Where did all the “reject” buttons come from?!
More and more websites have added an option to say “no” to cookies and other tracking, as foreseen by the GDPR. Where did this trend come from?
In March 2021, noyb scanned the web for illegal cookie banners and filed more than 700 complaints across Europe. A final scan shows a detailed assessment after 1.5 years: more than 50% of the sites have improved their banners, in many cases, without noyb ever contacting them.
Background and data collection. Using specially developed software, noyb scanned more than 3,600 websites in March 2021 and collected data on whether the consent banners on these sites violated the GDPR. Based on this data, more than 700 complaints were filed against the most visited pages whose banners had GDPR violations, such as a missing "reject" button or misleading designs. This triggered a massive rethinking process among many banner software providers and websites. Default settings were changed to a more GDPR-compliant version as a preventative measure, even where no complaint had been filed.
"This wave of complaints has had a massive preventative effect. We're hearing from companies that they've already changed their stance on cookie banners after announcing our wave of enforcement - even if they haven't received a complaint themselves." – Max Schrems, Chair of noyb
This wave of complaints was accompanied by other enforcement measures by the data protection authorities; for example, the French CNIL introduced guidelines and required Google to introduce a "reject" button, which was also seen as a sign to many companies to adjust their banners and led to major measurable improvements in France.
Significant improvements. In October 2022, one and a half years later, the scan was repeated and comparison values were calculated for 1,631 websites. These show significant improvements for users: 56% of all scanned pages have changed for the better within the last one and a half years and have stopped using misleading colors for links and buttons and pre-ticked subcategories. The most frequent violation was also the most annoying: 82% (1,377) of all websites did not have a button to reject all cookies in March 2021. Users had to dive into sub-menus to find a hidden “reject” option. 574 (41%) of the scanned websites have now introduced a "reject" button after our complaint waves. The total number of cookies set has also decreased by about 10% - contrary to recent trends.
"We have seen websites change illegal designs after just a few months. After 1.5 years, you can see a change in behavior even on sites we never contacted. We see a classic general prevention effect." - Ala Krinickytė, data protection lawyer at noyb
Warning increases compliance. Of these 1,631 websites, noyb sent a draft complaint to 483 and gave them up to 60 days to fix their violations. Nearly half of all the violations were fixed in this group. More than half now have a "reject" button in place, more than 70% no longer have pre-ticked categories, and two-thirds have changed misleading colors and links.
Deterrence works. In addition to the websites that were sent complaints, other websites that were not sent a warning by noyb became more GDPR compliant. 543 of the 1,148 websites in this sample that hadn’t received a complaint improved their cookie banners. 78 are now fully compliant with the GDPR. The total number of cookies set and those containing personal data also decreased significantly.
"Most people normally abide by the law. In data protection, this isn’t always the case- but can be achieved through publicly noticeable enforcement." - Ala Krinickytė, data protection lawyer at noyb
More complaints planned. In the coming months, noyb will continue to pursue the goal of getting rid of misleading cookie banners and extend the project to sites using Consent Management Platforms (CMPs). As a next step, noyb is further developing its software to launch similar action on other privacy violations as well.
Currently, noyb is still waiting for first decisions in the complaints that were filed in August 2021, even though many of the cases have seen considerable progress. The European Data Protection Board (EDPB) has launched a task force to coordinate data protection authorities for these cases, so we can hope for a coordinated approach.
Methodology
- As of 03/24/2021, 3,672 websites using OneTrust as a CMP and exhibiting GDPR violations were surveyed.
- This scan served as the basis for the two complaint waves, whereby only the most frequently visited websites by top-level domain were investigated. In addition, complaints were also filed against 20 high-ranking sites regardless of the CMP used. All of these initially received a draft complaint and 60 days to change the settings. If the banner was not changed in compliance with the law, noyb formally filed a complaint.
- On 10/4/2022, the scan was repeated using the same principle. In the process, 2,137 web pages were found. 1,631 pages were represented in both the first and the second scan and are therefore used for this comparison. Since some websites no longer exist, use a different CMP provider or a different OneTrust version that cannot be detected by our software, the number has decreased.