Facebook, YouTube, and Google’s French site will be facing hefty fines after France’s lead data protection authority ruled that their cookie consent processes were too confusing and difficult. Central to the case was the use of “dark patterns” by each site, or elements that obscure the process of refusing cookies and intentionally steer users in another direction.
Dark patterns were commonly cited by European regulators as reasons for fines in 2020. In 2019, a study of a sample of 1,000 German websites found that over 50% made use of dark patterns to attempt to mislead users into providing cookie consent or making unnecessary purchases.
Big fines for Google and Facebook in France as cookie consent called into question
Google is looking at a total fine of €150 million for its cookie consent troubles, and Facebook is slated to pay €60 million. The decision was handed down by CNIL, France’s chief data regulator. Failure to comply could cost the companies an additional €100,000 per day.
CNIL found that the sites failed an “equivalency” requirement that mandates opting out of cookie consent be just as easy as opting in. All of the fined sites required multiple clicks to opt out, but only one (usually via a pop-up banner) to opt in. The regulator said that it received multiple complaints about the issue.
This requirement is specific to France’s national data protection law (the French Data Protection Act) rather than the Europe-spanning General Data Protection Regulation. Fines are being levied against Google and Facebook’s Irish divisions, but a new requirement that these cookie consent procedures be changed will only apply to residents of France (and must be fulfilled within three months). GDPR complaints draw other nations into the process, and complaints involving the tech giants usually put Ireland’s data regulators at the forefront of everything.
France’s data protection authority has been one of the most active in Europe, and often leans on the country’s own internal regulations rather than relying on the GDPR process. Cookie consent has been a particular focus for the agency since early 2021, with about 100 corrective measures issued due to non-compliance. But the agency has been unafraid to take on Big Tech for any type of violation, hitting Google for €100 million and Amazon for €35 million in December 2020 over a different cookie consent issue.
Google has yet to comment on the recent cookie consent fines. Meta, Facebook’s parent company, issued a statement to the media indicating that it is reviewing CNIL’s decision and that it continues to “develop and improve” its privacy controls.
France’s aggressiveness in pursuing fines highlights EU debate over regional enforcement
Actions such as these recent cookie consent fines highlight growing divisions in the EU over how data privacy laws should be enforced. The current regional focus is being questioned in no small part due to Ireland’s reluctance to go after the Big Tech firms that make their EU headquarters in Dublin, something that increasingly has the appearance of a conflict of interest.
In December of 2021 some members of the European Commission addressed the issue directly, indicating that the GDPR enforcement model was fast becoming “ineffective” and that the path to putting teeth back in it might be centralized enforcement that strips the national DPAs of power. Justice Commissioner Didier Reynders recently followed up on these comments by saying that it was “too early” to assess whether the cooperation mechanism underpinning the GDPR is functioning as intended, and that Ireland’s “caution” to date has not yet merited an infringement procedure.
Some regions have strengthened internal laws in a bid to work around the shortcomings that have appeared in the GDPR process, France among them. CNIL beefed up its requirements for cookie consent for the purposes of ad tracking in 2020, requiring websites to provide an easy way to withdraw consent (via a clear link present on all of the website’s pages) and mandating that cookie opt-outs be logged for a period of at least six months. French companies were required to comply with these new standards by April 2021.
Google and Facebook have both faced EU complaints about their use of dark patterns before, but this is the first to come to something. A 2018 complaint initiated by the Norwegian Consumer Council (NCC) under the GDPR wound up being passed on to Ireland, where the DPA is continuing to slow-walk it.
Cookie consent enforcement may also be forthcoming in the United States, with the Federal Trade Commission (FTC) agreeing in October to ramp up enforcement against any sites found attempting to “trick or trap” users into cookie consent or into paying for services.