France spanks Google $170M, Facebook $68M over cookie consent dark patterns – TechCrunch

Chalk up another one for decentralized enforcement: France’s data protection watchdog has fined Facebook and Google for failing to respect local (and EU) cookie consent rules.

Today, the CNIL said it has fined Google €150 million (~$170 million) and Facebook €60 million (~$68 million) for breaching French law, following investigations into how they provided tracking options to users of, and facebook.com.

The authority said it acted after receiving a number of complaints.

In apparent breach of EU and French law, it found that the pair do not offer users an option to refuse non-essential cookies that is as easy as the option they give them to accept all tracking.

So, in short, the tech giants have been using manipulative dark patterns to try to force consent.

Here’s an explanatory excerpt from the CNIL press release:

“… the information provided by the company is unclear, because in order to refuse the deposit of cookies, Internet users must click on a button entitled “Accept cookies”, displayed in the second window. It considered that such an address necessarily leads to confusion and that the user may feel that it is not possible to refuse the deposit of cookies and that they have no way to manage them.

The restricted committee considered that the proposed consent collection methods for users, as well as the lack of clarity of the information provided to them, constitute a violation of Article 82 of the French Data Protection Act.”

Under EU law, if consent is the required legal basis for processing people’s data, there are strict criteria that must be adhered to – consent must be informed, specific and freely given in order to be lawfully obtained.

Meanwhile, long-running complaints against Facebook and Google over similar consent issues continue to surface at the office of the Irish Data Protection Commission (DPC), where the one-stop-shop (OSS) mechanism of the EU’s General Data Protection Regulation (GDPR) has semi-centralized enforcement against most of big tech.

The DPC has been accused of being slow in its GDPR oversight of tech giants and of creating a bottleneck for effective enforcement of the regulation, as the OSS encourages forum shopping – and Ireland’s low-corporate-tax economy seems only too happy to oblige client companies with rigorously low regulatory oversight as well.

Notably, the CNIL is taking action against Facebook and Google under an earlier piece of EU legislation – the ePrivacy Directive – which grants jurisdiction to national agencies in their own territories. So the French continue to find innovative ways to enforce GDPR data protection standards at the national level, despite the Irish bottleneck under the GDPR’s OSS.

There is a particular irony here, as both Google and Facebook have themselves engaged in regional lobbying efforts to delay a planned update to the ePrivacy Directive – which would have seen it superseded by a regulation, as we previously reported.

The ePrivacy Regulation has still not been adopted – although it was proposed back in 2017! – which creates inconsistencies within EU law. But it also leaves member state regulators like the CNIL free to enforce ePrivacy rules within their jurisdictions, retaining the decentralized power to sanction big tech on their home soil under the ePrivacy Directive. So, er, oops! This turned out to be a rather costly bug for Facebook and Google, in France at least.

The regulator in France has been particularly busy on this front – it fined Google €100 million in December 2020 for dropping tracking cookies without consent. At the same time, it also hit Amazon with a €35 million fine over the same issue.

Earlier, the CNIL was able to impose an early GDPR fine against Google – back in 2019 – before the company realized its legal exposure and shifted the legal entity that handles EU user data from the US to Ireland, so that its regional business would fall under the “least powerful” DPC.

So far, Google has not faced a single penalty under the GDPR from Ireland – despite the number of very large and long-running complaints lodged against it, including over forced consent; its processing of location data; and adtech.

Complaints not only continue to pile up against the tech giants over systematic violations of EU data protection law, and against the DPC for its embarrassingly poor track record in enforcement – and even for alleged corruption, in a more recent indictment against Ireland – but also against the EU Commission itself, which stands accused of failing to perform its duty to monitor GDPR enforcement at the Member State level.

The Commission intervened verbally late last year – with a direct warning to data protection agencies that GDPR enforcement must become “effective” quickly, or else, it suggested, DPAs would face that power being taken out of their hands – in favor of centralized enforcement by the EU’s executive.

At the same time, the Commission also criticized Google and Facebook, accusing the tech giants of choosing legal scams rather than genuine compliance with the bloc’s privacy standards, with Commissioner Vera Jourova warning: “It is time for these companies to take personal data protection seriously. I want to see full compliance, not legal scams. It’s time not to hide behind small print, but to face the challenges head on.”

But despite some strikes being launched, the Commission appears reluctant to step in and impose sanctions on Ireland. So it has been left to member states like France to make the point another way – that is, by having their agencies make it clear that enforcement is not only possible, but also happening.

(See also: the French competition watchdog’s crackdown on Google, for example.)

In addition to the fines that made headlines today, the CNIL ordered Facebook and Google to change how they present cookie options to users in France – giving the pair three months to provide local users with a means of refusing cookies that is as simple as the current means of accepting them – “in order to guarantee their freedom of consent.”

Failure to comply with the order will mean that companies will face additional penalties – 100,000 euros for each day of delay.

CNIL has been focusing its oversight on cookie consents for some time.

The regulator had set a March 31, 2021 deadline for websites to comply with the updated cookie guidelines it published in October 2020. Since the end of March, it says it has adopted nearly 100 “corrective actions” (also known as orders and penalties) related to non-compliance with legislation on cookies.

Ireland also published updated cookie guidelines, in April 2020 – when it said it would give websites and data controllers six months to comply before taking any enforcement action.

However, the DPC has shown once again that it’s all mouth and no trousers: issuing no general penalties for cookie consent violations against commercial entities (and certainly nothing against Facebook or Google on that front).

The DPC’s decision against Facebook-owned WhatsApp that was passed late last year focused on transparency violations.

(The size of that final WhatsApp penalty – $267 million – was also significantly inflated by the interventions of other EU DPAs and the European Data Protection Board; Ireland’s draft decision had proposed a fine of only 50 million euros. Meanwhile, Facebook is seeking to evade the penalty by appealing against it.)

A Meta/Facebook spokesperson, reached for comment on the CNIL slap over its cookie consents, said:

“We are reviewing the authority’s decision and remain committed to working with the relevant authorities. Cookie consent controls give people greater control over their data, including a new settings menu on Facebook and Instagram where people can reconsider and manage their decisions at any time, and we continue to develop and improve these controls.”

The tech giant also pointed to an announcement it made in September last year about updating its local “cookie controls” – when it said it would give people in Europe “a more granular level of control over their cookie choices and more information about what we use different types of cookies for, including information we receive from other apps and websites.”

“This work is part of our ongoing efforts to give people greater control over their privacy and align with evolving privacy requirements, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD),” it added at the time.

Whatever specific changes Facebook made at the time, they didn’t seem to impress the French.

At the time of writing, Google has not responded to a request for comment on the CNIL penalty, but we will update this report if we get one.
