30.07.2021 - Reading time 10 Minutes

Wave of cease-and-desist letters from Noyb against cookie banners: what’s behind it?

The data protection organisation Noyb launches a wave of cease-and-desist letters against cookie banners. More than 500 cease-and-desist letters have already gone out and another 10,000 are to follow. 
Who is Noyb? The team around Max Schrems is by no means unknown, so this action should be taken seriously. He has already brought lawsuits against Facebook, Apple, Microsoft and more. His most famous action, however, is the lawsuit before the European Court of Justice against the then Safe Harbour Agreement. The expectation is therefore that these warnings will actually be enforced if the companies concerned do not take the appropriate steps. 
What’s behind this? Noyb says that many cookie banners are misleading and unlawfully designed. Companies are obtaining consent to tracking by fraud. Here is Max Schrems’ video of the entire action:

How should a cookie banner be designed?

In fact, it is currently assumed that most cookie banners are ineffective. As already mentioned earlier, this is due to the incorrect use/presentation of the data being retrieved. 
When are cookie banners actually necessary? Consent is always required as soon as there is no compelling reason. Since there is no catalogue of these essential cookie banners, the safest way is to obtain consent wherever the functionality is not affected by the cookie. Conversely, for you this means that as soon as the use of your service is not affected by the omission of cookies, this requires consent. For example, you can assume that all cookies that are used purely for marketing are not considered necessary.
What about the Google Tag Manager, for example? Even when cookies are not stored by the GTM, user data is still collected, which requires explicit consent. The same applies to so-called fingerprinting. Everything considered from an advertising perspective. 
The situation is different when the data is absolutely necessary, for example for transactions. No consent is required in this case.

What consent needs to be obtained now and what form may it take?

Three pieces of information are always essential when it comes to consent:
1.    Any third party providers processing the data are to be named.
2.    Users are to be informed of what data is being used for what purpose.
3.    How long the data is stored. 

Furthermore, the user is to be given the opportunity to change or withdraw their information at any time. 

What are the most common sources of error, or errors in cookie banners? According to Noyb, these are as follows: 

The aforementioned points are only a rough overview of the most common mistakes and stumbling blocks. Are you unsure whether your cookie banner is configured correctly or perhaps you have received a warning?
Then feel free to contact us, we will be able to provide quick and easy assistance.
Mail: dsb@secjur.com
Telephone: +49 40 228 599 520

Arrange a free initial meeting