How publishers make a mockery of the CNIL

GDPR and ePrivacy are very good pieces of legislation. The catch is finding the means to enforce them

Published by Pixel de Tracking on June 9, 2021

3 years to prepare

Under the ePrivacy directive, internet users must be informed and give their consent before "non-essential" trackers are placed or read. Since the GDPR came into force, already 3 years ago, the requirements for valid consent have been strengthened.

On October 1, 2020, the CNIL published amending guidelines and its recommendation on cookies and other trackers. It also gave publishers 6 months to comply with the rules.

As we have seen on this blog, the old guidelines, lax as they were, were already being ignored. Here are a few articles that illustrate the impunity:

What about the new guidelines?

The CNIL recommends a “Dark pattern” to “optimize” the consent rate

The CNIL recommendation opens with a first design proposal for the consent interface:

[Screenshot]

Page 9, Figure 4: a clear interface, easy choice for the user.

As well as general considerations on the interface (I put the key passages in bold):

  • "The data controller must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity."
  • "Therefore, the Commission strongly recommends that the mechanism for expressing a refusal to consent to read and/or write operations be accessible on the same screen and with the same ease as the mechanism for expressing consent."
  • "For example, at the first level of information stage, users may have the choice between two buttons presented at the same level and in the same format, on which are written respectively “accept all” and “refuse all”, “authorize” and “prohibit”, or “consent” and “not consent”, or any other equivalent and sufficiently clear wording."

Read on, and a second design proposal appears:

[Screenshot]

Page 10, Figure 5: a CNIL recommendation! The “Continue without accepting” option is easy to miss.

Just below this misleading design, the CNIL contradicts itself:

  • "In order not to mislead users, the Commission recommends that data controllers ensure that interfaces for collecting choices do not include potentially misleading design practices leading users to believe that their consent is mandatory or which visually highlight one choice more than another."
  • "It is recommended to use buttons and font of the same size, offering the same ease of reading, and highlighted in the same way."

This “Dark pattern” was quickly “evangelized” among publishers:

[Screenshot]

Advice from Converteo (data and technology consulting agency) to publishers: follow the “room for maneuver” proposed by the CNIL!

April 1, 2021 is the big day: sites and apps must finally be compliant, as the CNIL reminds us:

[Screenshot]

It spared no effort on the education front, as noted on its website:

  • Eighteen webinars for professionals in the private and public sectors.
  • Numerous practical tips and tools available on the CNIL website.
  • An awareness campaign for public and private organizations.

With what results? Let's take a look through a few Twitter threads (click the links to expand the many examples).

The consent interface, a calamity

Most publishers have figured out how to “optimize consent rates”, with the CNIL's help:

[Screenshot]

The CNIL “Dark pattern”, standard interface on media sites.

Want more? Here is the CNIL's “Dark pattern”, app edition:

[Screenshot]

Watch out for big fingers!

Another option, quite widely adopted, is to flout the rules altogether:

[Screenshot]

Facebook couldn't care less about the law, and it's not alone.

Special mention to Google:

[Screenshot]

5 steps to refuse surveillance, but obviously it doesn't work.

Apps are no better:

[Screenshot]

Betting that the CNIL doesn't audit apps?

If you refuse to give your consent, some sites decide to ruin your reading experience:

[Screenshot]

Our publishers are so talented.

Yet another way to keep watching you: invoke "legitimate interest":

[Screenshot]

Of course, the practice is illegal.

It's worth pointing out that a few publishers do offer a respectful interface:

[Screenshot]

A clean interface; now your choices just need to be honored.

A few rare exceptions on apps too:

[Screenshot]

Long message, but clear choice (go to Twitter for the full screenshot).

Cookie walls: holding your personal data to ransom

Adopted by publishers such as Webedia and Prisma Media, the cookie wall has riled quite a few people:

[Screenshot]

Personal-data blackmail, hello.

The cookie wall shows up on apps too:

[Screenshot]

Personal-data blackmail, continued.

Is the cookie wall legal? The CNIL wanted to ban it, without success:

The “cookie wall” consists of blocking access to a website or mobile application for any user who does not give their consent. In some cases, this practice, also called a “pay wall”, makes that access conditional on a financial consideration, such as a subscription.

The Council of State considered, on June 19, 2020, that the CNIL could not prohibit, in principle, this practice.

Pending lasting clarification on this issue from the European legislator, the CNIL will apply the rules in force, as interpreted by case law, to determine on a case-by-case basis whether the consent given is free and whether a given cookie wall is lawful. In doing so, it will pay close attention to the existence of genuine and satisfactory alternatives, particularly ones offered by the same publisher, when refusing non-essential trackers blocks access to the service on offer.

So we're eagerly awaiting the CNIL's first rulings... Until then, you can read these excellent articles:

Consent in name only

You might think: OK, refusing surveillance isn't that easy, but at least I now have a choice. The catch is that publishers actually have to honor that choice... and in real life, they rarely do:

  • Many publishers leak your personal data even before you have given (or refused) your consent.
  • Many publishers leak your personal data even though you have refused to give your consent.

A lengthy illustration:

[Screenshot]

The hypocrisy of publishers who pretend to respect the law.

Apps are no better:

[Screenshot]

On apps, it's often the Wild West.

Let's look at leaked personal data:

[Screenshot]

With the Charles Proxy software, you can observe every request.
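As an added illustration of that check (example code, not the author's own tooling): a small Python script reads a HAR export, the format Charles Proxy can produce, and lists the third-party requests made before the user clicked on the banner and, if the user refused, the ones made after the click. The site host, the timestamp of the click, the CMP allowlist and the capture itself are constructed sample values.

```python
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed HAR-style capture in the shape Charles Proxy exports; not real traffic.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2021-06-09T10:00:00.000Z", "request": {"url": "https://www.example-news.fr/"}},
    {"startedDateTime": "2021-06-09T10:00:01.000Z", "request": {"url": "https://cdn.example-news.fr/app.js"}},
    {"startedDateTime": "2021-06-09T10:00:02.000Z", "request": {"url": "https://tracker.example-ads.net/pixel?uid=abc"}},
    {"startedDateTime": "2021-06-09T10:00:05.000Z", "request": {"url": "https://cmp.example-consent.com/choice"}},
    {"startedDateTime": "2021-06-09T10:00:09.000Z", "request": {"url": "https://tracker.example-ads.net/pixel?uid=abc&e=pv"}},
]}})


def site_of(host):
    # Naive registrable domain (last two labels): fine for .fr/.com/.net,
    # not for suffixes such as co.uk, where a real public-suffix list is needed.
    return ".".join(host.split(".")[-2:])


def _ts(iso):
    # HAR timestamps end in "Z"; older Pythons' fromisoformat() only accept "+00:00".
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def third_party_requests(har_text, site_host, decision_time, refused, allowlist=()):
    """Return (before_decision, after_refusal): third-party URLs requested
    before the user's click on the banner, and, when the user refused,
    those requested after it. Hosts in `allowlist` (e.g. the CMP) are skipped."""
    site = site_of(site_host)
    decided_at = _ts(decision_time)
    before, after = [], []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        host = urlparse(url).hostname or ""
        if site_of(host) == site or host in allowlist:
            continue  # first-party or explicitly allowed
        if _ts(entry["startedDateTime"]) < decided_at:
            before.append(url)
        elif refused:
            after.append(url)
    return before, after


if __name__ == "__main__":
    # Assumed scenario: the user clicked "refuse" at 10:00:06.
    early, despite_refusal = third_party_requests(
        SAMPLE_HAR, "www.example-news.fr", "2021-06-09T10:00:06.000Z",
        refused=True, allowlist=("cmp.example-consent.com",))
    print("third-party calls before the choice:", early)
    print("third-party calls after refusal:", despite_refusal)
```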

Note that Apple ATT does not prevent personal data leaks, only tracking (cross-app monitoring).

[Screenshot]

Apple protects you much better than Google against advertising surveillance, but if you want to avoid all personal data leaks, you will need to use a tracker blocker such as NextDNS.

How to enforce the law?

The CNIL recently announced around twenty formal notices:

[Screenshot]

Given the body's track record, I have my doubts. See, for example, the account from La Quadrature du Net: "GAFAM escape the GDPR, with the CNIL's complicity".

Noyb will nevertheless try its luck with the various European data protection authorities:

[Screenshot]

While the CNIL labors to issue some twenty formal notices, Noyb plans to file 10,000 complaints. And this is a small association run by a handful of volunteers: proof that what the CNIL lacks is not resources but, above all, political will.

So, no hope at all? Don't be so sure: the most significant progress could come from the competition authorities, as this article explains well. Fingers crossed and until then, protect yourself.