3 years to prepare
In application of the ePrivacy directive, Internet users must be informed and give their consent prior to depositing and reading "non-essential" tracers. Since the entry into force of GDPR Already 3 years ago, the requirements regarding the validity of consent were strengthened.
On October 1, 2020, the CNIL published amending guidelines and its recommendation on cookies and other tracers. She also granted 6 months to publishers to comply with the rules.
As we could see on this blog, the old guidelines, although lax, were already not respected. Here are some articles to illustrate impunity:
- "Collecting consent on the internet: a widespread lie".
- "Le Figaro, emblem of invasive advertising tracking on French media sites".
- "The big sale of your personal data on Le Bon Coin".
What about the new guidelines?
The CNIL recommends a “Dark pattern” to “optimize” the consent rate
By reading the CNIL recommendation, we discover a first design proposal for the consent interface:
Page 9, Figure 4: a clear interface, easy choice for the user.
As well as general considerations on the interface (I put the key passages in bold):
- "The data controller must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity."
- "Therefore, the Commission strongly recommends that the mechanism allowing you to express a refusal to consent to reading and/or writing operations be accessible on the same screen and with the same ease as the mechanism for expressing consent."
- "For example, at the first level of information stage, users may have the choice between two buttons presented at the same level and in the same format, on which are written respectively “accept all” and “refuse all”, “authorize” and “prohibit”, or “consent” and “not consent”, or any other equivalent and sufficiently clear wording."
When we continue reading the document, we see a second design proposal:
Page 10, Figure 5: CNIL recommendation! The “Continue without accepting” can easily be missed.
Just below this misleading design, the CNIL contradicts itself:
- "In order not to mislead users, the Commission recommends that data controllers ensure that interfaces for collecting choices do not include potentially misleading design practices leading users to believe that their consent is mandatory or which visually highlight one choice more than another."
- "It is recommended to use buttons and font of the same size, offering the same ease of reading, and highlighted in the same way."
This “Dark pattern” was quickly “evangelized” among publishers :
Advice from Converteo (data and technology consulting agency) to publishers: follow the “room for maneuver” proposed by the CNIL!
April 1, 2021 is the big day, sites and applications must finally be in compliance as the CNIL reminds us :
She spared no effort in education, as recalled on its site :
- Eighteen webinars for professionals in the private and public sector.
- Numerous practical tips and tools available on the CNIL website.
- An awareness campaign for public and private organizations.
For what results? This is what we are going to look at via a few Twitter threads (click on the links to view the many examples).
The consent interface, a calamity
Most publishers have understood how to “optimize consent rates”, with the help of the CNIL :
The CNIL “Dark pattern”, standard interface on media sites.
Are you asking for more? Here is the CNIL’s “Dark pattern” in App version :
Watch out for big fingers!
Another option, quite widely adopted, is to make fun of the regulations :
Facebook doesn't care about the law, but it's not alone.
5 steps to refuse surveillance, but obviously it doesn't work.
A bet on the fact that the CNIL does not audit Apps?
If you refuse to give your consent, some sites decide to ruin your reading experience :
Our editors are talented.
Another option to monitor you, claim "legitimate interest" :
Of course, the practice is illegal.
It must be emphasized that some editors offer a respectful interface :
A clean interface, your choices still need to be respected.
Some rare exceptions also on Apps :
Long message, but clear choice (go to Twitter for the full screenshot).
Cookie walls, blackmail of personal data
Blackmail of personal data, hello.
We also find the cookie wall on Apps :
Blackmail of personal data, continued.
Is the cookie wall legal? The CNIL wanted to ban it, without success :
The “cookie wall” consists of blocking access to a website or a mobile application for users who do not give their consent. In certain cases, this practice, also called “pay wall”, conditions this access to a financial compensation, such as a subscription.
The Council of State considered, on June 19, 2020, that the CNIL could not prohibit, in principle, this practice.
Pending lasting clarification on this issue from the European legislator, the CNIL will apply the texts in force, as clarified by case law, to determine on a case by case basis if the consent of people is free and whether a cookie wall is legal or not. In this context, it will be very attentive to the existence of real and satisfactory alternatives, in particular provided by the same publisher, when the refusal of unnecessary trackers blocks access to the service offered.
We are therefore impatiently awaiting the first decisions from the CNIL... Until then, you can read these excellent articles:
- "Cookie wall: when will they stop taking us for idiots?" by Numendil.
- "Consent Wall and Cookie Wall" by Romain Bessuges-Meusy, CEO of CMP Axeptio.
- "Cookie walls and other tracking walls: legal, not legal?" by Marc Rees.
A fictitious consent
You might say to yourself: OK, it's not so easy to refuse surveillance, but now I have a choice. Publishers still need to respect this choice... In real life, this is rarely the case:
- Many publishers leak your personal data even before you have given (or refused) your consent.
- Many publishers leak your personal data even though you have refused to give your consent.
The hypocrisy of publishers who pretend to respect the law.
On Apps, often the Wild West.
Let's look at leaked personal data :
Via the Charles Proxy software, it is possible to observe all requests.
Note thatApple ATT does not prevent the leak of personal data, only tracking (multi-App monitoring).
Apple protects you much better than Google against advertising surveillance, but if you want to avoid all personal data leaks, you will need to use a tracker blocker such as NextDNS.
How to enforce the law?
The CNIL recently announced around twenty formal notices :
Given the history of the organization, I am cautious. Read for example the feedback from Quadrature du Net: "GAFAM escapes the GDPR, the CNIL complicit".
Noyb will nevertheless try the adventure with the various European data protection authorities :
While the CNIL painfully sends around twenty formal notices, Noyb plans to send 10,000 complaints. We are talking here about a small association with a few volunteers: proof that the CNIL does not lack resources but above all political will.
So, no hope? Not so sure, the most important advances could come from the competition authorities, as well described in this article. Fingers crossed and until then, protect yourself.