Google, known for its search engine and analytics services, found out in a costly fashion just how the cookie crumbles in Europe regarding privacy compliance. The company received a severe penalty of 150 million euros ($169 million) for making it difficult for internet users to refuse online trackers known as cookies, in violation of Article 82 of the French Data Protection Act. The fines could escalate to 100,000 million euros per day if Google does not comply with CNIL orders.
France is not the only country where Google has received economic sanctions related to violations of data privacy regulations. For example, Spain fined the company for combining data and failing to inform users how it used their data. Germany also fined the search engine giant for “the systematic, illegal collection of personal data while creating the Street View mapping service.”
La Commission Nationale de l’informatique et des Libertés
What is the Commission Nationale de l’informatique et des Libertés, and why does it have jurisdiction over an American company?
The National Commission for Information Technology and Civil Liberties, or CNIL, is an independent administrative body that functions as the data protection agency in France. The agency was created under Act N°78-17 of January 6, 1978, entitled “On Information Technology, Data Files and Civil Liberties.”
Companies must know the legal framework in which they operate. Privacy compliance professionals must familiarize themselves with state, federal, and international agencies overseeing compliance and study their bodies of decisions.
What is a Cookie?
Cookies, morsels of the user’s data stored on their computer, are almost inescapable if you browse the internet. Initially, they were intended to save information about returning users to expedite processes such as loading the web page, storing items in your cart for easier checkout, or logging in to web accounts without entering the username and password every time.
When a user logs in or visits a website, the web server authenticates the information and stores a cookie on the user’s computer. That cookie has a unique identifier that allows the website to recognize them every time they visit it. These are known as first-party cookies and are designed to enhance the user’s experience.
Although cookies were meant to make our lives easier, the ability to “recognize” a particular user ultimately makes them an ideal tracking tool. Companies like Google have based their empire on analyzing our web surfing behaviors to send targeted advertisements and push sales and services.
Why did something so useful become so dreadful?
Legal frameworks worldwide drew on the principle of consent to prevent the use and abuse of personal data. For instance, under Article 4(11), the GDPR defines consent as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
On the other hand, Act N°78-17 of January 6, 1978 (France) defines personal data as “any information relating to an identified or identifiable natural person.” Furthermore, the law enumerates IP addresses, cookies, and RFID tags as examples of online personal identifiers. When a law qualifies an item as personal data, it should immediately sound the alarm to require consent. Privacy professionals play a critical role in identifying the types of data that require permission to collect, so that costly mistakes are avoided.
One aspect that stands out from the French Regulatory Agency’s ruling is that companies should also provide users with a conspicuous web link or an icon to reconsider their initial agreement without effort. Consent is not set in stone, and it shouldn’t be difficult for users to revoke it.
Compliance Is Not a One Size Fits All Approach
The judgment against Google is a cautionary tale for any company doing business in Europe: it is not enough to comply with the regulatory framework of the country where you are established; you must also be aware of the different or additional requirements when doing business abroad.
Relying upon compliance structures tailored for the United States market, where there is no general privacy law regulating cookies, will set your company up for failure and fines. Additional compliance requirements may apply at the state level. Privacy professionals must be thorough and study state laws to see if cookies are regulated. The California Consumer Privacy Act, for instance, considers data collected by cookies to be personal data.
The transnational characteristic of internet business pushes geographical and legal boundaries, and cookie-cutter policies will not suffice.
How a Master of Legal Studies Can Benefit Your Career
A Master of Legal Studies in Cybersecurity and Privacy Compliance has the right ingredients to form privacy professionals, conscious of the many layers of privacy regulations in the United States and abroad.
The Master of Legal Studies in Cybersecurity and Privacy Compliance at CSU College of Law prepares students to analyze privacy compliance from different flanks.
The Corporate Compliance courses give Privacy Professionals an overview of the importance of adhering to regulatory frameworks and the consequences of failing to do so.
The Privacy Management Course will then go into the granularity of the critical federal, state, and international privacy laws. A thorough study of these laws will produce the most competent privacy compliance professionals.
Legal Writing is a foundational course that will furnish students with critical skills—for example, knowing which law regulates your industry and where to find the latest developments. Privacy is a fast-developing field and knowing where to search for the most up-to-date regulation is the difference between compliance and a penalty.
December 19, 2022