Your Options

Legal Questions

Other Practical Questions

WeComply! is a free option for controllers to comply with EU law and therefore avoid a complaints procedure before the relevant authority. Given the voluntary and informal nature of this platform, please understand that we had to streamline the process as described below.

Your Options

How can I make my banner compliant?

It is your duty as a controller to make your website and banner fully compliant with the law. Nevertheless, noyb is aiming to make this as easy as possible: To help well-intentioned controllers to quickly comply with the law and resolve the complaint before it is filed with the relevant authority, we're providing the WeComply! platform and the following guidance free of charge:

  • OneTrust
  • TrustArc
  • Cookiebot
  • Usercentrics
  • Quantcast
  • Didomi
  • CrownPeak
  • Cookie Notice & Compliance for GDPR (Wordpress)
  • CookieYes (Wordpress)
  • Other Solutions

The setup can usually be changed by anyone that has access to the admin panel of the cookie banner or consent management platform (CMP). We recommend that you provide the guidance above to the relevant person within your organization. Please understand that we cannot give you direct or personal legal advice and that you need to contact your technical or legal team to assist you if you need more information. For any additional questions, please refer to your CMP or software provider.

What happens if my website fully complies with the issues raised in the draft complaint?

When you let us know that you resolved the issues raised in the draft complaint, noyb will verify this. If you remedied all the violations, the complaint will not be filed. If any violation remains unremedied, the full complaint with all initial violations will be filed with a relevant data protection authority.

In doing so, you avoid a complaint procedure under Article 77 GDPR and a possible fine under Article 83(5) GDPR of up to € 20 Million or 4% of your annual revenue, whichever is higher.

We may scan your website in the future to see if you have rolled back the relevant improvements and become non-compliant again ("random monitoring"). Please always check the documents shared with you above to ensure that you are actually fully compliant.

What happens if my website does not remedy the issues raised in the draft complaint?

When you do not resolve the legal violations raised in the draft complaint, we will exercise our statutory right to file a complaint with the relevant data protection authority (Article 77 and 80 GDPR) and/or any other relevant authority after the expiration of the indicated deadline. We may amend the final complaint to reflect changes or add information on the lack of compliance.

Under Article 83(5) GDPR you may face a possible fine of up to € 20 Million or 4% of your annual revenue, whichever is higher. It is likely that authorities will take into account the lack of compliance with this 'pre-litigation' warning and the proposed solution as an additional factor under Article 83(2) GDPR to increase the fine.

What happens if my website partially complies with the issues raised in the draft complaint?

When you partially comply with the issues raised in our draft complaint and do not resolve the case fully, we will nonetheless file a complaint with the relevant data protection authority (Article 77 and 80 GDPR) and/or other relevant authorities as of the time when the data subject initially visited your website.

From a legel perspective, later changes do not remedy the initial violation. Partial compliance is furthermore extremely complicated to follow up with. We have therefore decided against a piecemeal approach and follow an "all or nothing" approach. We may amend the final complaint to reflect changes or add information on the lack of (full) compliance.

Under Article 83(5) GDPR you may face a possible fine of up to €20 Million (or 4% of your annual revenue, whichever is higher), but you may also raise the fact that you partly complied with the warning as a mitigating factor. It will be up to the relevant authority to take a view on whether knowingly violating the law can be offset by partially complying with the law when calculating a fine.

What happens if I change my setup but then violate the law in another way?

If you comply with our warning and settle the case, but we realize that you violate the law in another way, we will nonetheless proceed with filing a complaint with the relevant data protection authority (Article 77 and 80 GDPR) and/or any other relevant authority as of the time when we initially visited the website and/or when we noticed the additional violation.

You may face a possible fine of up to €20 Million or 4% of your annual revenue (whichever is higher), but you may attempt to refer to the fact that you partially complied as a mitigating factor for any fine. This will be up to the relevant authority's consideration.

What if I feel that noyb made an error?

No one is perfect, but we have focused on cases that clearly violate the law and had a team of GDPR lawyers work on the legal side of things.

We used sophisticated technical means to verify that the webpage indeed factually violated the law and documented the relevant data (like HTML files, data flows, configuration files, cookie data, and screenshots). Furthermore, a person visited the website and verified the accuracy of the technical analysis.

However, if you feel that we have nevertheless made a mistake, please use the 'Report error' function on the WeComply! platform and we will be happy to review any reported mistake.

Generally, we will not reply to feedback. We will only reply if we believe your feedback substantially changes the draft complaint. We will also not reply to messages outside the platform. This is because of the amount of communication and to keep all communication about your complaint in one place. It is in both our interests to not miss any communication.

What if I need more time?

The law has been applicable since 25.5.2018 and the rights of the data subject were violated when she/he visited your webpage. The GDPR has a general expectation for controllers to act "without undue delay" and in any case within one month when being confronted with a request by a data subject.

noyb therefore chose 60 days as a voluntary grace period. We anticipate that changing the settings with your CMP takes about 30 minutes. We are therefore satisfied that the duration of 60 days is more than sufficient for any controller to follow internal processes and fully comply with the law.

Please understand that we are unable to negotiate this timeline, given our limited resources and a large number of controllers we are dealing with.

Legal Questions

What is the legal basis for sending me this resolution proposal?

Under Article 80(1) GDPR noyb is able to represent a data subject that has visited your website and file a complaint under Article 77 GDPR without the need to send a warning, notice or resolution proposal to a controller.

As we are aware that many controllers are willing to comply with the law once they become aware of a possible violation, we allow for an 'easy way out': You can download the relevant documents beforehand via the WeComply! platform, rectify the problem and we will voluntarily hold back from filing the complaint as we consider the case resolved.

Such an option to informally resolve the complaint is entirely voluntary, but helps avoid costs and paperwork. This makes life easier for you, us, and the relevant authority.

Why do you think I have violated the law?

You can find all the details about the factual and legal problems that we have identified on your website in the draft complaint that is available on the WeComply! platform. Please use the login details to download the draft complaint if it was not provided to you yet.

What are "violation types"?

To simplify the process, we have identified typical violations and grouped them into "violation types". Each violation type has specific factual and legal elements and has an assigned letter. You may find that only some of these types (e.g. "C" and "F") are relevant for your case, while others are not. This is because you are either not violating the law in these ways, or we have not yet identified these violations.

Do I have to pay a fee when resolving the complaint?

No, we do not ask you to pay us to resolve this issue. In contrast to law firms and alike, noyb is a non-profit and only aims to ensure compliance with the fundamental right to data protection. We hope that our approach is not only helpful for data subjects, but also for controllers.

Does my website become fully compliant if I have complied with your requests?

Not necessarily. We have only focused on certain typical violations of the law that are easy to remedy. We highly recommend to take a critical look at your website, all the plug-ins, codes and cookies that you use. As we have seen great differences in options, you may also want to check if there is a cookie banner or consent management platform (CMP) that provides for more privacy-friendly options.

Will you file the exact version of the complaint that is shown on the WeComply! platform?

You are shown a draft version of the complaint. While we do not plan to substantially depart from the draft version, we may file an amended version of the complaint that may take into account any reported errors, any change of setup, or the fact that a controller has ignored the warning.

What legal meaning does my resolution with noyb have?

We have the right to file a complaint whenever the rights of a data subject that we represent are violated. Our resolution system is an entirely voluntary service which allows controllers to resolve a complaint without going before the relevant authority and risking high fines.

Resolving a case via our system merely notifies us that you stopped any detected non-compliant action. We will assess your feedback, the actual compliance with the law, and act accordingly.

We do not engage in a formal and legally binding settlement or alike, as there are vastly different traditions for such instruments in the EU member states.

Do you guarantee that you will not file against my website if we resolve the issues raised in the complaint?

The WeComply! platform is aimed at resolving most cases before a formal complaint procedure is initiated. We have no intention of filing a case if you show willingness to comply with the law, so you can be assured that if you are fully compliant, we will consider the case as resolved.

However, we reserve the right to take further action (e.g. in cases of only partial compliance or new forms of violations). We do not engage in a formal and legally binding settlement with you.

Which authority do you plan to file your complaint with?

Depending on local legislation, the facts of the case and language restrictions, we may file the final complaint with various data protection authorites for violations of the GDPR and/or other national authorities in charge of enforcing the ePrivacy Directive. This may be different from the authority indicated in the draft complaint and the complaint may be amended accordingly.

Other Practical Questions

Who is noyb?

"noyb - European Center for Digital Rights" is a European non-profit organisation based in Vienna/Austria (Registration Number in the Austrian registry of associations: 1354838270). Similar to consumer rights organisations, we are aimed at enforcing European data protection and privacy laws. The role of non-profit organizations like noyb is foreseen in Article 80 GDPR.

Why did noyb check compliance of banners?

Many users complain that they are confronted with cookie banners that leave them with little chance to say "no". As this seems to be a broad and systematic issue, we have taken a closer look. Our campaign aims to provide users with a real choice, and also protect controllers that fully comply with the law from unfair competition.

Why did you choose my website?

All websites have to comply with the law. We understand that some controllers may feel that another controller should have been hit first.

To make our approach as transparent as possible, we chose websites based on (1) jurisdictions, (2) the number of visits, (3) the CMP used, and (4) the detected violations. These factors have legal, technical and practical reasons.

In simple terms: we chose websites where the relevant EU law applies, where we could easily detect violations, and based on the relevant numbers of visitors.

Does noyb publish the details about individual controllers?

We run statistics and may publish aggregated and individualized reports about the (non-)compliance by controllers. We always publish such information in a fair and neutral manner.

What information do you hold about my website?

We usually scan websites multiple times over longer periods of time before and after the relevant visit for the complaint. We only use a relevant subset of the data we have generated to support our complaint. You can find this data on the WeComply! platform.

We need historic data to track violations over a longer period of time. This is for example necessary when controllers submit false, misleading or manipulated evidence in a procedure and/or only fix their problems while a procedure is pending. Such additional data is not provided on the WeComply! platform.

What languages do you use?

The default languages we use is English. For legal and administrative reasons our complaints will often be filed in German. We may translate certain documents and parts of this platform into other languages (currently German, French, Polish, Spanish and Italian).

We appreciate if you can get back to us in one of these languages, preferably in English.

As the proposal to resolve the complaint is entirely voluntary from our side, please understand that not all elements are available in all languages. Once a complaint has been filed with the relevant authority, you will be served in the language required by the applicable procedural law.

How can I best communicate with noyb?

We are a small non-profit organization. Our cost-free voluntary WeComply! platform is aimed at helping controllers comply with the law, without the need to go through a costly and time-consuming legal procedure and without the need to have a large team of case managers on our side. We therefore ask you to use the cost-free platform to communicate with us.

Please understand that we cannot engage in additional direct communication with thousands of controllers. If you send us a direct email or other message, we are unlikely to respond.

Do I get some information about the outcome of your review?

You can voluntarily provide us with an email address when you report your case as resolved. Once we have reviewed the case, we will let you know about our second analysis of your website.