EU ePrivacy Law

France is being very aggressive over enforcing the silly EU cookie law that nags and trains internet users to blindly click on website popups.

By announcing fines of euro 150 million for Google and euro 60 million for Facebook, the French privacy watchdog CNIL went much further than other EU data protection censors have gone to rein in the trackers, which allow advertisers to target people with tailored ads as they move around the internet.

Under the e-Privacy Directive, the CNIL is free to take direct action against companies that otherwise would be overseen by the Irish Data Protection Commission, because the GDPR gives prime enforcement power to the country where the company is legally established. Many tech companies have their EU bases in Dublin.

The French data protection censor has so far zoned in on two key violations: failing to allow users to refuse cookies as easily as it is to accept them, and automatically placing cookies on people's devices before they even have a chance to accept or refuse them. These are widespread violations across the web, but so far only the CNIL seems serious about tackling them.

France's data protection censor, the Commission Nationale de l'Informatique et des Libertés or CNIL, has fined Google and Amazon a total of 135 million euro between them for violating the country's data protection laws. Google was fined a total of 100 million euro, while Amazon was fined 35 million euro.

The companies were fined for the lack of user consent for cookies placed of their French websites. Although both have since updated their websites to require a user's consent before placing cookies, CNIL criticized their cookie information banners for not providing enough information, or for making it clear enough that visitors can turn down these cookies. The regulator gave both a deadline of three months to fix the outstanding issues.

A spokesperson from Amazon said the company disagreed with CNIL's decision. Google said it stands by its efforts to provide information about tracking and control to users.

Google is to restrict web pages from loading 3rd party profiling cookies when accessed via its Chrome browser. Many large websites, eg major newspapers make a call to hundreds of 3rd part profilers to allow them to build up a profile of people's browsing history, which then facilitates personalised advertising.

Now Google has said that it will block these third-party cookies within the next two years.

Tracking cookies are very much in the sights of the EU who are trying to put an end to the exploitative practise. However the EU is not willing to actually ban such practises, but instead has invented a silly game about websites obtaining consent for tracking cookies.

The issue is of course that a lot of 'free' access websites are funded by advertising and rely on the revenue from the targeted advertising. I have read estimates that if websites were to drop personalised ads, and fall back on contextual advertising (eg advertising cars on motoring pages), then they would lose about a third of their income. Surely a fall that magnitude would lead to many bankrupt or unviable websites.

Now the final position of the EU's cookie consent game is that a website would have to present two easy options before allowing access to a website:

• Do you want to allow tracking cookies to build up a database of your browsing history
• Do you NOT want to allow tracking cookies to build up a database of your browsing history

The simple outcome will be that virtually no one will opt for tracking, so the website will lose a third of its income. So it is rather unsurprising that websites would rather avoid offering such an easy option that would deprive them of so much of their income.

In reality the notion of consent it not practical. It would be more honest to think of the use of tracking cookies as a price for 'free' access to a website.

Perhaps when the dust has settled, a more honest and practical endgame would bea  choice more like:

• Do you want to allow tracking cookies to build up a database of your browsing history in return for 'free' access
• Do you want to pay a fee to enable access to the website without tracking cookies
• Sorry you may not access this website

The EU has been complaining about companies trying to avoid the revenue destroying official consent options. A study just published observes that nearly all cookie consent pop-ups are flouting EU privacy laws.

Researchers at the Massachusetts Institute of Technology, University College London (UCL) and Aarhus University have conducted a joint study into the use of cookies. They analysed five companies which offer consent management platforms (CMP) for cookies used by the UK's top 10,000 websites.

Despite EU privacy laws stating that consent for cookies must be informed, specific and freely given, the research suggests that only 12% of the sites met the minimal requirements of GDPR (General Data Protection Regulation) law. Instead they were found to blanket data consent options in complicated site design, such as:

• pre-ticked boxes burying decline buttons on later pages multiple clicks tracking users before consent and after pressing reject
• Just over half the sites studied did not have rejecting all tracking as an option.
• Of the sites which did, only 13% made it accessible through the same or fewer clicks as the option to accept all.

The researchers estimate it would take, on average, more than half an hour to read through what the third-party companies are doing with your data, and even longer to read all their privacy policies. It's a joke and there's no actual way you could do this realistically, said Dr Veale.

White Rabbit: The EU Council is now in session. Dormouse: Anyone for a magic cookie. If you accept it you will be devoured by evil giants, if you decline, your community will be visited by pestilence and famine. Alice: That is an impossible choice. Mad Hatter: Only if you believe it is. Everyone wants some magical solution for their problem and everyone refuses to believe in magic. Alice: Sometimes I've believed in as many as 6 impossible things before breakfast. Mad Hatter: And we've legislated them into EU law by lunch

European lawmakers (including judges) seem to live in an Alice in Wonderland world where laws are made up on the spur of the moment by either the Mad Hatter, or the Dormouse. No thought is given to how they are supposed to work in practice or how they will pan out in reality.

For some reason EU lawmakers decided that the technology of internet cookies personified all that was bad about the internet, particularly that it is largely offered for 'free' whilst in reality being funded by the invasive extraction and exploitation of people's personal data.

Justifiably there is something to be legislated against here. But why not follow the time honoured, and effective, route of directing laws against the large companies doing the exploiting. It would have been straightforward to legislate that internet companies must not retain user data that defines their behaviour and personal information. The authorities could back this up by putting people in prison, or wiping out companies that don't comply with the law. 

But no, the EU came up with some bizarre nonsensical requirement that does little but train people to tick consent boxes without ever reading what they are consenting to. How can they call this data protection? It's data endangerment.

And unsurprisingly the first wave of implementation by internet companies was to try and make the gaining of consent for tracking cookies a one sided question, with a default answer of yes and no mechanism to say no.

Well it didn't take long to see through this silly slice of chicanery, but that doesn't matter...it takes ages for the EU legal system to gear up and put a stop to such a ploy.

So several years on, the European Court of Justice has now ruled that companies should give real options and should not lead people down the garden path towards the option required by the companies.

In an excellent summary of this weeks court judgement, the main court findings are:

• pre-ticked boxes do not amount to valid consent,

• expiration date of cookies and third party sharing should be disclosed to users when obtaining consent,

• different purposes should not be bundled under the same consent ask,

• in order for consent to be valid 'an active behaviour with a clear view' (which I  read as 'intention') of consenting should be obtained (so claiming in notices that consent is obtained by having users continuing to use the website very likely does not meet this threshold) and,

• these rules apply to cookies regardless of whether the data accessed is personal or not.

pdpecho.com commented on what the court carefully decided was the elephant in the room, that would be better not mentioned. ie what will happen next.

The latest court judgement really says that websites should present the cookie consent question something like this.

Website cookie consent
☐ YES	I consent to this website building a detailed profile of my browsing history, personal information & preferences, financial standing and political leaning, to be used to monetise this website in whatever way this website sees fit.
☑ NO	No I  do not consent

Now it does not need an AI system the size of a planet to guess which way internet users will then vote given a clearly specified choice.

There is already a bit of discussion around the EU tea party table worrying about the very obvious outcome that websites will smply block out users who refuse to sign up for tracking cookies. The EU refers to this as a cookie wall, and there are rumblings that this approach will be banned by law.

This would lead to an Alice in Wonderland type of tea shop where customers have the right to decline consent to be charged the price of a chocolate chip cookie, and so can enjoy it for free.

Perfect in Wonderland, but in the real world, European internet businesses would soon be following in the footsteps of declining European high street businesses.

The so called cookie law, a moniker for the proposed new EU ePrivacy regulation due to come into play before the year is out, is expected to severely impact the use of cookies online and across digital marketing. As such, it could pose an even bigger test to businesses than GDPR . It's a regulation that will create a likely deficit in the customer information they collect even post-GDPR.

Current cookie banner notifications, where websites inform users of cookie collection, will make way for cookie request pop-ups that deny cookie collection until a user has opted in or out of different types of cookie collection. Such a pop-up is expected to cause a drop in web traffic as high as 40 per cent. The good news is that it will only appear should the user not have already set their cookie preferences at browser level.

The outcome for businesses whose marketing and advertising lies predominantly online is the inevitable reduction in their ability to track, re-target and optimise experiences for their visitors.

...

For any business with a website and dependent on cookies, the new regulations put them at severe risk of losing this vital source of consumer data . As a result, businesses must find a practical, effective and legal alternative to alleviate the burden on the shoulders of all teams involved and to offset any drastic shortfall in this crucial data.

....

Putting the power in the hands of consumers when it comes to setting browser-level cookie permissions will limit a business's ability to extensively track the actions users take on company websites and progress targeted cookie-based advertising. Millions of internet users will have the option to withdraw their dataset from the view of businesses, one of the biggest threats ePrivacy poses.

...Read the full article from smallbusiness.co.uk