Google, Facebook Slapped With French Privacy Fines Over Cookies (bloomberg.com)
Alphabet's Google was slapped with a record French fine of 150 million euros ($170 million) by the nation's privacy watchdog, together with a 60 million-euro fine for Meta Platforms' Facebook, over the way the companies manage cookies. From a report: CNIL, France's data protection authority, on Thursday issued the companies with a three-month ultimatum "to provide internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent." Failing to do so will come with the risk of an additional daily fine of 100,000 euros, CNIL said in the statement. The latest penalties follow probes by the watchdog looking at companies' compliance with new rules on cookies, which are tracking devices that are placed on people's computers. The watchdog in 2020 fined Google 100 million euros and online shopping giant Amazon.com Inc. 35 million euros for placing such cookies on people's computers without their consent.
Cost of doing business (Score:3)
I guess they are - Cookie Monsters! (Score:2)
Ignoring the DNT header should guarantee a fine (Score:5, Interesting)
The user has told you, in a standardized way: Do not track. If you ask the user for tracking-consent anyway, you're already in violation of the GDPR.
Re: (Score:2)
The problem that precipitated the downfall of "do not track" is browsers enabling it by default. In a typical Embrace Extend Extinguish fashion, Microsoft did it first with IE.
DNT was supposed to be a 3-way switch: yes, no, and unset; the latter was supposed to be the default, and yes and no required user action. By enabling DNT by default, it stops being a user choice. The argument "we do what is best for our users" is beside the point; the point of DNT is to give the user a choice, not to do what's "best".
An
Re: (Score:2)
There are many settings that browser makers choose for their users. Which other ones are consistently ignored by web sites? If a web site wants to ask users for tracking consent despite a set preference for no tracking, it at the very least needs to make no tracking the clear, default and easy to choose option, without getting in the way of using the site according to the preference. If a browser is known to not set this preference without asking the user first, I'd argue the web site should treat this the
Re: (Score:2)
> The problem that precipitated the downfall of "do not track" is browsers enabling it by default.
Bullshit. The problem that precipitated the downfall of "do not track" was that it was never intended to work. Hell, Google, the company that pushed the alleged "standard" never bothered to honor the flag, long before Microsoft made it default to no.
> By enabling DNT by default, it stops being a user choice.
More bullshit. The user can always choose to disable it, if they feel they get enough benefits from being tracked. The fact that the standard interprets a null header as "yes" is a cynical ploy by Google and the advertising industry to profit from the lack of te
Re: (Score:2)
I agree, the only way for DNT is if it is managed by a higher authority taking into account both users' and advertisers' interests, like a government making a law. But DNT is not a law, advertisers have every reason to ignore it, and non-advertisers have every reason to force it on, there is no equilibrium, so the situation is what we have now: DNT is always on, advertisers ignore it, it is just pollution in HTTP headers.
As for list-based solutions, I find them even worse. You know the much maligned "acceptabl
Re: (Score:2)
I think web site operators will find that ignoring the DNT header is going to get them fined. The DNT header doesn't need to be law. The GDPR is law. There is no requirement for making your preference known in a particular form. If the user has already transmitted a preference, any attempt to get them to consent by blocking the user's view of the site with a cookie form overlay is clearly "unnecessarily disruptive" and therefore a violation of the GDPR.
While I agree with the French position (Score:1)
Are most internet users so utterly clueless that they don't know the basic browser functionality of how to delete cookies?
I suppose the answer is "yes".
Re:While I agree with the French position (Score:5, Insightful)
Taking the morning-after pill doesn't unfuck you.
Re: (Score:3)
The GDPR states that it must be as easy to withdraw consent as it is to give it. So, if a site asks to set a tracking cookie, the site must also offer a similar control to delete the tracking cookie. I implement this in all of my GDPR-compliant consent options.
I've dealt with customers who deliberately want to make this difficult for visitors, so they instead provide instructions for deleting cookies within the browser, knowing that most people won't bother. But I, as the developer, don't want people doing
The language is super simple (Score:2)
> a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent
It is super straightforward. This is what I want and this is what the law requires. Non-compliance should actually be punished.
Re: (Score:2)
The specific rule is GDPR Recital 32: https://www.privacy-regulation... [privacy-regulation.eu]
As it states, the site must not do anything to opt the user in, like pre-ticking a box. It has been argued, and the French regulator agrees, that making it more effort to deny consent for non-essential cookies is covered by this rule.
Another important rule is that the request for consent shouldn't be "unnecessarily disruptive" to the user. Google's current pop-over request that blocks you from using the site until you dismiss it doesn't
Dark patterns (Score:5, Interesting)
Just wondering (Score:2)
How is a server supposed to keep track of who has refused to allow cookies?
Should it force a pop-up with every request?
Does the "simple wording" of the rule allow storing a non-session cookie that says, "don't use cookies"?
Does the server have to fall back to including session management information in the URL, so users can accidentally allow others to take over their session by forwarding a URL?
Re: (Score:2)
Therein is the problem. The GDPR is not concerned with cookies in general, only ones that can identify the individual. It is completely acceptable to set a cookie that simply stores "tracking_consent = NO".
Because of this, we really don't want people deleting cookies in their browser, otherwise they'll keep getting pestered for consent (which, on many sites, is a deliberate dark pattern). On my GDPR-compliant sites, once a person says "no", I honour that choice in a long-life cookie.
Re: (Score:2)
> How is a server supposed to keep track of who has refused to allow cookies?
By saving a cookie noting this choice. This is allowable under GDPR and not some sort of stupid "gotcha".
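The approach described in the two replies above, sketched as an added example (not code from any commenter): the server remembers a refusal in a cookie that carries only the choice and no identifier. The cookie name `tracking_consent` comes from the thread; the function names, the one-year lifetime, and the decision to treat `DNT: 1` as a refusal when no choice is stored (the position argued earlier in the thread) are assumptions.

```python
from http.cookies import SimpleCookie

CONSENT_COOKIE = "tracking_consent"   # name used in the thread
ONE_YEAR = 365 * 24 * 3600            # assumed lifetime for the "long-life" cookie


def read_choice(headers):
    """Return 'YES', 'NO' or None from the request's Cookie header."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get(CONSENT_COOKIE)
    value = morsel.value.upper() if morsel else None
    # Anything other than the two known values is treated as "no choice yet".
    return value if value in ("YES", "NO") else None


def consent_cookie(choice):
    """Build a Set-Cookie value that stores only the choice, no identifier."""
    c = SimpleCookie()
    c[CONSENT_COOKIE] = choice
    c[CONSENT_COOKIE]["max-age"] = ONE_YEAR
    c[CONSENT_COOKIE]["path"] = "/"
    c[CONSENT_COOKIE]["secure"] = True
    c[CONSENT_COOKIE]["samesite"] = "Lax"
    return c[CONSENT_COOKIE].OutputString()


def decide(headers):
    """Decide whether to track, whether to prompt, and what cookie to set."""
    choice = read_choice(headers)
    if choice is not None:
        # A stored explicit choice is honoured and the user is not asked again.
        return {"track": choice == "YES", "show_banner": False, "set_cookie": None}
    if headers.get("DNT") == "1":
        # Assumption: an unprompted DNT signal is recorded as a refusal.
        return {"track": False, "show_banner": False,
                "set_cookie": consent_cookie("NO")}
    # No stored choice and no signal: ask, and do not track in the meantime.
    return {"track": False, "show_banner": True, "set_cookie": None}
```

Withdrawing consent uses the same path as giving it: the "refuse" control sends `consent_cookie("NO")`, which overwrites an earlier `YES`.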
Non! (Score:3)
No cookies for the French. Let them eat cake.
Cookies are NOT tracking devices (Score:1)
Unfortunately, due to their prominent use by big ad networks as tracking devices, that's the way the public (and technology-naive lawmakers) sees them. I would guess that most of the cookies on everyone's PC are not being used as "trackers". Cookies were around long before online ads started using them. Cookies are a convenient place to store login information, user preferences, and the like. They are especially useful for small websites that don't run a backend database and/or don't have user logins.
Eu nuisance (Score:2)