by belorn 1837 days ago
The GDPR already explicitly forbids 95% of the cookie banners out there, but large companies decided to ignore it and simply face the fines if they ever arrive in some hypothetical future. The rest of the industry followed.

Until the law that defined informed consent actually gets enforced, a new law cannot really fix it unless the regulators start to add the threat of jail time for repeat offenders.

4 comments

> but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive.

This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

Moreover, some of the worst offending cookie banners are slowly being replaced by better ones as more and more organizations (such as noyb) file official complaints and companies get fined.

> This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

You are wrong. The initial fine is much, much lower and companies have so long to dabble in wilful ignorance that it is at the moment not something that has teeth. Companies are like bullies, they don't respect threats - only harm.

> initial fine is much, much lower and companies have so long to dabble in wilful ignorance

Another diluent: the maximum fine is practically the lesser of 2% and the NPV of business in that European country, or, expansively, in Europe. If you have little business in Europe, it’s cheaper in some cases to simply close shop.

I'm pretty certain an actual fine (not ceasing operations) has a limit of max(10M€, 2% worldwide revenue of previous year) and double if you're antithetical to GDPR. Also, it's per infringement and isn't a yearly free pass to continue once you're fined.

Companies are not doing much because enforcement is lacking, and in case you get caught, most fines are in the neighborhood of reasonable rather than instant liquidation.

[0] https://noyb.eu/en/irish-dpc-handles-9993-gdpr-complaints-wi...

GDPR says:

> Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (emphasis mine).

As for the absolute sum, there is no limit.

It obviously doesn't scare them enough, even if it should in theory.

A standardised protocol approach might make enforcement easier. It would make it a lot more clear-cut whether someone was infringing or not.

Automated enforcement is already easy if there were willingness to do it. The majority of non-compliant cookie banners use a handful of libraries and/or third-party services such as TrustArc, so detecting these with a web scraper is trivial.

Noyb - one of the organisations behind this proposal - has started contacting the operators of non-compliant websites,[0] as the first step in forcing them towards compliance.

If they change their ways then good; if not, Noyb has a much more solid case when making a complaint to the SAs and/or the courts.

[0] https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

I mean, a good first step would be to start fining companies 2% of the revenue. Especially Google. And then maybe automate the GDPR fines, because it's definitely possible to identify that a site puts up a non-compliant banner.

No need to add the threat of jail time, _especially_ if it isn't enforced.

2% of revenue while stalling the GDPR process and taking it to court for 10 years makes it only 0.2% ;)

Even so, it would be 0.2% per EU country, right? Because the legislation is transposed into member states' legislation. I doubt that anybody would really want to fight (& risk losing) in even 5 member states per year...

That would be 2% each year for ten years of infringement though, and very expensive lawyers to pay for at least that duration.