European DPAs Bring Enforcement Against U.S. Company Data Practices

European data protection authorities (DPAs) have taken action in the past week against U.S. companies for violations of EU privacy and data protection regulations. First, France’s data protection authority, the CNIL, issued fines against Google ($170 million) and Facebook ($68 million) for violation of the ePrivacy Directive. Both companies have a single button available for users to accept all cookies on their services, but require users to go through a series of steps and clicks in order to reject cookies. In addition, Facebook users must first click a button reading “Accept Cookies” to reach the options to reject cookies. The CNIL determined that these systems are likely to confuse or manipulate users away from exercising their rights to reject cookies, essentially using dark patterns to coerce consent. According to the ruling, the companies must change their cookie designs to address these problems within three months or face fines of €100,000 per day of non-compliance beyond the deadline.

Next, the Austrian DPA found that an Austrian health website had violated the GDPR by using Google Analytics on the site. The DPA ruled that IP address information constitutes personal data and, since IP information is exported to the U.S. via the Google Analytics implementation on the site, the website had violated Chapter V of the GDPR, which relates to transfers of personal data out of the EU. This ruling could pave the way for similar decisions in multiple EU member states.

EPIC has previously spoken out for stronger user protections against cookies and tracking technologies and has filed comments highlighting the harms of dark pattern use.