A Belgian regulator attempted to dismiss a cookie-banner complaint without deciding whether the banner was lawful. This is the case with Max Schrems and NOYB who I had the pleasure of meeting in person at this years IAPP Global Privacy Summit.

The European Data Protection Board has now told it to go back and examine the substance of the case.
In Binding Decision 1/2026, adopted on May 28 and published July 14, 2026, the EDPB instructed the Belgian Data Protection Authority not to dismiss a complaint against Belgian public broadcaster Vlaamse Radio-en Televisieomroeporganisatie, commonly known as VRT, on the theory that the complainant had abused the GDPR complaint process.
Instead, the Belgian authority must investigate and decide whether VRT’s cookie practices actually complied with European data protection law.
The decision does not establish that VRT’s banner was illegal. It does not impose a fine, order a redesign, or resolve the allegations about cookies and consent.
Its immediate holding is procedural.
But its significance extends well beyond procedure.
The EDPB rejected the idea that an organized privacy group’s involvement, technical preparation, repeat complaints, or deliberate testing of websites is enough to characterize a valid GDPR complaint as abusive. The decision protects the ability of individuals to receive professional assistance when documenting online tracking and challenging consent practices.
It also sends a warning to businesses hoping that cookie-banner cases can be defeated through procedural objections rather than by demonstrating that their websites obtain valid consent.
The VRT Cookie Banner Complaint
The case arose from a complaint submitted to the Austrian Data Protection Authority by an individual represented by the Austrian privacy organization NOYB.
The complaint concerned VRT’s website and alleged violations of several GDPR provisions, including the principles of lawful and transparent processing, the conditions for consent, and transparency obligations. It also invoked Article 5(3) of the ePrivacy Directive, which governs the storage of and access to information on a user’s device.
Because VRT is established in Belgium and the alleged processing was cross-border, the Belgian Data Protection Authority acted as the lead supervisory authority under the GDPR’s one-stop-shop system.
The Belgian authority prepared a draft decision proposing to dismiss the complaint. It argued that the complaint process had been constructed in a way that amounted to an abuse of the rights provided by Articles 77 and 80(1) of the GDPR.
Article 77 gives a person the right to lodge a complaint with a supervisory authority when the person believes the processing of personal data violates the GDPR.
Article 80(1) allows that person to authorize a qualifying nonprofit organization to file and pursue the complaint on the person’s behalf.
The Austrian authority objected to the proposed dismissal. It argued that the complaint should be treated as admissible and decided on its merits rather than rejected on procedural grounds.
The Belgian authority did not accept that objection and referred the dispute to the EDPB under Article 65 of the GDPR. That mechanism allows the Board to issue binding decisions when European supervisory authorities cannot agree on the disposition of a cross-border case. (European Data Protection Board)
Why the Belgian Authority Claimed Abuse
The Belgian authority’s concerns appear to have centered on the organized nature of the complaint.
NOYB has conducted coordinated cookie-banner projects involving multiple websites, volunteers, technical tools, standardized evidence, and similarly structured complaints.
The organization has publicly described campaigns targeting what it considers deceptive or noncompliant cookie banners. In 2023, for example, it announced complaints involving 15 Belgian news and broadcasting websites, including VRT. NOYB alleged that some of those websites did not offer basic controls such as a readily accessible “reject all” option or an easy method of withdrawing consent. Those remain NOYB’s allegations, not findings in the VRT proceeding. (noyb.eu)
The Belgian draft decision reportedly viewed elements of this organized process as evidence that the complaint had been artificially created.
That reasoning raised a fundamental question:
Can an individual deliberately visit a website, use technical tools to document its tracking behavior, and work with a privacy organization to bring a test or strategic complaint?
The EDPB’s answer was that those facts, without more, did not establish abuse.
The EDPB Applied a Strict Abuse-of-Rights Test
European Union law recognizes a general prohibition against abusing legal rights.
But the threshold is demanding.
The EDPB explained that establishing abuse requires both an objective and a subjective component.
The objective component asks whether the formal requirements of the law were satisfied in circumstances where the underlying purpose of the relevant rules was nevertheless not achieved.
The subjective component requires evidence of an intention to obtain an improper advantage by artificially creating the conditions necessary to claim the right.
Both elements must be demonstrated. Suspicion, disagreement with the complainant’s strategy, or the organized nature of the complaint is not enough.
The Board also warned that an overly broad application of the abuse doctrine could improperly restrict rights created by EU law, including the fundamental right to data protection and the rights to lodge and pursue complaints under Articles 77 and 80.
Accordingly, the doctrine must be applied strictly, with the authority asserting abuse carrying the evidentiary burden.
Organized Complaints Are Not Automatically Abusive
The EDPB acknowledged that NOYB had played a leading role in a coordinated complaint project.
The process reportedly involved selecting controllers based on predefined criteria and using automated or technical means to assist in gathering evidence.
The Board did not regard that structure as enough to defeat the complaint.
The represented person had validly authorized NOYB to act under Article 80(1). The complaint sought to bring an alleged infringement to a supervisory authority’s attention, provide supporting evidence, and obtain an end to the alleged conduct.
Those actions align with the purposes of Articles 77 and 80.
The EDPB emphasized that organizations such as NOYB exist specifically to help protect individuals’ data protection rights. Professional assistance in assembling a complaint is therefore not inherently inconsistent with the GDPR.
The Board also recognized the practical reality of online tracking evidence.
Website configurations can change. Cookies may appear only under certain conditions. Consent interfaces may differ by device, browser, geography, or user action. Network requests and browser storage can be difficult for an ordinary user to capture and interpret.
A person challenging a cookie banner may need to create screenshots, preserve log files, record network activity, and collect evidence at the time of the website visit. The EDPB specifically noted that some complainants may have a legitimate interest in receiving technical assistance with that process.
That point is consequential.
European data protection rights would be far less useful if individuals could only exercise them without assistance from people who understand tracking technologies, consent-management platforms, browser logs, and the GDPR.
An Enforcement Organization Can Initiate the Process
Another important issue was who first conceived the complaint.
The Belgian authority appeared concerned that NOYB, rather than the individual, may have taken the initiative in identifying the website or organizing the challenge.
The EDPB did not treat that as dispositive.
Article 80 exists because many individuals lack the expertise, resources, or time to investigate data practices and pursue regulatory proceedings on their own.
A nonprofit organization can identify a suspected compliance problem, inform an affected individual, help generate technical evidence, and offer representation. The critical question is whether the individual has validly authorized the organization and whether the complaint genuinely pursues the rights recognized by the GDPR.
The EDPB found insufficient evidence that NOYB had pursued an improper interest separate from the represented person’s interests.
It also found no showing that the complainant sought compensation or another improper financial advantage. Seeking a decision that brings allegedly unlawful processing to an end was consistent with the complaint rights established by the GDPR.
The Decision Protects Test Cases
The ruling effectively preserves a role for strategic and test litigation in European privacy enforcement.
A test case is designed not only to resolve one person’s dispute but also to clarify how a law applies to a recurring business practice.
That does not make the underlying complaint illegitimate.
European consumer, competition, employment, environmental, and civil-rights laws have long been developed through strategically selected cases. Privacy law is no different.
Cookie banners are particularly suited to coordinated review because the same design patterns appear across thousands of websites:
- An obvious “accept all” button with no equivalent rejection option
- Consent switches activated by default
- Tracking before the user makes a selection
- Multiple steps required to reject cookies
- Color and contrast designed to steer acceptance
- Vague cookie categories
- Withdrawal controls that are difficult to locate
- Consent records disconnected from actual tag behavior
- Third-party scripts added after the banner was configured
- A banner that claims to block tracking while network calls continue
Organizations may consider these design decisions minor interface choices.
Privacy groups and regulators increasingly treat them as questions about whether consent is freely given, specific, informed, unambiguous, and capable of being withdrawn.
Allowing coordinated complaints makes it more likely that recurring patterns will be reviewed consistently instead of depending on whether an individual user can perform a technical website investigation alone.
What the Decision Did Not Decide
Businesses should not misread the ruling as a final decision against VRT.
The EDPB did not determine whether VRT’s website placed cookies unlawfully, whether its consent language was misleading, or whether the banner complied with the GDPR and ePrivacy requirements.
The Board decided only that the complaint should not have been dismissed for abuse based on the evidence before it.
The Belgian Data Protection Authority must now assess the substance of the allegations and prepare a new draft decision for the other concerned authorities under Article 60(3). The EDPB expressly stated that its binding decision did not prejudge other assessments that may arise in the case or in future proceedings involving similar parties.
That distinction should appear clearly in any reporting on the matter.
VRT remains entitled to present its technical, legal, and factual defense. The Belgian authority could ultimately conclude that some, all, or none of the allegations establish an infringement.
The new decision requires an answer. It does not dictate what that answer must be.
Why Article 65 Matters
The dispute also demonstrates the importance of the EDPB’s consistency mechanism.
Under the GDPR one-stop-shop, a company engaged in cross-border processing generally deals with a lead authority associated with its main European establishment. Other authorities remain involved when people in their jurisdictions are substantially affected.
This structure was designed to reduce fragmentation while preserving the participation of relevant national regulators.
But disagreement is inevitable.
A lead authority may favor dismissal, settlement, a lower fine, a narrower interpretation, or a different corrective measure. A concerned authority may believe that approach underprotects people in its jurisdiction or conflicts with how similar cases are handled elsewhere.
Article 65 allows the EDPB to resolve certain disagreements through a binding decision.
In the VRT matter, the Board accepted the Austrian authority’s objection as relevant and reasoned. It found that an improper procedural dismissal could create significant risks for data subjects’ rights and could undermine consistent GDPR enforcement if similar cookie complaints were heard in some countries but rejected as abusive in others.
The business lesson is straightforward:
A favorable preliminary position from one national regulator may not end a cross-border GDPR matter.
Other authorities can object, and the EDPB can require a different approach.
Cookie Banner Enforcement Is Becoming More Technical
The decision reinforces the growing importance of evidence.
A cookie banner cannot be assessed only by reading its visible text.
Compliance depends on the relationship among the interface, consent signal, browser storage, tag manager, third-party scripts, and actual network behavior.
A banner may display a rejection option while tracking technologies fire before the selection is made.
A preference center may show a vendor as disabled while another script activates it indirectly.
A consent-management platform may have been configured properly when launched but fall out of compliance after marketing adds a new pixel.
A website may block cookies but still transmit personal data through server-side events, fingerprinting, local storage, URL parameters, or tracking requests that do not depend on conventional cookies.
This is why privacy organizations and regulators increasingly rely on screenshots, HTTP requests, browser logs, cookie inventories, local-storage records, consent strings, and repeat testing.
The EDPB’s recognition that complainants may need technical assistance legitimizes that evidence-driven model of enforcement.
For companies, it means a screenshot of the banner is not proof that the underlying website complies.
The Banner and the Website Must Agree
Many organizations treat cookie compliance as a visual design project.
They install a consent-management platform, choose a banner template, add links to a privacy notice, and assume the matter is finished.
The real compliance question is whether the banner controls the website as represented.
A defensible consent implementation should be able to demonstrate that:
- Nonessential technologies remain blocked before consent
- The user can reject nonessential tracking without unnecessary friction
- Categories are accurately described
- Vendors are properly disclosed
- Consent choices are transmitted to the relevant tags
- The system records what the user selected
- Consent is associated with the correct policy and banner version
- Withdrawal is as accessible as granting consent
- Changes to website technology trigger renewed scanning and review
- Geographic rules reflect the law and organizational policy
- Tags introduced through a third-party tool do not bypass blocking
- The privacy and cookie notices match actual processing
A banner that looks compliant while trackers behave differently creates a more serious problem than an unattractive interface.
It may create inaccurate disclosures and invalid consent records while giving the organization false confidence.
“Reject All” Is Not the Entire Analysis
The presence of a rejection button is important, but it does not resolve every consent issue.
A website can include “reject all” and still create risk if:
- The button is visually obscured
- The wording is confusing
- Cookies are placed before the choice
- Rejection does not stop all nonessential requests
- The preference is forgotten too quickly
- The user is repeatedly asked until acceptance
- Withdrawal requires more effort than consent
- Vendor descriptions are incomplete
- Consent is bundled across unrelated purposes
- The banner categorizes advertising tools as essential
Similarly, the absence of a separate first-layer rejection option can create significant scrutiny, especially when acceptance is immediate and refusal requires navigating several screens.
Consent validity depends on the entire experience, not one label.
Cookie Complaints Can Be Repeated at Scale
The EDPB decision should also change how organizations think about enforcement probability.
A website may receive millions of visitors without any one person bringing a complaint. That can create the impression that a problematic banner presents limited risk.
Coordinated enforcement organizations alter that calculation.
They can:
- Scan large groups of websites
- Identify recurring banner configurations
- Recruit or assist affected users
- Standardize evidence collection
- File complaints through several national authorities
- Compare regulatory outcomes
- Challenge inconsistent dismissals
- Escalate disputes through the GDPR cooperation process
- Publish the results
The cost of bringing the next complaint decreases as the process becomes more standardized.
This is similar to what has occurred in other areas of privacy enforcement. Once technical testing, legal theories, and complaint templates become repeatable, practices that once escaped scrutiny can generate many related proceedings.
The appropriate response is not to attack the legitimacy of every organized complainant.
It is to eliminate the repeatable compliance defect.
What Companies Should Do Now
Organizations operating websites in Europe should review both the visible banner and the technologies operating behind it.
Run a Fresh Website Scan
Identify cookies, pixels, software development kits, local-storage objects, session-replay scripts, analytics tools, embedded media, chat functions, and advertising technologies.
Do not rely exclusively on an inventory created when the banner was installed.
Test Before Any Choice
Load the website in a clean browser and record every nonessential network request before the user interacts with the banner.
Repeat the test across relevant regions, devices, and pages.
Test Every Consent State
Review website behavior after:
- Accepting all
- Rejecting all
- Selecting individual categories
- Withdrawing consent
- Revisiting the site
- Clearing browser storage
- Entering through a deep link
- Navigating to embedded content
Compare Interface Prominence
Acceptance and rejection should not be presented through manipulative differences in visibility, wording, size, color, or number of steps.
Verify Withdrawal
Users should be able to reopen privacy controls and change their decision without searching through a lengthy notice or account menu.
Review the Tag Manager
A correctly configured consent platform can be undermined by tags added outside its control.
Marketing, analytics, development, and privacy teams need a change-management process governing new scripts.
Preserve Evidence
Maintain consent logs, scan results, configuration history, policy versions, vendor lists, remediation records, and screenshots.
When a complaint arrives, the organization should be able to demonstrate what the website did at the relevant time.
Cookie Compliance Is an Ongoing Control
The VRT dispute illustrates why cookie compliance cannot be reduced to publishing a banner.
The banner is only the control surface.
The underlying compliance program includes technical scanning, consent orchestration, disclosure management, vendor governance, records, regional logic, testing, and continuous monitoring.
Websites change constantly. Advertising agencies add tags. Content platforms introduce new integrations. Videos, chatbots, maps, forms, and social media embeds create new data flows. Consent-platform settings are modified. Vendors change names, purposes, and subprocessors.
A banner that was correct six months ago may no longer describe or control the website operating today.
The Captain Compliance Perspective
The EDPB’s decision does not determine whether VRT violated the GDPR.
It determines that a regulator cannot avoid that question by labeling the complaint abusive without satisfying a demanding legal and evidentiary test.
That matters for every organization operating a European-facing website.
Professional representation, coordinated testing, technical evidence collection, and repeat complaints are now firmly part of the enforcement environment. Companies should expect cookie-banner claims to be supported by network logs and structured evidence rather than by a user merely stating that the banner felt confusing.
Captain Compliance helps organizations move beyond cosmetic cookie banners through continuous website scanning, automated blocking, consent records, regional configuration, vendor transparency, preference management, and ongoing detection of newly introduced tracking technologies.
The objective is not simply to display the right buttons.
It is to ensure that the website honors the choice those buttons communicate.
The Belgian authority must now return to the VRT complaint and decide the merits.
Businesses should do the same with their own banners before a complainant, regulator, or privacy organization does it for them.
Frequently Asked Questions
What did the EDPB decide in the VRT cookie-banner case?
The EDPB instructed the Belgian Data Protection Authority not to dismiss the complaint as an abuse of Articles 77 and 80(1) GDPR. The authority must assess the complaint on its merits and prepare a new draft decision.
Did the EDPB find VRT’s cookie banner illegal?
No. The decision addressed whether the complaint could be dismissed as abusive. It did not determine whether VRT’s cookie practices violated the GDPR or ePrivacy rules.
Who filed the complaint?
An individual lodged the complaint through the Austrian Data Protection Authority and authorized NOYB to represent them under Article 80(1) GDPR.
What is Article 77 GDPR?
Article 77 gives individuals the right to lodge a complaint with a supervisory authority when they believe personal-data processing infringes the GDPR.
What is Article 80 GDPR?
Article 80 allows individuals to authorize qualifying nonprofit organizations to represent them in GDPR complaints and related proceedings.
Why did the Belgian authority consider the complaint abusive?
The draft dismissal raised concerns about the organized and technically assisted manner in which the complaint had been prepared. The EDPB found that the available evidence did not establish the objective and subjective elements required to prove abuse.
Are coordinated or test complaints allowed under the GDPR?
The EDPB found that professional assistance, organized evidence collection, and representation by a nonprofit can fit within the purposes of Articles 77 and 80. Those facts do not automatically make a complaint abusive.
What happens next?
The Belgian authority must assess the underlying cookie-banner allegations and submit a new draft decision through the GDPR cooperation process.
Does having a “reject all” button guarantee compliance?
No. The website must also avoid nonessential tracking before consent, accurately honor the user’s choice, provide sufficient information, allow accessible withdrawal, and ensure that the banner reflects actual tag behavior.
How can Captain Compliance help with European cookie compliance?
Captain Compliance supports website scanning, automatic pre-consent blocking, geographic consent rules, preference management, consent logging, vendor transparency, dynamic cookie disclosures, and ongoing monitoring for new tracking technologies.
Book a demo below and get a free privacy audit with one of our IAPP privacy experts to get started.