to whom they refer. Otherwise, the project would be more akin to an Article 80(2) GDPR action where an organisation may lodge a complaint with an appropriate supervisory authority independent of any mandate from data subjects (effectively an opt-out collective action), save that the organisation may not make compensatory claims in this manner. With nyob’s project, the intention is to complain to the companies direct as opposed to the supervisory authorities which is presumably why Article 80(2) GDPR has not been relied upon.

Prior to nyob’s project launch, we identified an up-tick in the number of cookies related complaints we were being asked to advise upon for clients. Although such complaints typically resolve prior to litigation being started, and whilst the damages paid to complainants is often minimal, the costs associated in defending these actions can quickly spiral. If this trend continues, and nyob’s actions trigger similar cookie projects, or indeed further individual complaints, companies would be well-advised to review their consent management tools to ensure compliance with the e-privacy Directive/PECR and the GDPR/UK GDPR, as applicable.