France fines Google and Facebook for pushing tracking cookies on users with dark patterns


If you ever feel like websites have turned the simple task of rejecting tracking cookies into a maze-like task that involves careful reading of multiple dialogs, then the French data protection agency is here for you. . The watchdog (CNIL) fined Google 150 million euros ($ 170 million) and Facebook 60 million euros ($ 68 million) for making the refusal of cookies too confusing by the users. Companies now have three months to change their habits in France.

With Facebook, the CNIL notes that to refuse cookies, French users must first click on a button entitled “I accept cookies ”(emphasis added). Such labeling “necessarily generates confusion”, specifies the CNIL, letting users believe that they have no choice in the matter.

With Google, the problem is the asymmetry rather than the mislabelling. The CNIL reminds that the company’s websites (including YouTube) allow users to accept all cookies with a single click. But, to reject them, they have to click on several different menu items. Obviously, users are headed in a particular direction that precisely benefits Google. (I am well aware that The edge also does not offer a one-click ‘reject all’ cookie button.)

EU law states that when citizens transmit data online, they must do so freely and with a full understanding of the choice they are making. The CNIL’s judgment is that Google and Facebook are essentially fooling their users, deploying so-called “dark patterns” – a subtly coercive UI design style – to forge consent and thus break the law. Hence the fines and the requirement that companies change the design of the cookie user interface within three months. Failure to comply with this instruction risks additional fines of € 100,000 per day, specifies the CNIL.

For anyone who is particularly interested in the details of European internet regulation (poor fools), the case is also of interest as the CNIL acts under the authority of a part of the European legislation known as the ePrivacy directive, rather than the more recently introduced general directive. Data Protection Regulation (GDPR).

More than TechCrunch, Natasha Lomas offers an excellent explanation of the reason, which I’ll do my best to condense. The problem is, GDPR enforcement goes through the data watchdog of Ireland, where many US tech companies are setting up their European headquarters. This particular agency turned out to be a bit to slow down by resolving these complaints, which – only a cynic could suggest – is an integral part of the friendly regulatory environment cultivated by the Irish state to attract US tech money in the first place.

So in order to get a quick app (or any app), France’s data watchdog turned to the old ePrivacy directive, which allows national agencies to directly monitor their own territory. It’s an effective workaround, and the CNIL has already used ePrivacy to fine Google and Amazon on similar issues. Meanwhile, as Lomas points out, Google has yet to face a single regulatory sanction from the Irish data watchdog under GDPR.

What is the result of all this? Well if you live in France you might have a slightly easier option to reject cookies from Google and Facebook in the future. Which is good, sure, but it’s far from the kind of decisive action that – if you agree with the EU’s stated desire for fractured, multi-directional data regulation – is meant to be. correct the power imbalance between tech companies and average consumers. But that’s just the way cookies crumble.


About Author

Comments are closed.