Cookie 'banner terror’: are you in Schrems' sights?

Automated activism is here now on how compliant businesses are. Are you ready for potential tech-enabled complaints on your site's cookies?

In 1993 Tesco ran a trial of a loyalty scheme: the Tesco Clubcard. When the results of the trial of the scheme were presented to the board in 1994, the chair, Lord Ian MacLaurin, said, ‘what scares me about this is you know more about my customers in three months than I know in 30 years’.

At the time, the card seemed an innocuous way to monitor customer behaviour. But it worked. Very well indeed. Sir Terry Leahy, chief executive between 1997 and 2011, said that it was the most significant factor in Tesco’s success at that time.

Are we seeing the start of similar game-changing developments in data protection compliance?

We may well be.

Step in, in particular, non-profit organisations like noyb (‘My Privacy is None of Your Business’), led by data activist Max Schrems (yes, that Max Schrems).

Under the straplines of ‘everybody hates #cookiebanners’ or ‘cookie banner terror’, noyb announced on 31 May that it is now targeting businesses which make it difficult to opt out of cookies. Noyb has already issued draft complaints to over 500 of the most popular websites across Europe. It has also set up a portal—the ‘WeComply!’ platform—where businesses who’ve been contacted can review their case and engage with noyb on the changes that the non-profit organisation believes need to be made. Over the course of the next year noyb says it is looking to send up to 10,000 complaints.

Like the Clubcard three decades ago, noyb’s heady ambitions have been turbocharged by technology: it has developed a system that trawls websites looking for non-compliance and then flags it up to these Vienna-based privacy campaigners. Complaints are auto-generated after an tech-enabled deep review of a business’s website cookies. Noyb says that it will then give non-compliant businesses one month to change their sites.

Can a third party potentially know more about your compliance, or worse, non-compliance than you do? In a word, ‘yes’. And, as organisations like noyb are showing, they are willing to do something about it.

Although cookies may have fallen off the radar of many businesses, failure to comply with the rules, including the GDPR, could potentially result in hefty fines. The French privacy regulator, CNIL has recently been looking at cookies compliance more, giving updated guidance clarifying their use. Other regulators such as the Spanish privacy regulator, AEPD, updated their guidance last summer. While the new EU-wide ePrivacy Regulation is still being negotiated, businesses shouldn’t be lulled into a fall sense of security. Cookies haven’t fallen off the regulators’ radars.

If you’ve received such a complaint, do get in touch. In the meantime if you have any questions on cookies or would like to chat generally about them, we’d be delighted to hear from you.


This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.



Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.