Facebook Cookies Browser Settings and the CNIL

By: Richard Beaumont | Tuesday, February 9, 2016 | Tagged: Facebook, French Cookie Compliance, Cookie Law Enforcement | Leave Comment

France’s Data Protection Authority, the CNIL, has sent Facebook a formal notice that it is in breach of a number of provisions of French data protection law, and is facing significant fines if it does not make changes to its practice within three months.

This follows a similar action from their Belgian counterparts towards the end of last year, where the social media giant made changes to functionality in Belgium to comply.  However, the CNIL appears to have gone much further in its actions, ruling not just on cookies but the transfer of data to the USA via the now defunct Safe Harbor mechanism, and perhaps most significantly its core advertising practices upon which the vast majority of its revenue is based.

A full analysis of the ruling is too big for a single blog, so I am going to focus on one of the key aspects, but you can view the entire ruling in English here.

Cookies

As in the Belgian case, the CNIL highlights how Facebook places a cookie when a non-user visits a page that does not require logging in.  The same cookie can also be read through the different plug-ins (such as the Like button) that other people add to their own sites. This enables Facebook to build a browsing history of non-users for up to 10 days.  This is deemed by CNIL to be an unfair practice as there is not any opportunity for individuals to know about or refuse this cookie.

CNIL notes that Facebook has previously said this cookie is used for security purposes, but believes that this does not justify the subsequent ability to track non-users across other sites.

However, the CNIL goes further and also states that the use of cookies by Facebook is also unlawful for logged in Facebook users, on the basis that cookies are both set before a user has had a chance to give consent, and that the notice given to visitors does not provide sufficient information for a user to make an informed judgement.

In particular the decision highlights the fact that it is not made clear that cookies are used to enable advertising, and that there is no opportunity for users to refuse cookies through any settings or controls.

Consent Through Browser Settings

Although Facebook does advise people they can change their browser settings to block cookies, this is not deemed sufficient, as the types of cookies in use, and the limitation of browser controls, do not give users enough control.

The argument here is that blocking all cookies by the browser will stop the site from working, but only blocking third party cookies is not sufficient as it leaves the user unable to block first party cookies that require consent.

Therefore, because there is no opportunity to refuse some types of cookies, the user is unable to give valid consent. 

This is a particularly important aspect of the decision.  Many websites take exactly the same approach as Facebook, relying on users to change browser settings, and would therefore be likely to fail a compliance test for the same reason.  That is position was also clearly stated in the UK ICO’s own guidance, which has maintained since 2012 that ‘most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie.’ Browser controls have not significantly changed since then, so that advice still holds true.

The CNIL has now become the first regulator to enforce on this issue, but it is unlikely to be the last.  Any website that does not offer visitors direct control over cookies, risks getting caught out by the same principle.

Conclusion

Although Facebook has challenged the Belgian ruling, it also changed its functionality in Belgium in the meantime to avoid the risk of a huge fine if it loses the argument.

It may be much more difficult to do that in this case – because the CNIL decision is much broader. This ruling should also serve as a warning to all websites that rely on asking users to change browser settings to comply with the cookie laws.  We have always maintained that this approach is risky, and we now have a decision that demonstrates why. 

Most websites set a mixture of first and third party cookies that need much subtler user controls than browsers provide in order to make consent for them valid.  This decision means it is now time for many website owners to re-evaluate the validity of their cookie law solutions.

Tag Cloud