France spanks Google $170M, Facebook $68M over cookie consent dark patterns

France's data protection watchdog has slapped fines on Facebook and Google for failing to respect local cookie consent rules.

The French privacy authority, the CNIL, said today that it had fined Facebook and Google 60 million and 170 million, respectively, for breaching French law.

After receiving a number of complaints, the regulator acted.

The pair do not offer an option for users to reject non-essential cookies as easily as they offer for them to accept all tracking, which is a clear violation of EU and French law.

The tech giants were trying to force consent.

Here is an example from the press release.

Internet users have to click on a button to reject cookies if the information given by the company is not clear. It considered that a title like that can cause confusion and that the user may not have a way to refuse the deposit of cookies.
>
The methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of the French Data Protection Act.

If consent is the legal basis for processing people's data there are strict standards that must be followed, and consent must be given in a way that is transparent.

The Irish Data Protection Commission (DPC) has been dealing with long running complaints against Facebook and other companies over problematic consent issues.

The DPC has been accused of dragging its feet on oversight of tech giants and creating a roadblock for effective enforcement of the regulation, as the OSS encourages forum shopping, and Ireland's low corporate tax economy appears only too happy to oblige client corporates with low resolution regulatory oversight too.

The ePrivacy Directive, which gives competence to national agencies in their own territories, is one of the reasons why the CNIL is taking action against Facebook and Google. Despite the Irish and OSS blocking, the French still find ways to apply the standards.

The irony is that the ePrivacy Directive would have been replaced with a regulation if regional lobbying efforts had been successful.

Analyzing the push to freeze ePrivacy.

The ePrivacy Regulation was proposed in 2017! There are inconsistencies between EU law. The ePrivacy Directive gives Member State-level regulators the power to enforce ePrivacy rules within their own jurisdiction, but also gives them the power to sanction big tech in their home turf. So, oopsy! It has turned into a fairly expensive mistake for both Facebook and Google in France.

France's regulator fined Google 100 million dollars in December of 2020 for dropping tracking cookies without consent. It stung Amazon 35 million dollars over the same issue.

Before the company realized its legal exposure and switched the legal entity handling EU users' data from the US to Ireland, it had gotten an early GDPR fine in against Google.

Despite a number of complaints filed against it, including over forced consent, and its adtech, the company has not faced a sanction under the EU's General Data Protection Regulation.

The European Commission itself is accused of failing in its enforcement of the EU data protection law, as well as in the case of the DPC for its thin record on enforcement, and even in the case of corruption against Ireland.

My reply to the European Justice Commissioner is public. The Commission has a duty to uphold the data protection law.
His recent letter to the European Parliament is puzzling.
>
January 5, 2022.

The Commission warned data protection agencies late last year that if they didn't act quickly, they would face being taken out of their hands by the EU executive.

Commissioner Vera Jourov warned that it was high time for those companies to take protection of personal data seriously, as the Commission accused adtech giants of choosing legal tricks over genuine compliance with the bloc's privacy standards. I want to see full compliance. It is time to tackle the challenges head on.

Despite firing a few shots, the Commission appears unwilling to sanction Ireland. It has been left to Member States like France to make the point that enforcement is possible.

For example, France's competition watchdog is taking tough action against Google.

In France, the company was fined $592 million for violating antitrust order to negotiate copyright fees for news snippets.

In addition to today's headline-grabbing fines, the CNIL has ordered Facebook and Google to change how they present cookie choices to users in France, giving the pair three months to provide local users with a means of refusing cookies that's as simple as the existing means of accepting them

Failure to comply with the order will result in fines of 100,000 per day of delay.

For some time, the CNIL has been looking at cookie consents.

The deadline for websites to comply with updated cookie guidance was set in March of 2021. Since the end of March, it has adopted nearly 100 "corrective measures" related to non-compliance with the legislation on cookies.

Ireland published updated cookie guidance back in April 2020, when it said it would give websites and data controllers six months to come into compliance before taking any enforcement action.

The DPC has once again shown itself to be all mouth and no trousers, failing to issue any public sanctions against commercial entities for violating cookie consent.

A DPC decision against the company focused on transparency.

Ireland had only suggested a fine of up to 50M for the penalty, but after intervention by other EU DPAs and the European Data Protection Board, the size was increased to $267M. Facebook is appealing against the sanction.

A Meta/ Facebook spokesman said that they had not heard of the spank for cookie consents.

We are reviewing the authority's decision and are committed to working with relevant authorities. Our cookie consent controls give people more control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.

The tech giant made an announcement in September of last year about an update to its local cookie controls, which will give people in Europe more control over their cookie choices and information on what we use different kinds of cookies for.

The work is part of our ongoing efforts to give people greater control over their privacy and align with evolving privacy requirements, such as the General Data Protection Regulations (GDPR) and the ePrivacy Directive.

The changes made by Facebook didn't impress the French.

We will update this report if we get a response from the company about the sanction.

A person from the company said:

People trust us to keep them safe and respect their privacy. We understand that we have a responsibility to protect that trust and are committed to further changes and active work with the CNIL.

Europe's cookie consent is about to change.

The EU warns adtech giants over legal tricks.

Facebook's privacy supervisor was hit with a corruption complaint.