If you spend much time online, there’s a good chance you’ve visited a website that presented you with a convoluted, confusing menu about cookies. These menus have largely replaced the old banners that appeared at the top of sites that let users know the site used cookies, with the only option being “I accept.”
Most of these confusing menus include an option to reject cookies, which is an improvement over the old banners. However, the new cookie menus also bury those options under a myriad of settings while prominently displaying the ‘Accept’ button. It’s an all-too-common practice meant to drive people to click accept rather than spending their valuable time trying to find an option to reject cookies.
Well, France has fined Google and Facebook for doing just that.
The country’s data protection watchdog CNIL fined Google €150 million (about $215.8 million CAD) and Facebook €60 million (about $86.3 million CAD). Yes, that’s not nearly enough considering the insane amount of money these companies make, but hey, it’s a start.
CNIL says both companies hid options to reject cookies
With Google, CNIL notes that the company’s websites (including YouTube) let users accept all cookies with a single click. However, to reject cookies, users must click through several different menu items. As such, CNIL felt that it discouraged users from refusing cookies since it was significantly easier to accept them.
As The Verge explains, EU law says that when citizens hand over data online, they must do so freely and with a full understanding of the choice they’re making. CNIL believes Google and Facebook are effectively tricking users with the confusing cookie menus, thus breaking the law.
Both companies have three months to fix the cookie menus — failure to do so will risk additional fines of €100,000 (about $143,862 CAD) per day.
Fines will hopefully lead to clear, concise cookie menus
Another interesting tidbit is that CNIL acted under the authority of the EU’s older ePrivacy Directive rather than the General Data Protection Regulation (GDPR). TechCrunch has a much more detailed explanation of why CNIL went this route. The short version is that GDPR enforcement is funnelled through the data watchdog in Ireland, which also happens to be where many U.S. tech firms locate their European headquarters. The Irish watchdog tends to be slow when it comes to dealing with issues like this (as The Verge points out, perhaps because of a friendly regulatory environment designed to attract U.S. tech firms in the first place). You can read more about that here.
Obviously, fines in France won’t do much to benefit other places — for example, Canada. Still, it’s important to pay attention to these events since they can influence regulatory moves in other places. The CNIL fines may lead to better cookie menus for people who live in France and could pave the way for regulatory agencies in other countries to take similar action.
Ultimately, making it easier for people to reject cookies on websites is not the be-all and end-all of data privacy regulation. There is a lot more that can (and should) be done, but I’ll take the little victories along the way.
On another note, I am well aware that MobileSyrup does not currently give visitors a choice when it comes to cookies.