Deceptive Patterns

From Compliance To Privacy UX: Regulators Come For Dark Patterns

Author
Stephanie Liu, Andrew Hogan & Enza Iannopollo
Date
7 Jan 2022
Focus
Law & Policy
Category
Journalist or Media

The French data protection authority hit Facebook and Google with multimillion-dollar fines yesterday for their use of deceptive design in their cookie consent banners. Commonly known as dark patterns, these design choices threaten or trick people into doing things that are in conflict with their own interests.

We’ve all encountered these deceptive designs, where users are presented with a big “accept all cookies” button but rejecting cookies takes multiple clicks, menus, submenus, confusing toggles, and so on. In fact, there’s even a whole Twitter account dedicated to coercive and deceptive design.

This isn’t a run-of-the-mill compliance story. Technically, Facebook and Google are compliant with the ePrivacy Directive — users can opt out if they want to. The issue, according to the data protection authority, is that opting out of cookies is confusing and unclear.

For privacy leaders and their teams:

Ensure you are “ePrivacy ready.” The ePrivacy Directive — also known as the “Cookie Directive” — has been under revision for over five years, and agreement on a final version may still take time. But make no mistake: European regulators keep leveraging these rules, together with the General Data Protection Regulation, to protect individuals’ privacy rights. Ensure you are familiar with the ePrivacy Directive and are able to meaningfully comply.

Design and implement better privacy experiences. This is not the first time that the French regulator has evaluated the privacy experience as part of its investigation and decisions. In another case involving a French retailer, it wrote that “the privacy language used was tedious, even for an enlightened user” and the numerous clicks required to get to relevant privacy content undermined privacy rights. Ensure you involve your customer experience (CX) and UX peers when implementing your privacy program, and continuously monitor and improve the quality of CX across privacy touchpoints.