The general public and government authorities are becoming increasingly conscientious about protecting data privacy online. In recent years, we’ve seen Big Tech companies slapped with heavy fines for some of how they handle consumer data.
In one of the most recent high-profile cases, France’s Commission Nationale de l’informatique et des Libertés (CNIL) has fined Facebook (now Meta Platforms) and Google for €150 million ($170 million) and €60 million ($68 million), respectively, due to violating E.U. privacy rules. Specifically, the data protection watchdog has found both entities guilty of not providing consumers with an easy way to opt-out of cookie tracking technology.
This is not the first time CNIL has issued massive data privacy fines against Big Tech companies. Amazon Europe Core was fined €35 million ($37 million), and Google was fined $100 million ($114 million) in December 2020 for failing to notify users of deploying cookies to their devices.
On the other hand, Italy’s Autorità Garante della Concorrenza e del Mercato (AGCM) fined Apple and Google both €10 million ($11 million) for not adequately warning new users how they would use their data for commercial purposes.
HTTP cookies are a ubiquitously-used form of online consumer tracking today. Handled by the browser, cookies collect and save information related to the user’s browsing session. This includes information like websites visited, log-in details, form entries, and more. In most cases, this information is supposed to be used to offer personalized online experiences, segment markets, and even for targeted advertising.
However, there are also concerns regarding where, why, and how this data can be used. For many, the very fact that various online entities track their information in the background like this is an unacceptable breach of privacy. At best, this information may be sold to other mavens and companies for marketing purposes without your consent. At worst, it can be leaked or stolen by threat actors to carry out attacks against data breach victims.
And, with good reasons, as Facebook alone has seen millions of user accounts compromised in data leaks.
In short, the CNIL stated in their ruling that they found Facebook and Google made it too easy to accept all cookies while making it too difficult to reject. In their own words:
“The websites facebook.com, google.fr, and youtube.com offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies.”
For example, in some cases, the user had to click multiple buttons and proceed through several steps before being able to disable cookies. In others, users would have to disable various tracking cookies one at a time, without the ability to disable all cookies with a single click.
Practices like these that often exploit human habits for self-gain are what’s typically called “dark patterns.” And, the committee set up by the CNIL to investigate these claims found it to violate Article 82 of the French Data Protection Act.
For example, in one of the more ironic cases, Facebook users would need to first click an “Accept Cookie” button to eventually reject cookies.
The CNIL judged that it must be just as easy to reject cookies than accept them. And, entities should not use these dark patterns to make consumers feel like disabling cookies is not possible.
As a result, the CNIL has given both parties three months to implement a simpler and clearer process to reject cookies. If they fail to do so, further fines of up to €100,000 per day may be issued.
References
Cookies: the CNIL fines GOOGLE a total of 150 million euros and FACEBOOK 60 million euros for non-compliance with French legislation
France spanks Google $170M, Facebook $68M over cookie consent dark patterns
