French privacy regulator hits Google and Facebook with fines over deceptive UI design

Recently we’ve seen a huge push towards user privacy on the internet. Aside from the General Data Protection Regulation (GDPR), European countries have pushed back in numerous cases where data collection and user tracking are concerned.

The latest in this privacy-focused effort comes out of France, where the Commission nationale de l’informatique et des libertés (CNIL) has fined Google 150 million euros ($170 million) and Facebook 60 million euros ($68 million) for making opting out of cookies too confusing for users. In addition to the fines, both companies have 90 days to make changes that allow cookies to be rejected more easily or face a €100,000 per day fine.

According to the CNIL, Facebook and Google use “dark patterns” to trick users into accepting tracking cookies. Dark patterns are methods of designing a user interface in a way that confuses the user or leads them to believe they have no choice in the matter—for example, presenting a dialog that forces users to accept cookies before accessing content, then hiding the means to reject cookies behind other menus.

Google employs a dark pattern similar to the example given above. The watchdog says that Google websites, including YouTube, offer a way to accept all cookies with one click, but users have to navigate through several menus to reject all cookies. The CNIL says that Google intentionally makes rejecting cookies harder so that users will take the easier route and just accept them.

In the case of Facebook, the CNIL says the company also offers a one-click solution to accept all cookies but requires several clicks to refuse them. Additionally, Facebook deceptively labels the button to opt out “Accept cookies,” leading people to believe they have no choice.

The CNIL says both instances break European law, which requires that citizens fully understand their decisions when consenting to data collection. Interestingly, the CNIL is not relying on current GDPR law in either case. Instead, it is employing an older piece of legislation called the ePrivacy Directive.

TechCrunch notes that Ireland’s privacy regulators enforce GDPR violations filed by any EU member but are very slow to act. Many US tech firms locate their European headquarters in Ireland, primarily because of the more relaxed taxation and regulation. However, the ePrivacy Directive allows European nations to carry out penalties in their own countries directly. So France is using it to be sure Facebook and Google are held accountable in a timely manner.