Cracking down on cookies: Recent complaints and regulatory enforcement

While the rules relating to the use of cookies and similar tracking technologies in the UK and Europe are long established, it is only in recent years that we have seen a targeted focus by data protection authorities ("DPAs") to crack down on cookie-related compliance. This reaction from the regulators is partly a response to increasing complaints from data subjects and partly due to focused efforts by privacy activists calling for stricter regulation and enforcement action.

The ICO recently indicated that it is paying close attention to the use of cookies and, in particular, cookie configuration settings on websites. The ICO has also warned that this new focus will likely result in it taking action and issuing fines against organisations that fail to comply. Organisations should therefore review current cookie practices and monitor developments in this area, especially given that there are plans to increase the potential maximum fine payable for such non-compliance (as currently proposed in the new Data Protection and Digital Information Bill (No.2)).

For the purposes of this blog post, cookies and similar technologies are collectively referred to as "cookies".

Cookie complaints campaigns

Cookie complaints serve as a powerful tool for individuals to exercise their rights and hold organisations accountable for their data protection practices. While individual users have the right to submit complaints if they suspect that websites are not compliant with the law in relation to their use of cookies, NOYB (the non-profit privacy advocacy organisation founded by Max Schrems) has initiated a number of impactful "cookie complaint campaigns" to date. The main focus of these campaigns revolved around companies that had failed to provide users with the option to accept or decline cookies or a method for the user to easily withdraw consent.

NOYB has developed a tool that automatically checks for organisations that use unlawful cookie banners:

In May 2021, NOYB issued more than 500 complaints to companies using unlawful cookie banners on their websites. NOYB provided companies a one-month grace period before filing 456 formal complaints with 20 different DPAs in Europe. The campaign focused on popular web pages in Europe, with Google and Twitter being among the group of companies targeted by the initial campaign.
In March 2022, NOYB launched the second round of its action against non-compliant cookie banners. A further 270 complaints were sent to companies using unlawful cookie banners with a 60-day grace period to comply.
Subsequently, in August 2022, NOYB lodged 226 formal complaints with 18 DPAs across Europe against those companies that had failed to comply within the 60-day grace period.

The spill-over effect that such campaigns have achieved is significant, with many organisations taking proactive steps to bring their cookie banners into compliance, regardless of whether they received a complaint from NOYB or not.

Regulatory enforcement

DPAs across Europe have seemingly responded to the increasing complaints from data subjects and privacy activists by increasing regulatory enforcement action in relation to unlawful cookie practices. We have set out below a summary of the recent fines issued by various DPAs across Europe.

Criteo	On 15 June 2023, the French DPA ("CNIL") imposed a fine of €40 million on Criteo (an online advertising company) for various data protection breaches. In particular, the CNIL investigation found that Criteo had failed to comply with its obligation to verify and demonstrate that its partners had obtained valid consent from internet users to the placing of Criteo tracker cookies for the purpose of providing targeted advertising on Criteo partner websites. In particular, it was noted that Criteo did not include any requirements in its contracts with partners to collect valid consent from users, nor had Criteo taken any steps to audit potential partners before contracting with them.
KG COM	On 15 June 2023, the CNIL imposed a fine of €30,000 on KG COM (an operator of several websites offering clairvoyance readings) for violating French data protection laws relating to cookies. In particular, the website did not have a cookie banner, and cookies were deposited on users' devices without their consent upon entering the website. Although an information banner was later set up, it did not provide an easy option for users to refuse cookie placement.
Apple	On 29 December 2022, the CNIL imposed a fine of €8 million on Apple for failing to collect consent of French iPhone's users before depositing advertising identifiers on their terminals under an old iOS version when visiting the App Store. In particular, the advertising targeting settings on the iPhone were pre-checked by default, without users' prior consent, and users had to go through multiple steps to deactivate this setting.
TikTok	On 29 December 2022, the CNIL imposed a penalty of €5 million on TikTok for not allowing users of "tiktok.com" to refuse cookies as easily as accepting them and for not informing users in a sufficiently precise manner of the purposes of the different cookies. In this case, several clicks were required to refuse all cookies, whereas only one was required to accept them. At the same time, no sufficient information was available regarding the purposes of the cookies on either the cookie banner or in the context of the choice interface accessible after clicking on a link in the banner.
Microsoft	On 19 December 2022, the CNIL imposed a penalty of €60 million on Microsoft, in particular for not allowing its users to refuse cookies as easily as accepting them on the website "bing.com". The CNIL found that when users visited the website, cookies were deposited on their terminal without their consent, including but not limited to cookies used for advertising purposes. The CNIL also observed that there was no button allowing users to refuse the deposit of cookies as easily as accepting it. A further penalty of €60,000 a day was threatened if Microsoft failed to comply with the CNIL's order to collect valid consent of French resident bing.com users within three months.
Google	On 31 December 2021, the CNIL fined Google a total of €150 million for not allowing users of "google.fr" and "youtube.com" to refuse cookies as easily as accepting them. In particular it was noted that one button allowed immediate acceptance of cookies, while several clicks were required to refuse all cookies. It was found that this complex refusal mechanism would discourage users from refusing cookies.

Cookie Banner Taskforce

In addition to increased enforcement action by individual DPAs, the launch of the Cookie Banner Taskforce by the EDPB signifies the EDPB's intent to coordinate a response to non-compliant cookie practices. The Cookie Banner Taskforce by the EDPB was established in September 2021 in an effort to coordinate the European DPAs' responses to the formal complaints filed across Europe by NOYB in May 2021 (see above – Cookie Complaints Campaign). In January 2023, the EDPB published a report on the work undertaken by the Cookie Banner Taskforce ("Report") to encourage a consistent approach to enforcement against non-compliant cookie banners by European DPAs.

The taskforce considered the relevant provisions of the ePrivacy Directive and the EU GDPR relating to cookies and the Report sets out the common denominator approach in relation to various cookie practices agreed by the relevant DPAs:

Practices	Common denominator approach
No reject button on the first layer	On the first layer of a cookie banner, users should be given both an option to accept cookies and a button to reject cookies (as opposed to an accept button and a link to access further options).
Pre-ticked boxes	Pre-ticked boxes to opt-in to non-essential cookies in the second layer of the cookie banner is not sufficient to constitute valid consent.
Provision of information	Cookie banners should contain a clear indication on what the banner is about, the purpose of the consent being sought and how to consent to cookies.
Use of deceptive colours and contrast	The design of cookie banners should not allow for deceptive colours or designs that may encourage users to select "accept all" instead of the other available options.
Legitimate interests	It is not lawful to rely on the legitimate interests of the controller for the use of non-essential cookies instead of collecting valid consent for the use of such cookies. In addition, non-compliance with the rules on the use of cookies will result in non-compliance of any subsequent processing of personal data collected through cookies.
Inaccurately classified essential cookies	The taskforce accepted that it is difficult in practice to assess whether cookies are "strictly necessary" or essential, but referred to the criteria cited in the opinion No. 4/2012 on Cookie Consent Exemption of WP29 as useful guidance.
No withdraw icon	Users should be provided with an easily accessible way to withdraw consent, such as by including a visible icon or a link placed in a visible and standardised location.

Compliance with the taskforce's common denominator approach will ensure that users have sufficient information to make informed choices and to exercise control and manage their cookie preferences and privacy settings.

What should organisations be thinking about?

In light of the above, in particular the ICO's recent indication that it intends to pay close attention to cookie compliance, organisations should take proactive steps to review website cookie banners and to ensure compliance with applicable laws relating to the use of cookies.

Given the significant risk of enforcement action for failure to comply, we encourage organisations to take proactive steps, including to:

Review website cookie banners to ensure compliance with the law and the guidelines set out above;
Audit the cookies used on websites and take steps to accurately classify such cookies in line with recognised guidance; and
Ensure that cookie policies are accurate, up-to-date and provide sufficient information to enable users to make informed choices relating to cookie preferences and privacy settings.

Related Expertise