Another victory for decentralized law enforcement: For failing to follow local (and pan-EU) cookie consent laws, France’s data protection agency has levied headline-grabbing fines on Facebook and Google.
Following examinations into how they display monitoring choices to users of google.fr, youtube.com, and facebook.com, the CNIL penalised Google €150 million ($170 million) and Facebook €60 million ($68 million) for breaking French legislation.
After receiving a number of complaints, the regulator stated it was taking action.
It was discovered that the pair do not provide an option for users to refuse non-essential cookies as easily as they do for them to allow all tracking, which is a clear violation of EU and French legislation.
In other words, the tech behemoths were attempting to coerce consent through the use of deceptive dark patterns.
Here’s an excerpt from the CNIL’s press release to illustrate the point:
“…the company’s information is unclear because, in order to refuse the deposit of cookies, Internet users must click on the “Accept cookies” option in the second window. It was thought that such a term would inevitably cause confusion, and that the user could get the impression that they can’t refuse the deposit of cookies and that they have no control over it.
According to the restricted committee, the ways of obtaining consent presented to users, as well as the lack of clarity in the information provided to them, are in breach of Article 82 of the French Data Protection Act.
“If consent is claimed as the legal basis for processing people’s data under EU legislation, there are severe rules that must be followed – consent must be informed, precise, and freely supplied in order to be lawfully gained.”
Meanwhile, long-running complaints against Facebook and Google over similar problematic consent issues have languished on the desk of the Irish Data Protection Commission (DPC), which acts as a quasi-centralized enforcer for most of big tech under the EU’s General Data Protection Regulation (GDPR)’s one-stop-shop (OSS) mechanism.
As the OSS encourages forum shopping — and Ireland’s low corporate tax economy appears only too happy to oblige client corporates with low resolution regulatory oversight — the DPC has been accused of dragging its feet on GDPR oversight of tech giants and creating a bottleneck for effective enforcement of the regulation.
Notably, the CNIL is pursuing Facebook and Google on an older piece of EU legislation, the ePrivacy Directive, which delegated authority to national authorities in their respective jurisdictions. Despite the OSS and Irish GDPR blockade, the French continue to discover innovative solutions to implement GDPR data protection regulations on a national level.
The irony here is that, as we previously revealed, Google and Facebook were active in regional lobbying attempts to delay a planned update to the ePrivacy Directive, which would have replaced it with a law.
Despite being introduced in 2017, the ePrivacy Regulation has yet to be implemented! As a result, there are contradictions in EU law. However, under the ePrivacy Directive, Member State-level agencies such as the CNIL are free to implement ePrivacy standards inside their respective jurisdictions, keeping decentralised power to penalise big tech on its home territory. So, apologies! In France, at least, this has proven to be a costly blunder for Facebook and Google.
On this front, France’s regulator has been particularly active, fining Google €100 million in December 2020 for dropping tracking cookies without consent. At the same time, it fined Amazon €35 million for the same issue.
The CNIL was also able to get an early GDPR fine against Google, all the way back in 2019, before the company realised its legal exposure and switched the legal entity handling EU users’ data from the US to Ireland so that its regional business would fall under the DPC’s ‘less muscular’ oversight.
Despite a number of very serious and long-running complaints lodged against it, including around coerced consent, location data, and adtech, Google has yet to face a single consequence under GDPR outside of Ireland.
Complaints are piling up not only against tech giants for systemic breaches of EU data protection law and the DPC for its embarrassingly poor enforcement record — and even for alleged corruption, as in a recent charge against Ireland — but also against the European Commission, which is accused of failing to monitor GDPR enforcement at the Member State level.
Late last year, the Commission intervened verbally in favour of centralised enforcement by the EU executive, telling data protection agencies that GDPR enforcement must become “effective” quickly or DPAs’ powers will be taken away.
At the same time, the Commission slammed Google and Facebook, accusing them of preferring legal manoeuvring above true adherence to the bloc’s privacy laws, with commissioner Vera Jourová warning: “It is high time for those corporations to take personal data protection seriously. I’m looking for complete compliance, not legal gimmicks. It’s time to stop hiding behind small print and face the difficulties squarely in the face.”
Despite taking a few potshots, the Commission appears to be hesitant to intervene and penalise Ireland. As a result, Member States like France have been left to convey the case in a different way, namely by having their enforcement authorities demonstrate that enforcement is not just conceivable but also occurring.
(See, for example, France’s competition watchdog pursuing action against Google.)
In addition to today’s headline-grabbing fines, the CNIL has ordered Facebook and Google to change how they present cookie choices to users in France, giving the two companies three months to “guarantee their freedom of consent” by providing local users with a method of refusing cookies that is as simple as the existing method of accepting them.
If the corporations do not comply with the order, they will face further penalties of €100,000 per day of delay.
For a long time, the CNIL has focused its attention on cookie consents.
Websites had until March 31, 2021 to comply with new cookie guidance that the regulator published in October 2020. Since the end of March, it claims to have issued roughly 100 “corrective measures” (also known as directives and punishments) for non-compliance with cookie legislation.
Ireland likewise amended its cookie guidance in April 2020, stating that it will give websites and data controllers six months to comply before initiating any enforcement action.
However, the DPC has once again demonstrated that it is all talk and no action, failing to issue any public punishments against commercial firms for cookie consent violations (and certainly nothing against Facebook or Google on this front).
Late last year, a DPC verdict against Facebook-owned WhatsApp focused on transparency violations.
After involvement by other EU DPAs and the European Data Protection Board, the final penalty for WhatsApp — $267 million — was significantly increased; Ireland’s original judgement had only indicated a punishment of up to €50 million. Meanwhile, Facebook is attempting to avoid the penalties by filing an appeal.
“We are examining the authority’s decision and are committed to collaborating with appropriate authorities,” a Meta/Facebook representative stated when asked about the CNIL’s reprimand for false cookie consents. “We continue to build and improve our cookie consent controls to give people more control over their data, including a new settings menu on Facebook & Instagram where people can return and manage their preferences at any time.”
The tech behemoth also referred to an announcement it made in September of last year about an update to its local “cookie controls,” in which it stated that it would give Europeans “a more granular level of control over their cookie choices and more information on what we use different kinds of cookies for, including what information we receive from other apps and websites.”
“This work is part of our continuous efforts to give consumers more control over their privacy and align with growing privacy standards, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD),” the company explained at the time.
Whatever tweaks Facebook made at the time, the French do not appear to have been impressed.
Google had not reacted to a request for comment on the CNIL’s sanction at the time of writing, but we’ll update this post if we do.
“People trust us to respect their right to privacy and keep them secure,” a Google spokeswoman stated. “In light of this ruling under the ePrivacy Directive, we recognise our obligation to protect that trust and have committed to further improvements and active collaboration with the CNIL.”