It has been one hot month for privacy in France. The French DPA (CNIL) issued fines to three large tech companies (Apple, TikTok, and Microsoft). All decisions are interesting, and one comes with a big fine.
- The ePrivacy Directive
- Apple fined €8M for illegal tracking
- TikTok was fined €5M for a cookie mess
- Microsoft fined €60M for Bing’s cookies
- Some considerations
- Final Thoughts
The ePrivacy Directive
All cases revolve around Article 5 of the ePrivacy Directive of the EU. We write a lot about GDPR in our blogs, but the ePrivacy Directive is also quite important when it comes to privacy.
The GDPR is often called the “cookie law”, but the Directive is the real cookie law. Article 5 requires consent to read or write any information stored on the user’s terminal equipment. The rule covers cookies but also applies to other technologies, such as advertising IDs (as in Apple’s case).
The Directive contains two exemptions. Consent is not required when processing the information is necessary:
- For making communication possible (for instance, phone companies need to process phone numbers)
- For providing a service that the user requested. This exemption includes so-called essential cookies used by websites, such as cookies that store UI preferences or track items in a shopping cart.
Cookies needed for marketing and web analytics are not essential cookies and can only be processed after collecting consent. This is why you see so many annoying cookie banners when browsing the Internet.
Overall this is a stricter regime compared to the GDPR, because the GDPR allows the processing of personal data on bases other than consent, such as legitimate interest or the performance of a contract (we wrote more about legal bases here).
Another important difference is that the Directive is not directly applicable. So data protection authorities (DPAs) in each Member State don’t enforce the Directive directly, but rather enforce the national laws which implement the Directive (in the case of the CNIL, that would be the French Data Protection Act).
Apple fined €8M for illegal tracking
The first case is about advertising IDs. iOS 14.6 uses advertising IDs to track user activity and personalize advertisements on its App Store. The OS does not ask the user for consent, but it does provide an opt-out option in its privacy settings. The CNIL held this to be a violation of the ePrivacy Directive and fined Apple €8M. According to Politico, Apple intends to challenge the decision.
This ruling is nothing new. The GDPR requires consent to be given through a clear affirmative action, and the EU Court of Justice has already clarified that opt-out systems can never collect valid consent, so the rules are as clear as it gets. And yet companies still use opt-out systems (even multinationals with well-funded legal departments).
Two more things should be noted. First, the case revolved around iOS 14.6 specifically, and the DPA did not investigate tracking in other versions. Second, Apple changed its privacy settings from iOS 15 onwards and implemented an opt-in system for the specific privacy option involved in the case. This does not necessarily mean that Apple is no longer tracking users without their consent; in fact, the company is facing a privacy lawsuit in California over unauthorized tracking.
TikTok was fined €5M for a cookie mess
In the second case, the CNIL investigated the cookies on TikTok’s website. What it found was not great.
First, the website used three cookies regardless of the user’s choice to accept or reject them. Two were essential cookies under the ePrivacy Directive, but one was a marketing cookie. You can’t do that.
Second, the cookie banner offered the user only the choice to accept or customize cookies in the first layer, forcing the user to open the second layer and go through extra clicks in order to reject cookies. This is a textbook example of deceptive design, something we have already discussed on our blog. Additionally, the banner did not provide sufficient information to the user. For these reasons, the CNIL held that the cookie banner was not compliant and that the website was processing cookies without the user’s consent.
As a side note, TikTok came up with an interesting defense: “Rejecting cookies is really simple on our website because the user can just ignore the cookie banner and keep browsing.” So accepting all cookies takes one click, and rejecting them takes zero. It’s that easy! Needless to say, the CNIL did not buy that.
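The consent rule from the Directive section and the two TikTok findings (a marketing cookie set regardless of the user’s choice, and no reject option in the first layer) can be turned into a small consent-gating and audit routine. This is an added example, not code from the original post or from any of the companies named; the cookie names, categories and banner labels are constructed, and `jar` stands in for `document.cookie` so it runs outside a browser.

```javascript
// Cookies exempt from consent: strictly needed for the service the user requested
// (session, shopping cart, UI preferences). Everything else waits for an opt-in.
// Names are constructed for this example.
const ESSENTIAL = new Set(["session_id", "cart", "ui_prefs"]);

// Consent state: choice === null means the user has not interacted with the banner.
// "Reject all" yields an empty set of accepted categories.
function makeConsent() {
  return { choice: null, accepted: new Set() };
}
function acceptAll(consent) {
  consent.choice = "accept";
  consent.accepted = new Set(["analytics", "marketing"]);
}
function rejectAll(consent) {
  consent.choice = "reject";
  consent.accepted = new Set();
}

// Write a cookie only if it is essential or its category has been explicitly accepted.
// Returns whether the write happened, so callers (and tests) can see what was blocked.
function setCookie(jar, consent, name, value, category) {
  const allowed =
    ESSENTIAL.has(name) || (consent.choice !== null && consent.accepted.has(category));
  if (allowed) jar.set(name, value);
  return allowed;
}

// Audit helper: given cookie names observed before any banner interaction,
// return the ones that needed consent (the pattern found on TikTok.com and Bing.com).
function auditPreConsentCookies(observedNames) {
  return observedNames.filter((name) => !ESSENTIAL.has(name));
}

// Banner check: the first layer must offer reject alongside accept,
// not only "accept" and "customize".
function firstLayerCompliant(buttonLabels) {
  const labels = new Set(buttonLabels.map((l) => l.toLowerCase()));
  return labels.has("accept") && labels.has("reject");
}

// Constructed sample run: essential cookie goes through, marketing cookie is held back
// both before any choice and after "reject all".
const jar = new Map();
const consent = makeConsent();
setCookie(jar, consent, "session_id", "abc", "essential");
setCookie(jar, consent, "ad_tracker", "xyz", "marketing");
rejectAll(consent);
setCookie(jar, consent, "ad_tracker", "xyz", "marketing");
```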
Microsoft fined €60M for Bing’s cookies
The third case is about cookies on the Bing.com domain and cost Microsoft a €60M fine.
The authority first found that the cookie banner displayed on the website was not compliant with the GDPR and the CNIL’s own guidelines. Like TikTok.com’s banner, Bing’s did not include a reject option on the first layer and forced the user to go through more unnecessary clicks to reject cookies.
The CNIL also found that Bing.com placed an anti-advertising-fraud cookie regardless of user preference. Microsoft considered this cookie to be essential, but the CNIL ruled otherwise based on its own guidelines. The authority also found that an advertising cookie was placed without consent, which Microsoft claimed was the result of human error.
Some considerations
The timing of the decisions against TikTok and Microsoft couldn’t be more appropriate. A task force from the European Data Protection Board dealt with cookie banners and published its report shortly after the CNIL published its decisions. Incidentally, the necessity of a reject button in the first layer of banners is one of the main points of the report.
We covered this topic in detail on our blog because we believe that the report is a good indicator of how data protection authorities will handle cookie cases from now on. Hopefully, the CNIL’s fines against TikTok and Microsoft for their deceptive banners will set an example for other DPAs.
Competence is another important aspect of all three decisions. The CNIL isn’t saying anything new in this regard, but the issue is still worth looking into.
Apple, TikTok, and Microsoft all have their European subsidiaries in the Republic of Ireland, and all three claimed that the DPC (the Irish DPA) was competent to decide their case under the GDPR. But the cases revolved around ePrivacy violations, and the ePrivacy Directive follows different competence rules compared to the GDPR. This is why the CNIL held itself competent to impose fines.
Competence might look like a technicality, but it is a big deal from a practical viewpoint. Some DPAs are stricter than others, and the CNIL is far stricter than the DPC. Had the cases been decided in Ireland, the outcome might have been different and more favorable to the companies.
Final Thoughts
It’s early to say, but we might finally see a crackdown on deceptive cookie banners. At Simple Analytics we’ve never been a fan of using cookies, let alone those annoying and often deceptive cookie banners. The rationale is that website owners can get the insights they need to improve their website’s performance without cookies.
We are a cookieless Google Analytics alternative that is 100% GDPR-compliant and does not need a cookie banner. Curious to see what that looks like? Feel free to give us a try!