Google, known for its search engine and analytics services, found out in a costly fashion just how the cookie crumbles in Europe regarding privacy compliance. The company received a severe penalty of 150 million euros ($169 million) for making it difficult for internet users to refuse online trackers known as cookies in violation of article 82 of the French Data Protection Act. The fines could escalate to 100,000 million euros per day if Google does not comply with CNIL orders.
France is not the only country where Google has received economic sanctions related to violations of data privacy regulations. For example, Spain fined the company for combining data and failing to inform users public how they used their data. Germany also fined the search engine giant “the systematic, illegal collection of personal data while creating the Street View mapping service.”
L’Commission Nationale de l’informatique et des Libertés
What is the Commission Nationale de l’informatique et des Libertés, and why does it have jurisdiction over an American company?
The National Commission for Information Technology and Civil Liberties, or CNIL, is an independent administrative body that functions as the data protection agency in France. The agency was created under Act N°78-17 of January 6, 1978, entitled “On Information Technology, Data Files and Civil Liberties.”
The agency published its sanction to Google on January 6, 2022, stating their jurisdiction for investigating and sanctioning the company. CNIL claims that they are materially competent because they are lawfully authorized to verify and approve operations related to cookies deposited by Google in French users’ computer terminals. They also base their jurisdiction to intervene on a territorial competency, i.e., Google’s “use of cookies is carried out within the framework of the activities of the company Facebook France, which constitutes the “establishment” of the Facebook group on French territory.”
Companies must know the legal framework in which they operate. Privacy compliance professionals must familiarize themselves with state, federal, and international agencies overseeing compliance and study their bodies of decisions.
What is a Cookie?
Cookies, morsels of the user’s data stored in their computer, are almost inescapable if you browse the internet. Initially, they were intended to save information of returning users to expedite processes such as uploading the web page, storing items in your cart for easier checkout, or login into web accounts without inputting the username and password every time.
When a user logs in or visits a website, the webserver authenticates the information and stores a cookie in the user’s computer. That cookie has a unique identifier that allows the website to recognize them every time they visit it. These are known as first-party cookies and are designed to enhance the user’s experience.
Although cookies attempted to make our lives easier, the ability to “recognize” a particular user ultimately makes it an ideal tracking tool. Companies like Google have based their empire on analyzing our web surfing behaviors to send target advertisements and push sales and services.
Why did something so useful become so dreadful?
One could argue that the interaction between users and web servers hosts described above is what the internet is all about, much like saying that you are implicitly consenting to the use of cookies when you call a web page to your screen. But, that is not how things work from a privacy compliance standpoint in Europe. GDPR and country laws emanating from it require controllers and data processors to respect users’ consent to collect data.
Consent
Legal frameworks worldwide drew on the principle of consent to prevent the use and abuse of personal data. For instance, Under Article 4 (11), GDPR defines consent as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
On the other hand, act N°78-17 of January 6, 1978 (France) defines personal data as “any information relating to an identified or identifiable natural person.” Furthermore, the law enumerates IP addresses, cookies, and RFID tags as examples of online personal identifiers. When a law qualifies an item as personal data, it should immediately sound the alarm to require consent. Privacy professionals play a critical role in identifying the data type that will need permission to collect to avoid costly mistakes.
According to CNIL’s investigation, Google’s practices regarding the use of cookies were less than transparent and not as user-friendly as the regulation aspires. One of the findings regarding the issue was that “while they (Google) offer a button allowing immediate acceptance of cookies, the sites do not implement an equivalent solution (button or other) enabling the user to refuse the deposit of cookies equally easily. Several clicks are required to refuse all cookies, against a single one to accept them.” The Commission ruled that the users will accept the cookies by default by having a complex refusal process. Consent is thus vitiated.
One aspect that stands out from the French Regulatory Agency’s ruling is that companies should also provide users with a conspicuous web link or an icon to reconsider their initial agreement without effort. Consent is not set in stone, and it shouldn’t be difficult for users to revoke it.
Compliance Is Not a One Size Fits All Approach
The judgment against Google is a cautionary tale to any company doing business in Europe that is not enough to comply with the regulatory framework in the country you are established but to be aware of the different or additional requirements when doing business abroad.
Relying upon compliance structures tailored for the United States market, where there is no general privacy law regulating cookies, will set your company for failure and fines. Additional compliance requirements may apply at the state level. Privacy professionals must be thorough and study state laws to see if cookies are regulated. The California Consumer Privacy Act, for instance, considers data collected by cookies to be personal data.
Contrary to its counterpart, GDPR, and the French Law, CCPA does not require opt-in consent from users. It merely requires to notify users of their cookie policy. That policy in itself must fulfill the requirement of transparency. Companies must disclose the use of cookies, the purpose for collecting the data, and also if there are any third parties collecting data as well.
In Europe, under GDPR and other local privacy laws, a privacy policy notice is not enough. According to The refusing cookies should be as easy as accepting them. They broke the French Privacy Law by not providing a similar mechanism for users to refuse the cookies.
The transnational characteristic of internet business pushes geographical and legal boundaries, and cookie-cutter policies will not suffice.
How a Master of Legal Studies Can Benefit Your Career
A Master of Legal Studies in Cybersecurity and Privacy Compliance has the right ingredients to form privacy professionals, conscious of the many layers of privacy regulations in the United States and abroad.
The Master of Legal Studies in Cybersecurity and Privacy Compliance at CSU College of Law prepares students to analyze privacy compliance from different flanks.
The Corporate Compliance courses give Privacy Professionals an overview of the importance of adhering to regulatory frameworks and the consequences of failing to do so.
The Privacy Management Course will then go into the granularity of the critical federal, state, and international privacy laws. A thorough study of these laws will produce the most competent privacy compliance professionals.
Legal Writing is a foundational course that will furnish students with critical skills—for example, knowing which law regulates your industry and where to find the latest developments. Privacy is a fast-developing field and knowing where to search for the most up-to-date regulation is the difference between compliance and a penalty.
Furthermore, a straightforward cookie policy is the best line of defense against consent arguments. The Legal Writing Course will prepare students to write cohesive and simple privacy policies that web users can understand.