European consumer rights organization noyb has filed a complaint against Google, accusing the company of misleading users about the new “Privacy Sandbox” feature in the Chrome browser.
In September 2023, Google announced the discontinuation of third-party cookie files used for aggressive user tracking online. However, according to noyb, the proposed replacement — “Privacy Sandbox” — effectively continues the same tracking practices, but now managed directly by Google within the browser.
When enabling the sandbox, users are shown a pop-up with the message “Enable ad privacy feature.” Users in the European Union are given the choice between “Enable” and “No, thanks.” Google claims that clicking “Enable” constitutes consent to tracking under Article 6(1)(a) of the GDPR. However, according to noyb, the company concealed the fact that choosing this option would activate Google’s own tracking.
Noyb believes that Google intentionally designs the wording and interface of these prompts to maximize user consent. Google employs “dark patterns” — deceptive design solutions — in the pop-up, confusing users. The pop-up suggesting to enable “Privacy Sandbox” is crafted to mislead people. Google uses terms like “protection,” “restriction,” and “privacy,” creating the impression that the feature genuinely safeguards users.
Max Schrems, chairman of noyb, stated: “Google simply lied to its users. People thought they were agreeing to a privacy feature, but they were tricked into accepting Google’s ad tracking system. Consent must be informed, transparent, and fair to be lawful. Google did exactly the opposite.”
Google’s main argument is that the new “Privacy Sandbox” is less invasive than third-party tracking systems. While this may be true, it does not exempt Google from complying with European data protection laws. Max Schrems pointed out: “If you steal less money from people than another thief, you cannot call yourself a ‘wealth protection agent.’ But that’s exactly what Google is doing here.”
Through “Privacy Sandbox,” Google attempts to fully control the analysis of its users’ online behavior: Chrome tracks all visited websites and creates interest lists such as “Student Loans,” “Lingerie,” or “Finance,” which are then shared with advertisers.
Max Schrems noted: “There is growing criticism that major tech companies are making billions from invasive ad tracking technologies. Instead of truly improving the situation, Google responds with a kind of illegal ‘privacy cover-up,’ introducing a new tracking system.”
According to Article 4(11) of the GDPR, consent must be “specific, informed, and unambiguous expression of the data subject’s wishes.” Given the highly misleading nature of the pop-up, users could not know they were actually consenting to their data being processed for targeted advertising. Instead, they were misled into thinking Google would protect their personal data. This means Google clearly did not meet the requirements for obtaining valid consent under GDPR.
Noyb demands that the Austrian Data Protection Authority (DPA) instruct Google to bring its data processing activities into compliance with the GDPR, cease processing data collected based on invalid consent, and notify data recipients to discontinue their processing. Additionally, noyb proposes that the authority impose an effective, proportionate, and deterrent fine on Google.