If you ever feel like websites have turned the simple business of rejecting tracking cookies into a labyrinthine task that involves close-reading of multiple dialog boxes, then France’s data protection agency has your back. The watchdog (CNIL) has fined Google €150 million ($170 million) and Facebook €60 million ($68 million) for making it too confusing for users to reject cookies. The companies now have three months to change their ways in France.
With Google, the problem is one of asymmetry rather than mislabeling. CNIL notes that the company’s websites (including YouTube) allow users to accept all cookies with a single click. But, to reject them, they have to click through several different menu items. Clearly, users are being steered in a particular direction that just so happens to benefit Google. (I’m well aware that The Verge doesn’t offer a single-click “reject all” cookie button either.)
EU law states that when citizens hand over data online, they must do so freely and with a full understanding of the choice they are making. CNIL’s judgement is that Google and Facebook are essentially tricking their users, deploying what are known as “dark patterns” — a style of subtly coercive user interface design — to wangle consent and so breaking the law. Hence the fines and the demand that the companies change their cookie UI design within three months. Failure to do so risks additional fines of €100,000 per day, says CNIL.
For anyone particularly interested in the details of European internet regulation (you poor fools), the case is also interesting in that CNIL is acting under the authority of a bit of EU legislation known as the ePrivacy Directive, rather than the more recently-introduced General Data Protection Regulation (GDPR).
Over at TechCrunch, Natasha Lomas offers a great explanation as to why this is, which I’ll do my best to condense. The problem is that GDPR enforcement is funneled through the data watchdog of Ireland, where many US tech firms locate their European headquarters. That particular agency has proved itself to be a little slow in running down such complaints, which — only a cynic might suggest — is part and parcel of the friendly regulatory environment cultivated by the Irish state to attract US tech money in the first place.
So, in order to get some timely enforcement (or any enforcement) France’s data watchdog has turned to the older ePrivacy Directive, which allows national agencies direct oversight in their own territories. It’s an effective workaround, and CNIL has previously used ePrivacy to fine Google and Amazon on similar issues. Meanwhile, as Lomas points out, Google has yet to face a single regulatory sanction from Ireland’s data watchdog under GDPR.
What’s the upshot of all this? Well, if you live in France, you may get a slightly easier option to reject cookies from Google and Facebook sometime in the future. Which is nice, sure, but hardly the sort of decisive action that — if you agree with the stated desire of EU’s fractured, multi-headed data regulation — is supposed to redress the imbalance of power between tech firms and average consumers. But that’s just the way the cookies crumble.