Consent and Cookies in EU Data Privacy Law: One Click is Enough

Dr Asress Adimi Gikay (PhD, SJD, LLM), Lecturer in AI, Disruptive Innovation, Law Brunel Law School (Brunel University London); Twitter: @DrAsressGikay

Consent and Data Protection in the European Union

The foundation of data protection law in the European Union is the treatment of data privacy as a fundamental right, a principle reinforced by the General Data Protection Regulation (GDPR). Handling personal data therefore requires strict adherence to legal standards. Under the GDPR, consent to data processing must be freely given, specific, informed and unambiguous, and it must be expressed through a clear affirmative act by the individual. Over time, however, companies have employed various strategies to sidestep this requirement for explicit consent.

In December 2021, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), fined Facebook (€60 million) and Google (€150 million) for cookie practices that violated these consent requirements. If Facebook and Google fail to bring their practices into compliance within three months of the decisions, they face a penalty of €100,000 per day of delay. Because the decisions were made under the ePrivacy Directive rather than the GDPR, they are not subject to the GDPR’s one-stop-shop mechanism. The French rulings therefore bind only these companies’ operations in France; they may influence cookie practices elsewhere in France, but they do not automatically extend to the rest of the EU or to the UK. The problem itself is widespread, as many websites across the EU and UK continue to set cookies without obtaining valid consent.

First Rule of Cookies: Consent has Always Been Tricky

While data protection laws aim to give individuals control over their personal data through consent, researchers argue that various obstacles undermine that control. The complexity of privacy policies, intricate data collection systems, and individuals’ limited capacity to process such large amounts of information all hinder meaningful control. In many instances, consent forms and privacy policies resemble adhesion contracts in which the individual has no bargaining power. This persists even though the GDPR provides that consent should not be made a condition of access to goods and services, nor imposed on individuals. Furthermore, even if privacy agreements were negotiable, individuals often lack the time and resources to examine them thoroughly, given information overload and technical jargon.

A 2020 Eurobarometer survey across EU member states found that 37% of participants didn’t read online privacy policies, 47% read them partially, and only 13% read them fully. Reasons for not reading included policies being too long (66%) or unclear and difficult to comprehend (31%). Some felt it was sufficient to know the entity had a policy (17%), some believed existing laws offered protection (15%), while others doubted websites would honor their policies (10%). The survey underscores that only a small fraction of internet users scrutinize privacy policies, leaving the majority inadequately protected by the consent requirement, even without the added complexity of cookie technology.

Second Rule of Cookies: No Preselected Tick Boxes

As traditional data collection practices, in which individuals knowingly provide data and consent to its processing, face tighter regulation, companies have shifted towards a more effective method: cookies. Cookies are small text files that websites store on users’ devices during browsing in order to recognise the device and gather information about browsing habits. Cookies have various legitimate uses, including keeping a website functional, but they are notably used to analyse browsing behaviour for delivering personalised advertising (marketing cookies). Given their capacity to collect personal data, cookie usage must comply with data protection law, namely the ePrivacy Directive and the GDPR.

While the ePrivacy Directive primarily governs cookies, the consent requirements under that Directive are informed by the GDPR. Despite these legal frameworks, companies have employed questionable techniques to place cookies on the devices of countless users. Until the 2019 judgment of the Court of Justice of the European Union (CJEU) in the Planet49 case, most web-based data controllers used preselected tick boxes, so that individuals unknowingly accepted cookies from the visited website and potentially from third-party sites. The judgment clarified that websites can no longer rely on pre-ticked boxes for cookie-based tracking: users must actively opt in. It replaced a model in which individuals had to consciously untick boxes to opt out of tracking for marketing with one in which they must tick a box to opt in. Pre-ticked boxes directly contradict the GDPR’s requirement of an active expression of consent. The CJEU’s judgment has not completely solved the problem, however, as many websites simply adapted their tactics.

Third Rule of Cookies: Two Clicks are Too Many

In December 2021, the CNIL sanctioned Facebook and Google for improper cookie usage. The decision against Facebook France highlighted the company’s practice of making refusal of cookies more cumbersome than acceptance. Users visiting Facebook France encountered a pop-up window (“Accept Facebook cookies in this browser”) with two buttons: “Manage Data Settings” and “Accept Cookies.” Choosing “Accept Cookies” immediately stored cookies on their devices. Refusal, however, required clicking “Manage Data Settings” to reach a second window, where users faced another pair of buttons, “Accept Cookies” and “Reject Cookies.” The CNIL accepted that the second window offered a way to manage cookie preferences, but held that requiring users to reach that second step in order to refuse, while acceptance was a single click away, did not produce valid consent. In short, the decision establishes that refusing cookies must be as straightforward as accepting them.

The CNIL reached a similar verdict on Google’s cookie practices. In response, Facebook presented a screenshot of a planned update to its cookie consent flow for Europe, including France, to be rolled out in January 2022. The update relabelled the two buttons as “Other options” and “Allow all cookies”, but left the structure unchanged. The CNIL’s restricted committee found these modifications inadequate to ensure valid cookie consent.

Facebook’s argument that the GDPR does not require accepting and rejecting cookies to be equally easy was dismissed. The CNIL clarified that the GDPR requires consent to be freely given, and that making acceptance easier than refusal nudges individuals towards consent rather than leaving them a genuine choice. This is consistent with a 2020 study, cited in the CNIL decision, which found that 93.1% of users presented with a secondary option to manage cookie settings accepted cookies without investigating further. Companies thus capitalise on fatigue from constant consent requests, which leads individuals to accept cookies without exploring the alternatives.
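The second and third rules above translate directly into two implementation checks: nothing non-essential is stored before an active choice, and refusal must be reachable in as few clicks as acceptance. The following is an added example written for this page, not code from the original article or from any of the companies it discusses. It models a consent state and gates cookie writes on it, then audits a banner modelled as a small graph of screens and buttons by computing the minimum number of clicks to each outcome. The category names, action names and the two banner definitions are constructed assumptions; the first banner only approximates the two-window flow described in the CNIL decision.

```javascript
// Added example, not code from the original article: a minimal cookie-consent
// gate plus an audit of a consent banner's click paths, runnable under Node.js
// with no DOM. The banner definitions are constructed for illustration and only
// approximate the two-window flow described in the CNIL decision.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Second rule: nothing is pre-ticked. Before an active choice, only strictly
// necessary cookies are allowed.
function initialConsent() {
  return { decided: false, necessary: true, analytics: false, marketing: false };
}

// Third rule: accepting and refusing are each a single action.
function applyAction(state, action) {
  if (action !== "accept_all" && action !== "reject_all") {
    throw new Error(`unknown consent action: ${action}`);
  }
  const next = { ...state, decided: true };
  for (const c of CATEGORIES) next[c] = c === "necessary" || action === "accept_all";
  return next;
}

// Route every cookie write through this gate: undecided visitors get only
// strictly necessary cookies; other categories wait for an explicit opt-in.
function mayStoreCookie(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return category === "necessary" || (state.decided && state[category] === true);
}

// A banner is a set of screens holding controls. A control ends in an outcome
// ("accept"/"reject"), opens another screen, or is a toggle. Breadth-first
// search gives the minimum number of clicks needed to reach each outcome.
function clicksToOutcomes(banner) {
  const best = {};
  const queue = [[banner.start, 0]];
  const seen = new Set([banner.start]);
  while (queue.length > 0) {
    const [screen, depth] = queue.shift();
    for (const control of banner.screens[screen]) {
      if (control.outcome !== undefined) {
        if (best[control.outcome] === undefined) best[control.outcome] = depth + 1;
      } else if (control.opens && !seen.has(control.opens)) {
        seen.add(control.opens);
        queue.push([control.opens, depth + 1]);
      }
    }
  }
  return best;
}

// Flags the two patterns discussed above: refusal costlier than acceptance
// (or missing entirely), and pre-ticked toggles.
function auditBanner(banner) {
  const findings = [];
  const clicks = clicksToOutcomes(banner);
  if (clicks.reject === undefined) {
    findings.push("no path refuses non-essential cookies");
  } else if (clicks.reject > clicks.accept) {
    findings.push(`refusal takes ${clicks.reject} clicks, acceptance ${clicks.accept}`);
  }
  for (const [name, controls] of Object.entries(banner.screens)) {
    for (const c of controls) {
      if (c.toggle && c.preTicked) findings.push(`screen "${name}": "${c.label}" is pre-ticked`);
    }
  }
  return findings;
}

// Constructed approximation of the sanctioned flow: one click to accept,
// two to refuse.
const twoClickRefusalBanner = {
  start: "first",
  screens: {
    first: [{ label: "Accept Cookies", outcome: "accept" },
            { label: "Manage Data Settings", opens: "second" }],
    second: [{ label: "Accept Cookies", outcome: "accept" },
             { label: "Reject Cookies", outcome: "reject" }],
  },
};

// Constructed banner where refusing is as easy as accepting and no toggle
// is pre-ticked.
const symmetricBanner = {
  start: "first",
  screens: {
    first: [{ label: "Accept all", outcome: "accept" },
            { label: "Reject all", outcome: "reject" },
            { label: "Customise", opens: "second" }],
    second: [{ label: "Analytics", toggle: "analytics", preTicked: false },
             { label: "Marketing", toggle: "marketing", preTicked: false },
             { label: "Save choices", outcome: "save" }],
  },
};

console.log("two-click banner:", auditBanner(twoClickRefusalBanner));
console.log("symmetric banner:", auditBanner(symmetricBanner));
```

Running the script reports a single finding for the first banner (refusal takes two clicks, acceptance one) and none for the second. The point of `mayStoreCookie` is that it is the only path by which application code decides whether to set a cookie, so a marketing or analytics cookie cannot be written before `decided` is true; the point of `clicksToOutcomes` is that the comparison the CNIL made is a measurable property of the banner, not a matter of wording on the buttons.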

What Happens in the Other EU Member States and the UK?

Because the CNIL’s decisions were taken under the ePrivacy Directive, they do not fall under the GDPR’s one-stop-shop mechanism and are legally binding only on Facebook and Google in France. Unless similar measures are adopted across the other EU member states and the UK, it is unlikely that these companies will change their cookie practices globally. Many other companies continue to run questionable cookie banners in which refusal takes two clicks while acceptance remains a single click away.

This practice is prevalent among social media giants such as Twitter and Instagram, news outlets such as the New York Times and The Washington Post, traditional businesses such as Barclays UK, and even public institutions, including universities. On the French DPA’s interpretation, all of these cookie practices fail to comply with the GDPR and the ePrivacy Directive. It is likely only a matter of time before other data protection authorities follow the CNIL’s lead.

Photo credit: Eran Sandler, via wikimedia commons

Licensed under CC BY-NC-SA 4.0