GDPR and Big Tech: The Cookie Monster Versus Joe Public

Europe’s General Data Protection Regulation, which was implemented last summer, has far-reaching privacy rules. Commonly referred to as the GDPR, this is now the standard which has forced most tech companies to rethink not only data collection practices but also how data is collected, or risk high fines. Where the US lacks a similar regulation to protect the privacy of Internet users, many characterize Europe’s GDPR as hurting privacy instead of protecting it, while others accuse the EU of policing across its own borders.

The Washington Post announced last week that France has fined Google almost $57 million for the first major violation of the GDPR, and tech companies in Silicon Valley and beyond are paying close attention. Accused of failing to disclose the collection and use of personal information to users, Google also failed to obtain permission from these users to do things such as exposing them to personalized advertisements. To most North Americans, such regulations are almost joke-worthy, but that is because most internet users are completely unaware of how Google harvests the information it uses, which does involve accessing private data. Yet there is cause for concern when Android users set up a new mobile phone and follow Android’s setup process.

Two nonprofit organizations, None Of Your Business (noyb) and La Quadrature du Net, originally filed a complaint back in May 2018, but noyb filed its complaint against Google and Facebook. Under the GDPR regulations, complaints must first be transferred to local data protection watchdogs, so France’s top data-privacy agency, CNIL (Commission Nationale de l’Informatique et des Libertés), took the case in hand and started its investigation 1 June, 2018. Concluding that Google did not comply with the consent and transparency aspects of the privacy law, it pointed to specific areas of non-compliance, such as how information is not easily accessible and that information is not clear or comprehensive. Of particular note is how data is processed:

Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.

So what is the information that can be accessed by Google and other tech companies? Take browser cookies, for instance. While “cookies” sounds like a cute word, these small files store a lot of private data: where you have browsed, information you have filled into online forms, even information you have entered into highly personal online financial sites, free website builders, and basically everything you have done on your browser, everywhere you have browsed. Tracking cookies are used for advertising purposes, specifically involving what is called retargeting, a tactic that depends upon tracking cookies to show ads to people who have previously visited a specific site or shown interest in a particular product. If you’ve ever looked up something on Google or on Amazon and then saw it or a similar item on a popup advertisement while browsing, this is no coincidence. You’ve simply been retargeted.

The information cookies contain is set and accessed by the servers of the websites that you visit, and cookies allow servers to identify you and remember things about you. So, while a cookie might be considered to be no big deal by some people, imagine that any website having access to your cookies would potentially have access to anything you have typed into your web browser. Silktide founder Oliver Emberton explains cookies like this: “The problem is that those same cookies can also be used to track people, and do things that many people don’t like, like deliver targeted ads. And this has got a lot of people understandably concerned.” The GDPR means that users are to be asked for consent before cookies can be accessed. You can read the CNIL summary of their report here.

Google is now fined for violating France’s General Data Protection Regulations to the tune of US$57 million. When the GDPR was first announced, many claimed that this would be bad for business. But on the other side of the argument, privacy groups have firmly stood behind the necessary privacy measures to be observed by all companies, including tech giants like Facebook and Google which have come under scrutiny in recent months. And earlier this week, Poland, the UK and Ireland were implicated in not safeguarding users with regard to “how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.”

Ultimately, there is a clear contradiction between what’s good for big business and what is good for the privacy protections of individuals. The real question is what will give in first: our human right to privacy or big business’ desire for profit?

Julian Vigo is a scholar, film-maker and human rights consultant. Her latest book is Earthquake in Haiti: The Pornography of Poverty and the Politics of Development (2015). She can be reached at: julian.vigo@gmail.com.