The French privacy watchdog, the Commission Nationale de l'Informatique et des Libertés (CNIL), has hit Google with a 150 million euro fine and Facebook with a 60 million euro fine because their websites (google.fr, youtube.com, and facebook.com) don't make refusing cookies as easy as accepting them.
The CNIL carried out an online investigation after receiving complaints from users about the way cookies were handled on these sites. It found that while the sites offered buttons for allowing immediate acceptance of cookies, the sites didn't implement an equivalent solution to let users refuse them. Several clicks were required to refuse all cookies, against a single one to accept them.
For example, YouTube's choice between "I agree" and "Customize" rather than "I agree" and "I don't agree" is a dark pattern, a design that subtly and deliberately nudges you in the direction of a choice that benefits the designer. Dark patterns are everywhere on the web, and they're a problem.
This explains why the French watchdog objects to the skewed balance between accepting and rejecting cookies on these sites: the path to privacy is long and difficult.
How does this affect me?
If you have a website, you need to be sure that it complies with relevant laws.
The above ruling was made in terms of GDPR, which is the EU privacy law.
In South Africa, the equivalent law is the POPI Act, which requires all sites to:
- declare their cookie and privacy policies
- provide a way for user information to be "forgotten" if requested by the user.
To avoid issues, make sure that you have complied with all relevant laws for the countries you operate in (not just where your website is hosted).
We can help get you compliant.