Noyb launches wave of complaints against cookie banners

The data protection organization Noyb forwards complaints to more than 500 companies in Europe and the USA that use illegal cookie banners on their websites.

The initiator and CEO of Noyb is the Austrian lawyer and data protection activist Max Schrems. His complaints to the European Court of Justice put an end to the Safe Harbour Agreement of 2000 and the Privacy Shield of 2016. The "Schrems I" and "Schrems II" rulings are now considered milestones in the field of data protection. With the current wave of complaints, Schrems is taking action against the widespread non-compliant cookie banners on the websites of large companies.

Cookies are small data packets that are generated by browsers and websites and stored on end devices. There they collect user-related information and make it available to website operators. They can use this information to compile statistics, draw conclusions about the surfing behavior of website visitors and create user profiles that can be used for targeting activities.

My privacy - None of your business

Noyb is an acronym for "none of your business". The organization provides information about its various projects on its website www.noyb.eu. It has currently set itself the task of taking action against unlawful cookie consent requests. This is because anyone who wants to refuse consent to the setting of cookies and thus to the collection of corresponding data is sometimes confronted with confusing cookie banners. Illegal banners, as Noyb criticizes. In many cases, users cannot simply agree to or reject data tracking with a single click, as required by the GDPR. Instead, they are forced to navigate through complicated data protection settings and make individual settings manually on subpages. Misleading color coding of buttons and text can deceive users and thus induce them to give their consent - even unintentionally. According to Noyb, this violates the GDPR (General Data Protection Regulation).

Using software developed for this purpose, Noyb can detect illegal cookie banners and automatically generate complaints. Up to 10,000 complaints are to be produced in this way, which are initially sent to the operator of the respective website as an informal email. Affected companies then have one month to adapt their cookie banners accordingly before a formal complaint is made to the responsible authority, which can then theoretically impose a fine of up to 20 million euros. Noyb does not earn any money from these complaints; unlike traditional warnings, the companies concerned do not incur any costs. Noyb is financed exclusively by donations from its approximately 4,000 members.

What does the future hold?

Noyb's action is aimed at larger companies and will lead to a certain injustice: Companies that are not reported to the authority are generally not subject to prosecution. Affected companies will probably have to adapt their cookie banner, which will lead to major disadvantages in online marketing. In practice, there is currently a threat of an arbitrary division between companies that come to the attention of the authorities as a result of the action and those that continue to use a cookie banner that is not fully compliant with the law in a certain gray area.

However, at the latest when the new TTDSG comes into force at the end of 2021, it is likely that the data protection authorities will increase controls and a strictly legally compliant cookie banner will become the standard.

It remains to be seen whether the "cookieless" tracking method will enable user tracking without annoying cookie banners in the future: the fingerprinting, eTags and authentication cache technologies currently used here also require the user's consent.

With Google Analytics 4 (GA4), Google is making great efforts to present its new technology in a data protection-compliant light and is touting "cookieless" tracking and anonymized IP addresses. On closer inspection, however, it remains a transparent user and a deceptive package that cannot be used in compliance with data protection regulations without the user's consent.

It remains to be seen whether there really will be new technologies and approaches from companies in the future that will enable tracking without cookies and without annoying banners and at the same time can be used in compliance with data protection regulations without active consent.

Subscribe to the newsletter

and always up to date on data protection.

Read more articles

ChatGPT soon with age check: protection or surveillance?

ChatGPT soon with age check: protection or surveillance?

September 23, 2025
Data disaster at Meta? Billion-euro class action lawsuit gets underway!

Data disaster at Meta? Billion-euro class action lawsuit gets underway!

September 23, 2025
Misleading advertising and data protection violations: ImmobilienScout24 loses in court

Misleading advertising and data protection violations: ImmobilienScout24 loses in court

September 16, 2025