French privacy watchdog, the Commission Nationale de l'Informatique et des Libertés (CNIL), has hit Google with a 150 million euro fine and Facebook with a 60 million euro fine, because their websites—google.fr, youtube.com, and facebook.com—don't make refusing cookies as easy as accepting them.
The CNIL carried out an online investigation after receiving complaints from users about the way cookies were handled on these sites. It found that while the sites offered buttons for allowing immediate acceptance of cookies, the sites didn't implement an equivalent solution to let users refuse them. Several clicks were required to refuse all cookies, against a single one to accept them.
In addition to the fines, the companies have been given three months to provide Internet users in France with a way to refuse cookies that's as simple as accepting them. If they don't, the companies will have to pay a penalty of 100,000 euros for each day they delay.
One of the reasons given for the fines is the use of dark patterns, which make it difficult for users to reject the use of cookies.
Dark patterns
For example, YouTube's choice between "I agree" and "Customize" rather than "I agree" and "I don't agree" is a dark pattern, a design that subtly and deliberately nudges you in the direction of a choice that benefits the designer. They are everywhere on the web, and they're a problem.
This explains why the French watchdog objects to the skewed balance between accepting or rejecting cookies from these sites—the path to privacy is long and difficult.
Google and Facebook fined $240 million for making cookies hard to refuse
How does this affect me?
If you have a website, you need to be sure that it complies with relevant laws.
The above ruling was made in terms of GDPR, which is the EU privacy law.
In South Africa, the equivalent law is the POPI Act, which requires all sites to:
- declare their cookie and privacy policies
- allow user to accept or reject the use of cookies
- provide a way for user information to be "forgotten" if requested by the user.
To avoid issues, make sure that you have complied with all relevant laws for the countries you operate in (not just where your website is hosted).
If you don't have a privacy policy in place, or you are uncertain if you comply, give us a call.
We can help get you compliant.