In February, we talked about the case of Google Analytics being illegal in France and Austria. Both the CNIL (Commission Nationale de l'Informatique et des Libertés) and the DSB (Datenschutzbehörde), the data protection agencies in those countries, found that the web service was sending IP addresses and other identifiers from users in Europe to the U.S., thus breaching the GDPR (General Data Protection Regulation).
Something we did not mention at that time was that in January the CNIL fined Google and Facebook because they were making it far too cumbersome for users to reject cookies. (Cookies are small character strings that a website asks the browser to store and send back on subsequent visits or requests.) Google and Facebook's fines were €150 million ($170 million) and €60 million ($68 million) respectively. Last week, Google introduced a button in its cookie banner that lets users in France reject all cookies without any further screens, as easily as they can accept all cookies. Let's look at the details.
CNIL to defend the freedom of consent
What happened is that these companies' cookie banners were violating EU data privacy laws. The problem is one we users are all too familiar with: there is a button that says "Accept all," or some variation of that, but no option that makes it equally easy to reject cookies. Instead, the user has to go through a lengthy configuration process. And sometimes, as in the case of Facebook, users are presented with a button ambiguously labeled "Accept cookies" after going through the whole process of configuring each cookie individually, even disabling all of them.
In its article announcing the fines, the CNIL backed its argument by appealing to a psychological phenomenon. Namely, because users are interested in quickly consulting a website, the asymmetry of steps required for accepting and rejecting cookies influences their choice in favor of consent. This simple strategy was found to infringe Article 82 of the French Data Protection Act.
The companies not only had to pay the fines, but they were also ordered by the CNIL to provide Internet users located in France with an option to reject all cookies that is as simple as the one to accept them all. Cue Google's new cookie consent option.
Reject all cookies upon the first click
The introduction of the "Reject all" button was announced last week in a blog post by Google's product manager Sammit Adhya. This button is presented next to the "Accept all" option and is designed to be equally weighted visually. This design choice is not a minor detail, as the companies are required to eliminate any variable that could make one option more salient than the other.
Both Google Search and YouTube now show the button to users in France while signed out or in Incognito Mode. According to Adhya, this option will soon be available to users across the rest of the European Economic Area, as well as those in the U.K. and Switzerland. Of course, users in France who are signed in can adjust their preferences from their Google account's data and privacy options.
noyb to end the "cookie banner terror"
The use of unlawful cookie banners has, of course, caught the attention of the European Center for Digital Rights, known for short as noyb (the acronym stands for "none of your business"). In a news article they posted almost one year ago, they explained that they had developed software that detects banners which make it more difficult to reject than to accept cookies and generates GDPR complaints.
Back then, noyb said they had sent complaint drafts to 560 websites from 33 countries. These drafts were more of a warning, giving companies one month to change their banner and software settings. What's more, they sent violators a guide showing every step to make the changes. But if the companies failed to comply, noyb officially notified the relevant authority.
noyb announced this year in March that they had launched a second round, filing 270 draft complaints and extending the response deadline to two months. They also reported that 42% of all violations found last year were remedied within the deadline. But 82% of all companies failed to fully comply with the demand and were reported to the data protection authorities. Although most of the latter confirmed receipt of the complaints, what comes next appears to be a lengthy process. Still, after Google's case, companies may feel encouraged to follow suit.
Just promote people's informed choice
Finally, if you are in charge of engineering how cookies work on your company's website or deciding on the content of the banner, make sure that you comply with standards such as the GDPR and the ePrivacy directive, especially if you have users in Europe.
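One way to check your own banner for the asymmetry described above, before a regulator or noyb does: model each screen of the consent flow and count the clicks needed to reach "accept all" versus "reject all". This is an added example, not code from the original post or from noyb's tool; the two banner flows are constructed for illustration.

```javascript
// A flow is a start screen plus a map of screens; each screen maps a button
// label to either another screen name or a terminal "outcome:accept" /
// "outcome:reject". Both flows below are constructed for this example.
const asymmetricBanner = {
  start: "banner",
  screens: {
    banner: { "Accept all": "outcome:accept", "Manage options": "settings" },
    settings: { "Disable advertising cookies": "step2" },
    step2: { "Disable analytics cookies": "step3" },
    // Ambiguous label: the button that actually rejects is called "Accept".
    step3: { "Accept cookies": "outcome:reject" },
  },
};

const compliantBanner = {
  start: "banner",
  screens: {
    banner: {
      "Accept all": "outcome:accept",
      "Reject all": "outcome:reject",
      "More options": "settings",
    },
    settings: { "Save choices": "outcome:reject" },
  },
};

// Breadth-first search: the minimum number of clicks from the start screen
// to the given outcome, or Infinity if the outcome is unreachable.
function minClicksTo(flow, outcome) {
  const queue = [[flow.start, 0]];
  const seen = new Set([flow.start]);
  while (queue.length) {
    const [screen, clicks] = queue.shift();
    for (const target of Object.values(flow.screens[screen])) {
      if (target === `outcome:${outcome}`) return clicks + 1;
      if (target.startsWith("outcome:") || seen.has(target)) continue;
      seen.add(target);
      queue.push([target, clicks + 1]);
    }
  }
  return Infinity;
}

// Report both click counts and whether reject is as easy as accept.
function checkBanner(flow) {
  const accept = minClicksTo(flow, "accept");
  const reject = minClicksTo(flow, "reject");
  return { accept, reject, symmetric: accept === reject };
}

// Labels that read like consent but actually lead to the reject outcome.
function ambiguousLabels(flow) {
  return Object.values(flow.screens).flatMap((buttons) =>
    Object.entries(buttons)
      .filter(([label, t]) => /^accept/i.test(label) && t === "outcome:reject")
      .map(([label]) => label));
}
```

A result of `{ accept: 1, reject: 4, symmetric: false }` is the pattern the CNIL sanctioned; the label check catches the second issue the page describes, a reject path ending on a button named "Accept".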