Consumer rights groups in Europe are accusing the advertising giant of deceptive design around the account creation process that they say steers users into agreeing to extensive and intrusive processing of their data
The tech giant uses user consent to profile account holders for ad targeting purposes. The EU's flagship data protection law, the General Data Protection Regulation, bakes in a requirement for privacy by design and default, as well as setting clear conditions about how consent must be gathered for it to be lawful.
If deceptive design is tricking users into accepting its tracking.
The design choices the tech giant deploys around account creation make it easier for users to agree to their data being used to target them with ads.
The Web Foundation is taking on deceptive design
The complaints show how more privacy-friendly options require users to take five steps and ten clicks, whereas it offers a one-click option.
They pointed out that consumers don't have the option to turn all tracking off in one click, as well as that they need to create an account to use certain products.
The tech giant still presents skewed options nudging consumers to agree to its tracking of them in other cases.
Regardless of the path the consumer chooses, data processing is un- transparent and unfair, with consumers' personal data being used for purposes which are vague and far reaching.
The European Consumer Organisation is coordinating the complaints.
The complaints have been filed by organizations in France, the Czech Republic, Norway, Greece and Slovenia.
While consumer groups in the Netherlands,Denmark and Sweden have written to their national DPAs to alert them to the practices, a German member of the vzbv has written a warning letter to Google.
The deputy director of BEUC commented on the action.
“Contrary to what Google claims about protecting consumers’ privacy, tens of millions of Europeans have been placed on a fast track to surveillance when they signed up to a Google account. It takes one simple step to let Google monitor and exploit everything you do. If you want to benefit from privacy-friendly settings, you must navigate through a longer process and a mix of unclear and misleading options. In short, when you create a Google account, you are subjected to surveillance by design and by default. Instead, privacy protection should be the default and easiest choice for consumers.”
This is not the first privacy complaint the EU consumer rights have made. It took until February 2020 for Ireland's Data Protection Commission to begin an inquiry after they raised a complaint about location data. More than 2 years have passed since that data probe began.
The DPC was expecting to submit a draft decision on the location data inquiry to other agencies in the coming months. If there is disagreement over Ireland's approach, it could take many more months to reach a final decision. A resolution of that complaint may not come this year.
The DPC has yet to make a decision on other complaints against the internet giant. It is being sued for failing to investigate a major complaint about its adtech.
It is not clear if the DPC ever opened an inquiry in the case of the forced consent complaint. In January of this year, France's data protection watchdog, the CNIL, fined the internet giant $57 million for violating data protection laws. Since there were likely decisions made in the U.S. rather than in Dublin, where the regional HQ is located, the CNIL had competence in that case.
Ireland hasn't issued a single decision against the internet giant.
The DPC doesn't enforce complaints against the tech giant.
The person said that the search engine is a repeat offenders. More than three years have passed since we filed a complaint with the Irish DPC against the location- tracking practices of the internet giant. The practices of the company have not changed in any significant way. The tech giant's practices set the tone for the rest of the market as it continues to carry out continuous tracking and profiling of consumers.
It's unacceptable that one of the biggest players ignores the law. The European Data Protection Board must support this case in order for it to be important.
There are issues around the tracking of account users that are not related to the cookie-based tracking that the advertising giant uses.
The latter process has been the subject of other EU complaints that have led to some enforcements in recent years.
The BEUC hopes that the case will lead to the launch of a procedure under the EU's cooperation mechanism, which it hopes will work more smoothly.
The Vienna declaration is the reason why BEUC is hoping for a smooth sailing now.
There is a complaint against a tech giant. There are a number of cooperation-related issues that have contributed to slowing down the investigation of the older complaint.
The team leader for digital policy at the organization told us that they expect the treatment of the complaints to be prioritised as it relates to practices by a major market. It took 6 months for the authority to be named. We expect better cooperation among the authorities in terms of checking the admissibility of the complaints, and that this is done only once by the authority which gets the complaints. We expect that closer cooperation and strategic prioritisation by the authorities will lead to a swift investigation of the complaints.
It's hard to say how fast the revised cooperation procedure will be able to deliver enforcement against the company, but we hope it takes less than three years.
The European Commission, which has been critical of adtech giants approach to compliance with EU privacy laws, recently defended slower regulatory enforcement.
In a letter to the Europeanbudsperson, the justice commissioner likened the level of complexity involved in these big investigations to antitrust cases.
” … it is important to make a distinction between cases which are relatively straightforward and do not require extensive investigations and cases which require complex legal and economic assessment or pose novel issues. Those complex cases, for instance those touching on issues relating to the business model of big tech multinational companies, might require several months or years of investigations, similarly to what happens for competition law investigations. This is particularly relevant for Ireland since many of such companies have their main establishment in this Member State.”
The authorities need time to build strong cases when it comes to complex issues. There have been problems that go beyond the time it takes to investigate these cases. A lot of the big complaints that are taking years are actually not normal complaints in that they come with a lot of legal analysis and factual evidence in order to facilitate the tasks of theDPAs. The time it takes to resolve these cases is an example of a lack of enough resources. The time it takes to investigate these cases will hopefully be reduced by strengthened cooperation and strategic prioritisation. The time it takes to investigate can't be an excuse for not taking action.
The problem of timely enforcement against Big Tech isn't being solved by BEUC. The problem of forum shopping has been caused by the one-stop-shop/lead data supervisor structure of the regulation.
The first step in stopping Big Tech is stopping thebottleneck. The decisions on the open cases need to be delivered by the DPA which has oversight over many of the Big Tech companies. Both the lead DPA and the rest of the DPAs need to be ambitious in their interpretation of the rules. The others must use their powers if the lead is not delivering the decisions. Big Tech needs to be made aware that window dressing and transparency measures are no longer necessary. They have some fundamental issues in their core business practices that need to be fixed.
It's a concern that enforcement doesn't move as quickly as market practices, and companies are changing things all the time. It is important to point out that a company tweaking and correcting something shouldn't wipe out past violations, especially if they have been going on for years and have affected millions of people. It's a very dangerous signal to send to companies. We would tell them that if they are caught, just fix it quickly and there will be no repercussions. This is not the way to go about things. The consequences ofinfringements must be known. There is no deterrent effect unless there is justice.
Google’s location tracking finally under formal probe in Europe
GDPR enforcement must level up to catch big tech, report warns