How Google makes a mockery of the CNIL

Google breaches the ePrivacy directive to track you without consent. Penalized, it carries on regardless

Published by Pixel de Tracking on February 21, 2021

Google sanctioned for breach of the Data Protection Act

Last December 7, the CNIL fined Google 100 million euros for breaching French cookie legislation:


On the Google search engine, the CNIL found 3 violations of article 82 of the Data Protection Act (which transposes the ePrivacy directive):

  • Placing cookies without first obtaining the user's consent: several cookies serving an advertising purpose were placed automatically when the user visited google.fr (cookies that are not essential to the service).
  • A failure to inform users of the google.fr search engine: the information banner provided no information about cookies.
  • The partial failure of the “opt-out” mechanism: disabling ad personalization had no effect on one of the advertising cookies.

The search engine, Google's cash cow

While Google offers a multitude of services, its search engine still generates most of its revenue:


In the fourth quarter of 2020, Google Search generated 56% of its revenue. Partner sites, YouTube, Google Play and Google Cloud account for a significant share of revenue, but they are far less profitable.

Search is strategic for Google: it has let the company extend its surveillance capitalism into many areas:

Google versus the CNIL

We therefore have:

  • On the one hand, the law, which is meant to protect users' privacy and is embodied here by a penalty from the CNIL.
  • On the other hand, the exploitation of your personal data on Google's most strategic service, its search engine.

Who will win?

In its decision, the CNIL notes 2 points:

  • Since an update in September 2020, Google has stopped automatically placing advertising cookies as soon as the user arrives on the google.fr page.
  • The new information banner still does not allow users residing in France to understand the purposes for which cookies are used and does not inform them of the fact that they can refuse these cookies.

The CNIL states that Google has 3 months to inform users properly, on pain of a 100,000-euro fine for each day of delay. Now let's look at what happens on a first visit to google.fr.

Google keeps placing advertising cookies automatically

Let's start our investigation on google.fr:

  • Disable your adblocker.
  • Delete your cookies in Chrome (Settings > Advanced settings > Clear browsing data), which logs you out of your Google account.
  • Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC), “Network” tab, or launch Charles Proxy.
  • Then go to google.fr.


As you can see, the information banner now provides information about cookies, but does not let you easily refuse non-essential cookies.

What does the law say? To quote the CNIL, consent is only valid if the person makes a genuine choice. In particular, "the user must be able to accept or refuse the placement and/or reading of cookies with the same degree of ease". That is clearly not the case here.

Does Google really stop placing advertising cookies automatically as soon as the user arrives on the google.fr page, as the CNIL claims? Let's look at the requests via Charles Proxy:


As we can see, Google places the NID cookie as soon as you land on google.fr. What is this cookie for? In Google's own words:

We use cookies, such as "NID" and "SID", to personalize ads on Google sites, such as Google search. For example, we use them to remember your most recent searches, your previous interactions with an advertiser's search results or ads, and your visits to an advertiser's website. This allows us to show you personalized ads on Google.

Google also told the CNIL that the NID cookie served an advertising purpose (cf. the decision, paragraph 99):

The select committee notes that GIL stated in its letter of April 30, 2020 that four of the seven cookies placed, namely the NID, IDE, ANID and 1P_JAR cookies, serve an advertising purpose.

And yet the CNIL points out that Google has stopped this practice (paragraph 102):

It nevertheless points out that, during the enforcement proceedings, the companies made changes to the google.fr page which, since September 10, 2020, ended the automatic placement of these four cookies as soon as the user arrives on the page.

Was the CNIL's audit carried out properly? Either way, Google continues to break the law, cf. the CNIL website:

Consent must be prior to placing and/or reading cookies. As long as the person has not given their consent, cookies cannot be placed or read on their terminal.

Traps along the way in Google's consent flow

The Google information banner tells us:

If you agree, we will personalize the content and ads you see based on your activity on Google services like Search, Maps and YouTube. [...] Click on "More information" to discover the options available to you

If I click on "More information", I am taken to a new information window:


Here Google sets out the personal data processed, the purposes, and the privacy settings. Note, once again, the "I accept" and "Other options" buttons: Google still does not let you refuse non-essential cookies.

At this point, you might get lost in Google's maze and click on "Other options", hoping to "quickly" find the option to refuse advertising tracking. You will see this screen:


Here Google offers several options:

  • Adjust your privacy settings: this is the right option! You have to click on “Adjust your settings now”.
  • Configure cookies in the browser: an option Google does not recommend: "You can block some or all cookies, but this may prevent certain features from working on the web. For example, many websites require cookies to be enabled when you want to log in to them."
  • Install an add-on to opt out of Google Analytics tracking: Google Analytics is unfortunately far from the only tool Google uses to track you on the web (Google tracks you through advertising first and foremost). Needless to say, anyone who cares about their privacy will rather use an adblocker.
  • Log in to your Google account: so that you stop seeing this reminder! As Google puts it: "If you regularly clear cookies from your browser, you will continue to receive this privacy reminder, because we have no way of knowing that you have already seen it". Such is the downside of tracking you by default: with no cookies, Google assumes it has the right to track you!

What happens if you click "Adjust your settings now"? You go back to the previous step! But you weren't paying close enough attention: that step does contain links for changing your settings:


The obstacle course is not over.

16 additional clicks to opt out of tracking

So let's click on "Change search settings":


So let's uncheck "Search history", then click on "Back" and finally on "Change ad settings":


Here you need to uncheck “Ad personalization on Google Search” and “Ad personalization across the web”. With these settings checked by default, Google takes the liberty of tracking you across "more than two million websites that partner with Google for serving ads."

When you uncheck “Ad personalization on Google Search”, you get a little extra surprise:


Are you really sure? Google makes the task a little harder still: your searches say a lot about you...

And when you click "Disable", Google displays a message of rare beauty:


"It may take some time for our systems to apply this change."

Google clearly doesn't expect you to make it through the obstacle course! Same story if you click the “Disable” button for “Ad personalization across the web”:


Here too, you can see it's all rather difficult for Google:


If you want to install further "opt-out" cookies, which only disable ad personalization but still let adtech companies track you, Google redirects you to the advertising industry's website:

You can also opt out of ad personalization for over 100 other online ad networks.

Go back to the information banner once more and this time click on “Change YouTube settings”:


This time you are taken to the YouTube site, where you again have to uncheck “Videos you watch on YouTube” and click on “Clear watch history”:


Then you have to uncheck “Videos you search for on YouTube” and click on “Clear search history”:


And to top off this lovely process, when you return to the information banner you have to click on "I accept" (it remains the only way to get rid of the banner, even though you have just refused everything):


In total, if you take the quickest route, you need 17 clicks!

During the “non-consent” journey, tracking continues

What happens during this “non-consent” journey? If we look at the requests via Charles:


Google keeps feeding its advertising services, including Google Analytics and Doubleclick.

Despite your refusal, you continue to be monitored by Google on the web

After this obstacle course, let's visit Lemonde.fr (loaded with trackers, cf. "Consent: the worst of user experience and surveillance with Lemonde.fr") and filter the requests to Google:


As you can see, Lemonde.fr likes Google.

As luck would have it, Google did not delete the NID cookie. As a result, many requests are sent from Lemonde.fr to Google carrying your identifier stored in the NID cookie (a reminder: this is an advertising cookie). So the following violation still stands:

When a user disabled the personalization of ads on Google search using the mechanism made available to them via the “Consult now” button, one of the advertising cookies remained stored on their computer and kept reading information bound for the server to which it is attached.

The select committee therefore found that the “opposition” mechanism put in place by the companies was partially defective, in violation of article 82 of the Data Protection Act.
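
An added example, not part of the original article: a script that runs the two checks made above by hand (NID placed on arrival at google.fr, and NID still sent in requests triggered from Lemonde.fr after refusal) over a HAR capture exported from the Chrome Network tab or Charles Proxy. It assumes the capture was recorded in a session where no consent was given; the sample capture, its cookie values, the `example_pref` cookie and the request path are constructed.

```python
from urllib.parse import urlsplit

# Cookies Google declared to the CNIL as advertising cookies (decision, paragraph 99).
AD_COOKIES = {"NID", "IDE", "ANID", "1P_JAR"}

def header_values(message, name):
    """All values of one header in a HAR request or response object."""
    return [h["value"] for h in message.get("headers", [])
            if h["name"].lower() == name]

def ad_cookie_names(values, separator):
    """Advertising cookie names found in Cookie / Set-Cookie header values."""
    names = (part.split("=", 1)[0].strip()
             for value in values for part in value.split(separator))
    return [n for n in names if n in AD_COOKIES]

def audit_har(har):
    """Findings (action, cookie, request_host, referring_host) in a no-consent capture."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = urlsplit(req["url"]).hostname
        referer = (header_values(req, "referer") or [""])[0]
        ref_host = urlsplit(referer).hostname
        # Server -> browser: one cookie per Set-Cookie line (exporters may join headers).
        for name in ad_cookie_names(header_values(resp, "set-cookie"), "\n"):
            findings.append(("set", name, host, ref_host))
        # Browser -> server: "name=value; name=value" pairs in the Cookie header.
        for name in ad_cookie_names(header_values(req, "cookie"), ";"):
            findings.append(("sent", name, host, ref_host))
    return findings

def _entry(url, req_headers, resp_headers):
    pack = lambda pairs: [{"name": k, "value": v} for k, v in pairs]
    return {"request": {"url": url, "headers": pack(req_headers)},
            "response": {"headers": pack(resp_headers)}}

# Constructed sample capture (not real traffic); values and paths are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.google.fr/", [],  # first visit, empty cookie jar
           [("Set-Cookie", "NID=constructed-id; domain=.google.fr; HttpOnly"),
            ("Set-Cookie", "example_pref=1; path=/")]),
    _entry("https://www.google.fr/constructed-path",  # triggered by a news page
           [("Referer", "https://www.lemonde.fr/"),
            ("Cookie", "example_pref=1; NID=constructed-id")], []),
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

For a real capture, pass `json.load(open(path))` to `audit_har`. Recent Chrome versions strip Cookie and Set-Cookie headers from the default sanitized HAR export, so use the export that includes sensitive data.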

Will Google offer a real consent mechanism?

The CNIL sanctioned Google for obligations that pre-existed the GDPR (article 82 of the Data Protection Act, transposition of the “ePrivacy” directive).

Yet, on October 1, 2020, the CNIL published its revised guidelines along with a recommendation on the use of cookies and other trackers. The CNIL asked the industry to comply with the rules it had thus clarified, taking the view that this adjustment period should not exceed six months.

Some key points:

Refusing trackers should be as easy as accepting them. The CNIL recommends that the consent collection interface not only include an “accept all” button but also a “refuse all” button.

Users must be able to withdraw their consent easily and at any time.

So we are eagerly awaiting April 1st and Google's compliance, so that we can finally refuse its surveillance in 1 click (rather than 17)... In reality, even the pre-GDPR obligations are flouted:

  • Google contested its 100 million euro fine before the Council of State.
  • As we have seen, Google tracks you via the NID cookie, both before you have consented and after you have refused.
  • Trying to refuse Google's surveillance is an obstacle course.
  • There is good reason to doubt how much of a deterrent the CNIL's penalties really are, assuming it even manages to collect them. 100 million euros, plus 100,000 euros a day (that is, 36 million euros a year), is not all that expensive for Google.

Google is the most striking example of this consent lie, but the French web is infested with sites that trample on your privacy, for example:

It remains to be seen whether the CNIL will impose deterrent penalties from April 1 onward.

Your alternatives to avoid Google surveillance

If we limit ourselves to the Google search engine (the subject of this article), you have other options, such as:

  • DuckDuckGo: an American search engine that does not track you. The interface is clean, the search engine is one of the default choices on Safari, and most of its results are based on Bing.
  • Qwant: the French version, with a less polished interface; most of its results are also based on Bing.
  • Ecosia: the German version; Ecosia donates 80% of its profits to non-profits working on reforestation programs, mostly in the global South. Ecosia is also based mainly on Bing.
  • Startpage: the Dutch version; the interface is clean and the results are Google's. That is why it's my choice (Google's results are often far more relevant than Bing's). Startpage has become controversial since it was bought in 2019 by a company with adtech interests (you can form your own opinion by reading this article).

It is interesting to read why Google provides its search results to Startpage:

Why does Google let Startpage access their search results? Startpage.com has a contract with Google that allows us to use their official "Syndicated Web Search" feed, so we have to pay them to get those results.

Unlike Bing, which supplies its results to many meta-engines (DuckDuckGo, Qwant, Ecosia...), Google is stingy with its search results. Startpage seems to be the only one with access to them — but for how long?