The French data protection watchdog has hit Facebook and Google with fines of €150 million and €60 million respectively for violating EU privacy rules by failing to provide users with an easy option to reject cookie tracking technology. The Commission Nationale de l'Informatique et des Libertés (CNIL) said Facebook, Google France and YouTube offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent option for a user to easily refuse the cookies loading onto their device.

Specifically, CNIL found fault with the manner in which the two platforms require several clicks to reject all cookies, as opposed to having a single override click to refuse all of them, effectively making it harder to reject cookies than to accept them.

Along with imposing financial penalties on Google and Facebook, CNIL has also ordered the tech giants to alter how they currently present cookie choices and provide users with a simple means of refusing cookies within three months, or risk facing further fines of €100,000 for each day of delay.

Predictable patterns

While the fines won't make much of a dent in either company's revenues, this is not the first time European authorities have acted to punish Big Tech for contravening EU regulations. In December 2020, the regulator hit Google with a €100 million fine and Amazon Europe with a €35 million fine for placing advertising cookies on users' devices without seeking their consent.

In November 2021, Italy's competition authority, the Autorità Garante della Concorrenza e del Mercato (AGCM), fined Apple and Google €10 million each for not providing clear and immediate information on the acquisition and use of user data for commercial purposes when people were creating accounts.

Shady cookies
  • HTTP cookies are small pieces of data created while a user is browsing a website. They are placed on the user's computer, or other device, by the user's web browser.
  • Cookies are designed to track online activity across the web and store information about user’s browsing sessions, including logins and details entered in form fields such as names and addresses.
  • In many cases cookies are very useful. For instance, you don’t need to renter authentication details to sites you visit regularly or laboriously add in address and contact details. It makes browsing easier.
That said, there is a shady side to cookies.

5,000 data points… on you

The websites you visit, where and when you shop online, the products you buy, the map routes you use, the health concerns you have, the books you read, the TV programmes you watch, the sports you are interested in, the partners you seek and a lot more can be gathered up by cookies. On average, up to 5,000 data points can be accumulated for each individual.

And this information is a major source of revenue for companies like Facebook, Google and others who offer targeted advertising services based on the data. To date this level of data collection has largely been one way, but as CNIL as shown there is an increasing clamour about privacy violations and the will and means to do something about it.
  • An effective way of reclaiming your privacy is using a virtual private network (VPN). A VPN hides your identity when you’re online by masking your IP address. For instance, if you live in Glasgow you can connect to the internet from France, or other countries, using a VPN, so you essentially become anonymous online.
  • While a VPN is a great security tool for making you anonymous online, it does not prevent cookies from tracking you. That being said, because the VPN connects you with foreign servers and hide your IP address, it will give some false information to the tracking cookies.
Bowing to pressure

In a separate but related move after years of pressure to reign in data collection, Facebook is introducing more stringent privacy tools that allow you to take back control of your private data.
  • You can use it to find out exactly what the company knows about you, clean up old posts, and secure your profile from strangers and advertisers.
  • However, don't be shocked by how detailed the data is, as Facebook can almost know everything about you from which political party you vote for to what you bought for lunch online.
  • For now, this new ‘privacy center’, is a test available to some US-based Facebook desktop users for now. It will break data collected on you into five categories: Security, Sharing, Collection, Use and Ads.
Facebook is badging this moves as “privacy education.” On the surface it seems like a good step given that Facebook has historically offered users byzantine, difficult to navigate privacy controls, often with the most important settings buried in menus.

Vested interests, laborious data trawling

However, Facebook still very much has a vested interest in ensuring its users continue sharing as much data as possible. This is obvious by its recent and clear objections to Apple’s iOS ad tracking changes, which limited the ability of apps to follow user behaviour.

That said, Facebook’s new privacy center is more than a PR exercise but it won’t be realistic for most people to sift through the mountains of data. And there will be mountains of data. The social media giant collects enormous amounts of data on each person that uses the platform. It’s how it makes its money. Interestingly there appears to be a implicit message in the move towards privacy education and that is if you don’t go to the trouble of sorting through all of information then it’s your responsibility if the company uses your personal data.