French privacy regulator hits Google and Facebook with fines over deceptive UI design

Cal Jeffrey

Posts: 3,454   +1,031
Staff member
In context: Recently we've seen a huge push towards user privacy while on the internet. Aside from the General Data Protection Regulation (GDPR), European countries have pushed back in numerous cases where data collection and user tracking are concerned.

The latest in this privacy-focused effort comes out of France, where the Commission nationale de l'informatique et des libertés (CNIL) has fined Google 150 million euros ($170 million) and Facebook 60 million euros ($68 million) for making opting out of cookies too confusing for users. In addition to the fines, both companies have 90 days to make changes that allow cookies to be rejected more easily or face a €100,000 per day fine.

According to the CNIL, Facebook and Google use "dark patterns" to trick users into accepting tracking cookies. Dark patterns are methods of designing a user interface in a way that confuses the user or leads them to believe they have no choice in the matter—for example, presenting a dialog that forces users to accept cookies before accessing content then hiding the means to reject cookies behind other menus.

Google employs a dark pattern similar to the example given above. The watchdog says that Google websites, including YouTube, offer a way to accept all cookies with one click, but users have to navigate through several menus to reject all cookies. The CNIL says that Google intentionally makes rejecting cookies harder so that users will take the easier route and just accept them.

In the case of Facebook, the CNIL says the company also offers a one-click solution to accept all cookies but requires several clicks to refuse them. Additionally, Facebook deceptively labels the button to opt-out "Accept cookies," leading people to believe they have no choice.

The CNIL says both instances break European law, requiring citizens to understand their decisions fully when consenting to data collection. Interestingly, the CNIL is not relying on current GDPR law in either case. Instead, it is employing an older piece of legislation called the ePrivacy Directive.

TechCrunch notes that Ireland's privacy regulators enforce GDPR violations filed by any EU member but are very slow to act. Many US tech firms locate their European headquarters in Ireland, primarily because of the more relaxed taxation and regulation. However, the ePrivacy Directive allows European nations to carry out penalties in their own countries directly. So France is using it to be sure Facebook and Google are held accountable in a timely manner.

Permalink to story.

 

ypsylon

Posts: 492   +489
Well it's not only G and FB. All websites use same tricks to screw the user. Imgur is basically useless when you click Reject All and refuse everything - no data coming. It's easy to go after both of biggest players for news headlines. Nobody would care about some local website in south of France for example.

As a curiosity. Running browser in stealth mode by actively removing all headers and referrers, preventing cookies storage and other spyware bloat makes browsing a real chore. Basically every single time I have to confirm once that I reject all crap, then G/YT throws me back to the previous page with an error, so just closing the tab, opening same video page and voila it works, but you need so many more hoops to keep surveillance scumbags at bay. That's just for ordinary web browsing, not even mentioning Pegasus and other web-criminals where you don't even know when they gonna order hit on you.
 

amghwk

Posts: 1,176   +1,096
Move on. Nothing to see here. Whatever fines Google or Facebook are imposed on, they are nothing but pocket money for them. Both will carry on with whatever they are doing.
 

Vanderlinde

Posts: 118   +81
Well it's not only G and FB. All websites use same tricks to screw the user. Imgur is basically useless when you click Reject All and refuse everything - no data coming. It's easy to go after both of biggest players for news headlines. Nobody would care about some local website in south of France for example.

As a curiosity. Running browser in stealth mode by actively removing all headers and referrers, preventing cookies storage and other spyware bloat makes browsing a real chore. Basically every single time I have to confirm once that I reject all crap, then G/YT throws me back to the previous page with an error, so just closing the tab, opening same video page and voila it works, but you need so many more hoops to keep surveillance scumbags at bay. That's just for ordinary web browsing, not even mentioning Pegasus and other web-criminals where you don't even know when they gonna order hit on you.

I suggest you google for Adguard, Pi-hole or any other service like this.

Thank me later.
 

Raunchy

Posts: 46   +12
Condé Nast was even worse. They actually had a button labeled "Don't sell my information" but it meant just the opposite: The "on" state meant "yes, sell my information."

This appeared on numerous Web sites (like Ars Technica). After I called them out on it repeatedly and pointed out that it was illegal, they finally changed it.