Google, Facebook Slapped With French Privacy Fines Over Cookies

Alphabet's Google was slapped with a record French fine of 150 million euros ($170 million) by the nation's privacy watchdog, together with a 60 million-euro fine for Meta Platforms' Facebook, over the way the companies manage cookies. From a report: CNIL, France's data protection authority, on Thursday issued the companies with a three-month ultimatum "to provide internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent." Failing to do so will come with the risk of an additional daily fine of 100,000 euros, CNIL said in the statement. The latest penalties follow probes by the watchdog looking at companies' compliance with new rules on cookies, which are tracking devices that are placed on people's computers. The watchdog in 2020 fined Google 100 million euros and online shopping giant Amazon.com Inc. 35 million euros for placing such cookies on people's computers without their consent.

Cost of doing business

[dfm3]

I guess now we know how much profit they get from ignoring the law and using these cookies: at least 100,000 euros per day.

Re:

[Otis B. Dilroy III]

Any fine which is less than one percent of a corporation's gross earnings will be ignored. This is just political grandstanding to impress the ignorant masses.

I guess they are - Cookie Monsters!

[jfdavis668]

They ARE feeling pretty blue.

Ignoring the DNT header should guarantee a fine

[TheNameOfNick]

The user has told you, in a standardized way: Do not track. If you ask the user for tracking-consent anyway, you're already in violation of the GDPR.

Re:

[GuB-42]

The problem that precipitated the downfall of "do not track" is browsers enabling it by default. In a typical Embrace Extend Extinguish fashion, Microsoft did it first with IE.

DNT was supposed to be a 3-way switch: yes, no, and unset, the latter was supposed to be the default, yes and no required user action. By enabling DNT by default, it stops being a user choice. The argument "we do what is best for our users" is besides the point, the point of DNT is to give the user a choice, not to do what's "best".

An

Re:

[TheNameOfNick]

There are many settings that browser makers choose for their users. Which other ones are consistently ignored by web sites? If a web site wants to ask users for tracking consent despite a set preference for no tracking, it at the very least needs to make no tracking the clear, default and easy to choose option, without getting in the way of using the site according to the preference. If a browser is known to not set this preference without asking the user first, I'd argue the web site should treat this the

Re:

[ChatHuant]

The problem that precipitated the downfall of "do not track" is browsers enabling it by default.

Bullshit. The problem that precipitated the downfall of "do not track" was that it was never intended to work. Hell, Google, the company that pushed the alleged "standard" never bothered to honor the flag, long before Microsoft made it default to no.

By enabling DNT by default, it stops being a user choice.

More bullshit. The user can always choose to disable it, if they feel they get enough benefits from being tracked. The fact that the standard interprets a null header as "yes" is a cynical ploy by Google and the advertising industry to profit from the lack of te

Re:

[GuB-42]

I agree, the only way for DNT is if it is managed by a higher authority taking into account both user and advertisers interests, like a government making a law. But DNT is not a law, advertisers have every reason to ignore it, and non-advertisers have every reason to force it on, there is no equilibrium, so the situation is what we have now: DNT is always on, advertisers ignore it, it is just pollution in HTTP headers.

As for list-based solutions, I find them even worse. You know the much maligned "acceptabl

Re:

[TheNameOfNick]

I think web site operators will find that ignoring the DNT header is going to get them fined. The DNT header doesn't need to be law. The GDPR is law. There is no requirement for making your preference known in a particular form. If the user has already transmitted a preference, any attempt to get them to consent by blocking the user's view of the site with a cookie form overlay is clearly "unnecessarily disruptive" and therefore a violation of the GDPR.

While I agree with the French position

[Viol8]

Are most internet users so utterly clueless that they don't know the basic browser functionality of how to delete cookies?

I suppose the answer is "yes".

Re:While I agree with the French position

[TheNameOfNick]

Taking the morning-after pill doesn't unfuck you.

Re:

[LucasBC]

The GDPR states that it must be as easy to withdraw consent as it is to give it. So, if a site asks to set a tracking cookie, the site must also offer a similar control to delete the tracking cookie. I implement this in all of my GDPR-compliant consent options.

I've dealt with customers who deliberately want to make this difficult for visitors, so they instead provide instructions for deleting cookies within the browser, knowing that most people won't bother. But I, as the developer, don't want people doing

The language is super simple

[VMaN]

> a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent

It is super straight-forward. This is what I want and this is what the law requires. Non-compliance should actually be punished.

Re:

[AmiMoJo]

The specific rule is GDPR Recital 32: https://www.privacy-regulation... [privacy-regulation.eu]

As it states, the site must not do anything to opt the user in, like pre-ticking a box. It has been argued, and the French regulator agrees, that making it more effort to deny consent for non-essential cookies is covered by this rule.

Another important rule is that the request for consent shouldn't be "unnecessarily disruptive" to the user. Google's current pop-over request that blocks you from using the site until you dismiss it doesn't

Re:

[vlad30]

Is it google Popover or the sites Popover? It seems many sites I go to gives me a popover request that presents me with my current cookie settings (disabled for all but a few trusted sites) which I have to sometimes confirm, sometimes with more than a few clicks, occasionally I can dismiss. The popovers are similar but have different T&C's and layout even the settings page can be different. So they appear to be the sites. or is this something google customises for the sites?

Dark patterns

[rantrantrant]

Currently, the majority of websites I visit have 3rd party cookie consent popups that have 'dark pattern' agreement terms, usually a quick & easy 'Consent to everything including sacrificing your first born' vs. a complicated, laborious 'Manage cookies/preferences'. It's much easier to install a browser extension that automatically deletes cookies than to go through the 'manage' options. My bet is that the vast majority of users don't know about such browser extensions & so just consent to all. The only reason for cookies should be for logins. Everything else should be explicitly opt in for every single function of each cookie. That would get closer to ensuring 'informed consent.'

Just wondering

[WoodstockJeff]

How is a server supposed to keep track of who has refused to allow cookies?

Should it force a pop-up with every request?

Does the "simple wording" of the rule allow storing a non-session cookie that says, "don't use cookies"?

Does the server have to fall back to including session management information in the URL, so users can accidentally allow others to take over their session by forwarding a URL?

Re:

[LucasBC]

Therein is the problem. The GDPR is not concerned with cookies in general, only ones that can identify the individual. It is completely acceptable to set a cookie that simply stores "tracking_consent = NO".

Because of this, we really don't want people deleting cookies in their browser, otherwise they'll keep getting pestered for consent (which, on many sites, is a deliberate dark pattern). On my GDPR-compliant sites, once a person says "no", I honour that choice in a long-life cookie.

Re: Just wondering

[sectokia]

Then you are in violation as you are tracking them across sessions.

Re:

[LucasBC]

Nope, not at all. If I was storing a session ID or some other ID that identifies them as a specific individual, that would be a problem. But it's not a violation under the GDPR to store a state value anonymously.

Re:

[VMaN]

> How is a server supposed to keep track of who has refused to allow cookies?

By saving a cookie noting this choice. This is allowable under GDPR and not some sort of stupid "gotcha".

Non!

[PPH]

No cookies for the French. Let them eat cake.

Re:

[Baconsmoke]

Tea and cake or death?

Cookies are NOT tracking devices

[dnwheeler]

Unfortunately, due to their prominent use by big ad networks as tracking devices, that's the way the public (and technology-naive lawmakers) sees them. I would guess that most of the cookies on everyone's PC are not being used as "trackers". Cookies were around long before online ads started using them. Cookies are a convenient place to store login information, user preferences, and the like. They are especially useful for small websites that don't run a backend database and/or don't have user logins.

Eu nuisance

[Fons_de_spons]

I am pretty patriotic regarding the EU. But having to specify if I like cookies on each ... new ... site ... I visit is just a big nuisance and pointless. Trained myself to find the accept all button as fast as I can. It has become a reflex. Pretty sure a lot of people use a similar approach. A standardized framework would be nice. Set your cookiepreferences once in a plugin and ride the waves of the web.