Chalk another one up for decentralized enforcement: France's data protection watchdog has slapped headline-grabbing fines on Facebook and Google for failing to respect local (and pan-EU) cookie consent rules.
Today, the CNIL said it's fined Google €150M (~$170M) and Facebook €60M (~$68M) for breaching French law, following investigations of how they present tracking choices to users of google.fr, youtube.com and facebook.com.
The regulator said it was acting after receiving a number of complaints.
In a clear breach of EU and French law, it found the pair do not offer an option for users to reject non-essential cookies as easily as the option they offer for them to accept all tracking.
So, in short, the tech giants were using manipulative dark patterns to try to force consent.
Here's an illustrative snippet from the CNIL's press release:
" ... the information given by the company is not clear since, in order to refuse the deposit of cookies, Internet users must click on a button entitled "Accept cookies", displayed in the second window. It considered that such a title necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.
The restricted committee judged that the methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of Article 82 of the French Data Protection Act."
Under EU law, if consent is the legal basis being claimed for processing people's data there are strict standards that must be adhered to -- consent must be informed, specific and freely given in order for it to be obtained legally.
Long running complaints against Facebook and Google over similarly problematic consent issues continue to languish on the desk of the Irish Data Protection Commission (DPC), meanwhile -- which under the EU's General Data Protection Regulation (GDPR)'s one-stop-shop (OSS) mechanism is a quasi centralized enforcer for most of big tech.
The DPC has been accused of dragging its feet on GDPR oversight of tech giants and creating a bottleneck for effective enforcement of the regulation, as the OSS encourages forum shopping -- and Ireland's low corporate tax economy appears only too happy to oblige client corporates with low resolution regulatory oversight too.
Notably, the CNIL is taking action against Facebook and Google under an earlier piece of EU legislation -- the ePrivacy Directive -- which gives competence to national agencies in their own territories. So the French continue to find creative ways to apply GDPR data protection standards nationally, despite the OSS and Irish GDPR blockage.
There's a particular irony here, in that Google and Facebook involved themselves in regional lobbying efforts to delay a planned update to the ePrivacy Directive -- which would have replaced it with a regulation, as we've reported before.
The ePrivacy Regulation still hasn't been adopted -- despite being proposed back in 2017! Which creates inconsistencies between EU law. But does also leaves Member State-level regulators such as CNIL free to enforce ePrivacy rules within their own jurisdictions, retaining decentralized power to sanction big tech on its home turf under the ePrivacy Directive. So, er, oopsy! That's turned into a fairly expensive mistake for Facebook and Google in France at least.
France's regulator has been especially busy on this front -- fining Google €100M back in December 2020 for dropping tracking cookies without consent. At the same time it also stung Amazon €35M over the same issue.
Earlier, the CNIL even managed to get an early GDPR fine in against Google -- all the way back in 2019 -- before the company realized its legal exposure and switched the legal entity handling EU users' data from the US to Ireland so that its regional business would fall under the DPC's 'less muscular' oversight.
To date, Google has not faced a single sanction under GDPR out of Ireland -- despite a number of very substantial and very long running complaints filed against it, including over forced consent; its handling of location data; and its adtech.
Complaints are not only continuing to stack up against tech giants over systemic breaches of EU data protection law and against the DPC for its embarrassingly thin record on enforcement -- and even for alleged corruption, in a more recent charge against Ireland -- but also against the European Commission itself which stands accused of failing in its duty to monitor GDPR enforcement at a Member State level.
My reply to Didier Reynders, European Justice Commissioner, on 14 December is now public. The Commission must act to uphold data protection law.
His recent letter to MEPs, covered by @vmanancourt, is perplexing. https://t.co/kt2nkfV8Se
— Johnny Ryan (@johnnyryan) January 5, 2022
The Commission did intervene verbally late last year -- with a direct warning to data protection agencies that GPDR enforcement must become "effective" fast or else it suggested DPAs would face having such power taken out of their hands -- in favor of centralized enforcement by the EU executive.
At the same time, Google and Facebook were also blasted by the Commission which accused adtech giants of choosing legal tricks over genuine compliance with the bloc's privacy standards, with commissioner Vera Jourová warning: "It is high time for those companies to take protection of personal data seriously. I want to see full compliance, not legal tricks. It’s time not to hide behind small print, but tackle the challenges head on.”
But despite firing a few pot-shots, the Commission appears reluctant to actually step in and sanction Ireland, though. So it's been left to Member States like France to make the point in another way -- i.e. by having its agencies illustrate that enforcement is not only possible but happening.
(See also: France's competition watchdog taking tough action against Google, for example.)
In addition to today's headline-grabbing fines, the CNIL has ordered Facebook and Google to change how they present cookie choices to users in France -- giving the pair three months to provide local users with a means of refusing cookies that's as simple as the existing means of accepting them -- "in order to guarantee their freedom of consent".
Failure to comply with the order will mean the companies face further penalties -- of €100,000 per day of delay.
The CNIL has been focusing its oversight on cookie consents for some time.
The regulator set a deadline of March 31, 2021 for websites to comply with updated cookie guidance which it published back in October 2020. And, since the end of March, says it has adopted nearly 100 "corrective measures" (aka, orders and sanctions) related to non-compliance with the legislation on cookies.
Ireland also published updated cookie guidance, back in April 2020 -- when it said it would give websites and data controllers six months to come into compliance before taking any enforcement action.
However the DPC has once again shown itself to be all mouth and no trousers: Failing to issue any public sanctions in relation to cookie consent violations against commercial entities (and certainly nothing against Facebook or Google on this front).
A DPC decision against Facebook-owned WhatsApp that was issued late last year focused on transparency breaches.
The size of that eventual penalty for WhatsApp -- $267M -- was also substantially inflated after interventions by other EU DPAs and the European Data Protection Board; Ireland's draft decision had only suggested a fine of up to €50M. Facebook, meanwhile, is seeking to evade the sanction by appealing against it.)
Reached for comment on the CNIL's spank for disingenuous cookie consents, a Meta/Facebook spokesperson said:
"We are reviewing the authority's decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”
The tech giant also pointed to an announcement it made in September last year about an update to its local "cookie controls" -- when it said it would be giving people in Europe "a more granular level of control over their cookie choices and more information on what we use different kinds of cookies for, including what information we receive from other apps and websites".
"This work is part of our ongoing efforts to give people greater control over their privacy and align with evolving privacy requirements, such as the General Data Protection Regulations (GDPR) and the ePrivacy Directive (ePD)," it added at the time.
Whatever the specific fiddles Facebook made back then the changes don't seem to have impressed the French.
At the time of writing Google had not responded to a request for comment on CNIL's sanction but we'll update this report if we get one.
Update: A Google spokesperson said:
"People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive."