No more force-fed cookies: Google and Facebook face data privacy fines

By Eric Johansson

France’s data watchdog is back barking at Google and Facebook again. The Commission Nationale de l’Informatique et des Libertés, CNIL, has a long history of slamming internet giants for failing to protect people’s privacy. Now it’s calling out the Silicon Valley behemoths again – and this time it’s because of cookies.

Cookies are little identifying strings which can be placed in a user’s browser when they visit a website. The cookie can then be read by the website which placed it, by other websites and in many cases by third parties. Some cookies are there only to make platforms work better, such as helping them to remember shopping baskets and the like. The more controversial types of cookies enable tech giants to track users on other sites as well, usually in order to help advertisers better target potential customers.

It’s this latter form of cookies that CNIL is now up in arms about. The restricted committee, the body of the CNIL responsible for issuing sanctions, has taken issue with the sites facebook.com, google.fr and youtube.com offering visitors a button to automatically accept cookies, but not an equivalent button to reject the tracking.

CNIL argues that making it difficult to reject cookies affects users’ freedom of consent and constitutes an infringement of Article 82 of the French Data Protection Act. The regulator has therefore now slammed Google with a €150m fine and Facebook with a €60m fine.

Additionally, the market watchdog ordered Google and Facebook to introduce rejection buttons within three months for French users. Failing to introduce the buttons would see the tech giants ordered to pay a penalty of €100,000 per day that the new service is not up and running.

CNIL has issued almost 100 sanctions and orders since 31 March, 2021 when the deadline to comply with its new rules passed.

“People trust us to respect their right to privacy and keep them safe,” a Google spokesperson tells Verdict. “We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive.”

Facebook, which rebranded as Meta at the end of 2021, responded that it is currently changing its cookie consent policies.

“We are reviewing the authority’s decision and remain committed to working with relevant authorities,” a Meta spokesperson tells Verdict. “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

The privacy concerns of Facebook and Google

Privacy concerns are nothing new for Facebook and Google. The two huge advertising companies have a long history of being criticised for shortcomings in protecting people’s privacy.

This is evident in GlobalData’s recent social media scorecard, where both companies received bottom scores when it came to data privacy. Microsoft, which was ranked as the second leading social media company after ByteDance, comparatively received a four for its data privacy efforts, the second highest score a company could receive.

Data privacy has jumped to the forefront of the concerns big business must consider. In a recent thematic research report from GlobalData, it’s identified as a key issue keeping CEOs up at night – and this is doubly true for Silicon Valley leviathans.

“Once deemed consumer champions, Big Tech now appears to be the new dark side of capitalism, arguably seen as presenting a bigger risk to society than bankers were in 2007,” GlobalData researchers wrote in a recent thematic research report. “Public outrage at their actions is now forcing regulators to act.”

The EU’s General Data Protection Regulation (GDPR), also adopted by post-Brexit Britain, France’s new rules and similar laws in the US have all appeared in response to this public outrage.

To some degree, this could also explain why companies like Facebook and Google are trying to diversify their business models, fearing that the pressure of these new rules could find them scraping for profits.

“Social media companies will increasingly diversify away from their ad-funded business model, which regulators have attacked,” GlobalData researchers wrote in a June report. “Companies like Facebook and Google stand accused of using ad-targeting techniques that prioritize profit over respect for the user’s privacy and content quality. They are also accused of acting as gatekeepers around access to personal data to the detriment of smaller players in the online advertising sector.”