Cookie Consent Dark Pattern: Privacy Zuckering
In a NutShell “Following investigations, the CNIL noted that the websites facebook.com, google.fr and youtube.com do not make refusing cookies as easy as to accept them. It thus fines FACEBOOK 60 million euros and GOOGLE 150 million euros and orders them to comply within three months.“
“The websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies,” the authority said. “However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies.
HTTP cookies are small pieces of data created while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser to track online activity across the web and store information about the browsing sessions, including logins and details entered in form fields such as names and addresses.
Specifically, the CNIL found fault with the manner in which the two platforms require several clicks to reject all cookies, as opposed to having a single override to refuse all of them, effectively making it harder to reject cookies than to accept them.
Under EU law, if consent is the legal basis being claimed for processing people’s data there are strict standards that must be adhered to — consent must be informed, specific and freely given in order for it to be obtained legally.
Long running complaints against Facebook and Google over similarly problematic consent issues continue to languish on the desk of the Irish Data Protection Commission (DPC), meanwhile — which under the EU’s General Data Protection Regulation (GDPR)’s one-stop-shop (OSS) mechanism is a quasi centralized enforcer for most of big tech.
The DPC has been accused of dragging its feet on GDPR oversight of tech giants and creating a bottleneck for effective enforcement of the regulation, as the OSS encourages forum shopping — and Ireland’s low corporate tax economy appears only too happy to oblige client corporates with low resolution regulatory oversight too.
Notably, the CNIL is taking action against Facebook and Google under an earlier piece of EU legislation — the ePrivacy Directive — which gives competence to national agencies in their own territories. So the French continue to find creative ways to apply GDPR data protection standards nationally, despite the OSS and Irish GDPR blockage.
In the past Google and Facebook has involved themselves in regional lobbying efforts to delay a planned update to the ePrivacy Directive — which would have replaced it with a regulation, as we’ve reported before.
In such a geopolitical mess and Colonial Attitude of the BigTech government of Indian and Agencies judiciary have taken title to no action and have been seen as either unaware or heavily influenced by such lobbying.