Google Cookie Banner Unlawful in EU

Google is forced to give EU users a 'Reject all' option


In February, we talked about the case of Google Analytics being illegal in France and Austria. Both the CNIL (Commission Nationale de l'Informatique et des Libertés) and the DSB (Datenschutzbehörde), the data protection agencies in those countries, found that the web service was sending IP addresses and other identifiers from users in Europe to the U.S., thus breaching the GDPR (General Data Protection Regulation).

Something we did not mention at that time was that in January the CNIL fined Google and Facebook because they were making it far too cumbersome for users to reject cookies. (Cookies are small character strings that a website asks the browser to store when a resource is requested, and that the browser then sends back on subsequent visits or requests.) Google and Facebook's fines were €150 million ($170 million) and €60 million ($68 million) respectively. Last week, Google introduced a button in its cookie banner that lets users in France reject all cookies without any further screens, as easily as they can accept all cookies. Let's look at the details.

What happened is that these companies' cookie banners were violating EU data privacy laws. The problem was one we users are all too familiar with: there is a button that says "Accept all," or some variation of that, but no option that makes it equally easy to reject cookies. Instead, the user has to go through a lengthy configuration process. And sometimes, as in the case of Facebook, users are presented with a button ambiguously labeled "Accept cookies" after they have gone through the whole process of configuring each cookie individually, even disabling all of them.

In its article announcing the fines, the CNIL backed its argument by appealing to a psychological phenomenon. Namely, because users are interested in quickly consulting a website, the asymmetry of steps required for accepting and rejecting cookies influences their choice in favor of consent. This simple strategy was found to infringe Article 82 of the French Data Protection Act.

The companies not only had to pay the fines, but they were also ordered by the CNIL to provide Internet users located in France with an option to reject all cookies that is as simple as the one to accept them all. Cue Google's new cookie consent option.


Reject all cookies upon the first click

The introduction of the "Reject all" button was announced last week in a blog post by Google's product manager Sammit Adhya. This button is presented next to the "Accept all" option and is designed to be equally weighted visually. This design choice is not a minor detail, as the companies are required to eliminate any variable that could make one option more salient than the other.

Both Google Search and YouTube now show the button to users in France while signed out or in Incognito Mode. According to Adhya, this option will soon be available to users across the rest of the European Economic Area, as well as those in the U.K. and Switzerland. Of course, users in France who are signed in can adjust their preferences from their Google account's data and privacy options.

New cookie banner on YouTube

The use of unlawful cookie banners has, of course, caught the attention of the European Center for Digital Rights, known as noyb for short (the acronym stands for "none of your business"). In a news article they posted almost one year ago, they explained that they had developed software that detects banners that make it harder to reject cookies than to accept them, and that generates GDPR complaints.

Back then, noyb said they had sent complaint drafts to 560 websites from 33 countries. These drafts were more of a warning, giving companies one month to change their banner and software settings. What's more, they sent violators a guide showing every step to make the changes. But if the companies failed to comply, noyb officially notified the relevant authority.

noyb announced this year in March that they had launched a second round, filing 270 draft complaints and extending the response deadline to two months. They also reported that 42% of all violations found last year were remedied within the deadline. But 82% of all companies failed to fully comply with the demand and were reported to the data protection authorities. Although most of the latter confirmed receipt of the complaints, what comes next appears to be a lengthy process. Still, after Google's case, companies may feel encouraged to follow suit.

Just promote people's informed choice

Up until this point, we have talked about cookies as if they were an unwanted thing. Still, websites normally tell you that they use cookies "to provide you with a better user experience." We are not about to discuss whether this is always the case. You probably know that necessary cookies include those that detect errors, store your consent state or help the website know that you are not a bot. Other kinds track your browsing behavior, some of their purposes being user profiling and selling data for further advertising. What's key here is that you know what you are agreeing to and know that you can complain when that's not made clear.

Finally, if you are in charge of engineering how cookies work on your company's website or deciding on the content of the banner, make sure that you comply with standards such as the GDPR and the ePrivacy Directive, especially if you have users in Europe.
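As an added illustration (not code from the original post or from Google), the following shows the banner logic the CNIL's order requires: "Accept all" and "Reject all" are each a single call with the same shape, the consent-state cookie is itself treated as necessary, and no optional cookie is written until consent exists. The cookie jar is an assumed in-memory stand-in for `document.cookie` so the code runs outside a browser.

```javascript
// Added example: a consent gate with symmetric one-step accept/reject paths.
// The jar is a constructed Map (name -> { value, category }) standing in for
// document.cookie; the cookie name below is an assumption, not Google's.
const CONSENT_COOKIE = "cookie_consent";
const CATEGORIES = new Set(["necessary", "analytics", "advertising"]);

function makeJar() {
  return new Map();
}

// "undecided" until the user has clicked one of the two buttons.
function consentState(jar) {
  const c = jar.get(CONSENT_COOKIE);
  return c ? c.value : "undecided";
}

// Write a cookie only if its category is allowed by the recorded consent.
// Necessary cookies (session, consent state, bot check) are always allowed;
// anything else needs an explicit "all". Returns true if written.
function setCookie(jar, name, value, category) {
  if (!CATEGORIES.has(category)) throw new Error(`unknown category: ${category}`);
  const allowed = category === "necessary" || consentState(jar) === "all";
  if (!allowed) return false;
  jar.set(name, { value, category });
  return true;
}

// One click, one call: the accept path.
function acceptAll(jar) {
  jar.set(CONSENT_COOKIE, { value: "all", category: "necessary" });
  return "all";
}

// One click, one call: the reject path, equally short. It also purges any
// optional cookie that was set under an earlier consent.
function rejectAll(jar) {
  jar.set(CONSENT_COOKIE, { value: "necessary", category: "necessary" });
  for (const [name, c] of jar) {
    if (c.category !== "necessary") jar.delete(name);
  }
  return "necessary";
}
```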
