SoylentNews is people
SoylentNews
France fines Google $120M and Amazon $42M for dropping tracking cookies without consent – TechCrunch:
France's data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.
Google has been hit with a total of €100 million ($120 million) for dropping cookies on Google.fr and Amazon €35 million (~$42 million) for doing so on the Amazon .fr domain under the penalty notices issued today.
The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country's Data Protection Act.
In Google's case the CNIL has found three consent violations related to dropping non-essential cookies.
"As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies," it writes in the penalty notice [which we've translated from French].
Amazon was found to have made two violations, per the CNIL penalty notice.
CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.
Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.
In Amazon's case its French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.
The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time, sites that failed to ask for consent to track were risking a big fine under EU privacy laws.
Google and Amazon are now finding that out to their cost, it seems.
We've reached out to Amazon and Google for comment on the CNIL's action.
Update: Google sent this statement, attributed to a spokesperson:
People who use Google expect us to respect their privacy, whether they have a Google account or not. We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today's decision under French ePrivacy laws overlooks these efforts and doesn't account for the fact that French rules and regulatory guidance are uncertain and constantly evolving. We will continue to engage with the CNIL as we make ongoing improvements to better understand its concerns.
Update 2: Amazon has also now sent a statement:
We disagree with the CNIL's decision. Protecting the privacy of our customers has always been a top priority for Amazon. We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate.
(Score: 2) by Rosco P. Coltrane on Tuesday December 15 2020, @12:46PM (4 children)
are normally dealt with with heavier and heavier punishments, then possibly jail time for some execs. But not Google or the other big data giants: they get caught, pay the minuscule fine compared to their profits, and keep right on going.
(Score: 2) by PiMuNu on Tuesday December 15 2020, @01:07PM (2 children)
> minuscule fine compared to their profits
Although, compared to their profits *from France* I guess this is a significant fine. If all the European nations made the same fine, shareholders would be really grumpy.
(Score: 2) by looorg on Tuesday December 15 2020, @01:50PM (1 child)
I doubt it's very significant even *from France*, plus then all the people that speak french but live in other countries that might use the .fr version for various reasons from time to time.
That said if all other countries in the EU (or just anywhere) would do the same then yes I think Google, Amazon etc would start to be very unhappy as it would or might be an actual threat to their entire business model.
(Score: 3, Insightful) by TheRaven on Wednesday December 16 2020, @12:17PM
sudo mod me up
(Score: 0) by Anonymous Coward on Wednesday December 16 2020, @10:15AM
I think all fines should be relative to a person's income and a non-human entity's gross revenue. But good luck getting the rich that run things to pass that law.
(Score: 5, Touché) by RS3 on Tuesday December 15 2020, @01:38PM
Amazon's statement:
"Always"? Really. So then they go on to say:
So if protecting privacy has ALWAYS been top priority, then why do you need to update your "privacy" practices?
If any of you have ever actually read a "privacy agreement", they always start out with statements similar to: "we hold your privacy in the highest regard...", but then always go on to say "we will share your info with our trusted partners"...
Okay wait, who are those "partners"? What are their privacy statements? Maybe they in fact don't care about our privacy, and happily sell anything and everything they can get their hands on.
(Score: 2) by canopic jug on Tuesday December 15 2020, @02:19PM (10 children)
Drop means discontinue. That's what is desired, both by the public and by the law. These multinationals must drop cookies from web transactions or face both penalties and public disapproval. Or is the author cheering privacy-invading cookies?
Money is not free speech. Elections should not be auctions.
(Score: 5, Insightful) by Samantha Wright on Tuesday December 15 2020, @02:22PM (1 child)
I'm guessing it's a translation error. Either that or the author was going for "dropping a trail of breadcrumbs" metaphor, ineptly.
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @07:02PM
the went for cookie/breadcrumbs (designers of stored info packets) back in the day, because the more correct droppings (as in animal territory markings). would have been more descriptive, but negitavely so.
(Score: 3, Informative) by RS3 on Tuesday December 15 2020, @03:44PM (2 children)
I agree and was a bit confused at first. We seem to live in a world of redefining everything, including words themselves. It's hip slang. Think of "drop" in this context as "they dropped a cookie into your computer's cookie jar".
(Score: 1, Interesting) by Anonymous Coward on Tuesday December 15 2020, @03:49PM (1 child)
Dropped a cookie, pinched a loaf, let out a load, bust a deuce, fired off an ass rocket... meh, what's the difference.
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @06:28PM
> But dropped a cookie into your computer's cookie jar
I figured it out easily enough, but the expression doesn't make sense with the physical analogy. Someone might drop money *into* a tip jar, but they take cookies *out* of the cookie jar.
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @04:17PM (2 children)
Probably someone with poor to non-existent English skills performing translation from French to English and choosing the wrong English word.
(Score: 2) by HiThere on Tuesday December 15 2020, @06:08PM (1 child)
Sorry, to me that reads like a perfectly reasonable English word. It's true that "drop" has multiple meanings, and that they don't all work in the sentence, but "drop" in the sense of "leave behind" fits perfectly with what they meant. It's true that "drop" in the sense of "abandon" doesn't work, but that's only one of the meanings.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @07:08PM
It may have made sense to you, douche, but it's still wrong. None of drop's "multiple meaning" make this god-awful bro-speech.
(Score: 2) by PinkyGigglebrain on Tuesday December 15 2020, @09:08PM (1 child)
Sometimes.
I think in this case they might mean drop in the context of adding something to a container. ie, the cookie being added to the contents of the HD, like a drop being added to a bucket.
I was going to just cut/paste the definition of "drop" but turns out "drop" has a ton of different meanings depending on context.
drop [merriam-webster.com]
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 2) by FatPhil on Wednesday December 16 2020, @04:27PM
So presumably they've dropped some prior aceptable behaviour and picked up some new bad behaviour instead.
But no - their use of tracking cookies has not been dropped.
So context didn't help there.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Runaway1956 on Tuesday December 15 2020, @05:24PM (2 children)
#boner
Silliness aside, I love the fines, however miniscule they might be. I agree with the above poster who says that all the other EU countries should impose similar, or even larger fines. If the tech companies refuse to comply with EU law, then it should HURT them in the pocketbook.
A few quarters of net losses in the EU would get investors attention!
Abortion is the number one killed of children in the United States.
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @05:57PM
Except, to a Google, these are indeed miniscule fines.
These are small enough to just be chalked up as cost of doing business to someone of Google or Amazon's scale. They can just pay this, year on year, to the French govt., and continue just as before, because they will make 100x back from the advertisers due to their ignoring of the law and storing these tracking cookies.
These fines are like a mosquito biting a horse. The horse barely notices and goes on about its business.
If these regulators were trying to protect their people (instead of appear to be "doing something") these fines would be large enough that Google or Amazon would notice them in this quarters profit margin. I.e. large enough that this quarters SEC report would show a worldwide net loss to Goggle or Amazon. Then they will pay attention and start to change. Otherwise, the horses tail will just swat the mosquito away, and it will continue grazing in the field of advertiser money.
(Score: 4, Interesting) by HiThere on Tuesday December 15 2020, @06:11PM
I think that usually there is an increased fine for a second violation, and that again increased for a third violation. Perhaps this should be thought of more as a warning than as a punishment.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @06:23PM
will you spend the fine money on educating kids about free software, privacy,. security and programming or just fund more parasites?
(Score: 0) by Anonymous Coward on Tuesday December 15 2020, @07:05PM
I wish all you idiots would stop using "dropped" wrong. It's so confusing to articles by 20-something douche bags.
(Score: 3, Insightful) by darkfeline on Wednesday December 16 2020, @01:35AM (3 children)
This is stupid. Cookies are accepted by the client. You can't blame the server for the client accepting cookies. If you do, you must also accept that ad blocking is illegal, as it is the prerogative of the client to request/accept any ads the server offers. Either you accept that the client has control over requested resources, or you accept that the client must download and save everything offered by the server.
Practically speaking, you can't protect users by suing every single website that sends cookies. You have to teach users to configure their clients to block cookies. Of course, the goal of these kinds of lawsuits isn't to protect users, but rather to collect some funding and possibly also to lightly "pressure" large companies into meeting political demands.
Join the SDF Public Access UNIX System today!
(Score: 1, Insightful) by Anonymous Coward on Wednesday December 16 2020, @02:48AM
You may find it stupid, but the law is the law. Putting a mark on peoples browsers to track them are illegal in the EU without explicit consent. Exceptions are made for critical cookies like login tokens and similar essential functionality. Of course we should educate people, but do you really think it'll have an effect? We're in this privacy nightmare because we thought people would educate themselves, but it's never going to happen. I'm happy there are lots of other area of which I'm not an expert that are regulated to protect me and my health.
(Score: 2) by TheRaven on Wednesday December 16 2020, @12:22PM
Nonsense. A cookie is often just a UUID used to index a database entry. There are legitimate and legal uses for such a cookie and there are also illegal uses for such a cookie. Why should it be up to the recipient of the cookie on the client to determine whether the use on the server is legitimate?
What about other browser fingerprinting attacks? If you're using these to illegally collect information about people, should it be the user's fault for using a browser that doesn't contain active countermeasures against this week's attack? If I shoot you in the chest with a pistol, is it your fault and liability because you chose not to wear body armour?
sudo mod me up
(Score: 2) by FatPhil on Wednesday December 16 2020, @04:31PM
Real world laws are there to protect the real world citizens from real world threats.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves