Excerpt
The French DPA found Facebook guilty for making it more complex for users to refuse cookies than to accept them, and for not providing users with clear information on refusal of cookies.
Our analysis
When a user in France visits Facebook's website, they can easily agree to the deposit of advertising cookies by clicking on the "Accept cookies" button on the first window. However, to refuse these cookies, the user must complete three separate actions. First, they must click on the "Manage data settings" button located above the "Accept cookies" button in the first window. Second, they must scroll down the entire content of the second window, specifically to establish that the two sliding buttons allowing the deposit of advertising cookies are disabled by default. Finally, they must click on the "Accept all" button located at the bottom of this second window.
The restricted committee has concluded that this complex mechanism for rejecting cookies amounts to discouraging users from refusing cookies and encouraging them to favor the "Accept cookies" button. The methods used by Facebook to express choice in refusing cookies skew the expression of choice in favor of consent and alter freedom of choice. By having to click on "Manage data settings" and understanding the setup of the page to reject cookies, the user is likely to become discouraged and ultimately choose to accept cookies. Additionally, the information referring to acceptance/rejection of cookies was unclear, making it difficult for users.
Facebook's website utilizes deceptive patterns, such as forced action, obstruction, and hidden information, to discourage users from refusing advertising cookies and to favor the "Accept cookies" button. By doing so, Facebook has violated several laws, including Article 82 of the French Data Protection Act, Article 4(11) of the GDPR, and Article 5(3) of the ePrivacy Directive. Facebook's use of deceptive patterns is counter-intuitive, as users must click on a button titled "Accept cookies" to refuse the deposit of cookies. This method instead encourages the user to believe that it is not possible to continue browsing if they refuse the deposit of advertising cookies.
Outcome
The CNIL imposed a fine of €60,000,000 on Facebook Ireland Limited for violating Article 82 of the Loi 'Informatique et Libertés'. Facebook was also ordered to simplify its methods for obtaining consent from French users to read and write information on their terminals. The CNIL attached a penalty of €100,000 per day of delay to the injunction, with proof of compliance required within three months. The decision was made public on the CNIL and Légifrance websites, with the company's name to be removed after two years.
Parties
CNIL - French Data Protection Authority and Facebook Ireland Limited
Case number
SAN-2021-024
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.
Requires website operators to obtain user consent before storing or accessing information on the user's device through cookies or similar technologies.
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.