Chinese translation: 劉進龍
Proofreading: 汪皓
Websites regularly try to steer users toward accepting their tracking cookies by making it relatively hard to reject them. On January 6, France's data protection watchdog struck back against such tricks—known in the tech industry as "dark patterns"—by fining Facebook, Google, and YouTube a total of €210 million ($238 million).
The agency, known as CNIL, said the companies' actions violated the French Data Protection Act. Apart from these fines—€60 million for Facebook and €150 million for Google and its video-streaming business—it gave them three months to change how their cookie acceptance/rejection mechanisms work, or face further penalties of €100,000 a day.
Europe's tough online privacy regime really kicked into gear in 2021, when fines under the previously less-than-feared General Data Protection Regulation (GDPR) totaled more than €1 billion, mostly thanks to blockbuster fines for Amazon and WhatsApp, levied in Luxembourg and Ireland respectively.
CNIL's latest fines, however, were underpinned by a different piece of EU legislation: the ePrivacy Directive, which was transposed into French law some two decades ago. Popularly known as the "cookie law," this ancient (in internet time) rulebook was supposed to be replaced five years ago, though the legislative process has repeatedly stalled.
Cookies? Doh!
Users' consent is central to the cookie law and, according to CNIL, Facebook and Google haven't been getting it fairly.
"Several clicks are required to refuse all cookies, against a single one to accept them," the regulator complained regarding Google and YouTube's websites.
The same applies to Facebook's website, with one particularly entertaining added wrinkle—per January 6's statement: "The CNIL also noted that the button allowing the user to refuse cookies is located at the bottom of the second window and is entitled 'Accept cookies.'" In all these cases, CNIL said, the mechanisms discourage users from refusing cookies, in a process that "affects the freedom of consent of Internet users."
"We are reviewing the authority's decision and remain committed to working with relevant authorities," said a spokesperson for Facebook owner Meta. "Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls."
A Google spokesperson said, "People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive."
"Dark patterns"
This is not the first time Facebook and Google have been accused of employing dark patterns—essentially deceptive designs—to manipulate people into weakening their privacy.
A few years ago, shortly after the GDPR came into force, consumer groups from across Europe asked national privacy regulators to investigate dark patterns. The Norwegian Consumer Council (NCC), which spearheaded the push, made a formal complaint against Google to Norway's data protection watchdog.
However, under the GDPR's "one stop shop" mechanism, complaints are supposed to be handled by the regulator in the country where the company has its European headquarters—meaning Ireland, for most of Big Tech. So the NCC's complaint got passed to the notoriously slow and underfunded Irish Data Protection Commission, where it has been languishing ever since.
France's CNIL avoided this trap by targeting Google and Facebook under the ePrivacy law. As it repeatedly noted in January 6's statements, it has the jurisdiction to issue fines for ePrivacy violations on French soil.
"The CNIL decision sends a strong signal that users must be given real and fair choices online, and not manipulated into 'accepting' whatever is in the companies' own interest," NCC digital policy chief Finn Myrstad told Fortune on January 6.
Over in the U.S., the Electronic Privacy Information Center (EPIC) has repeatedly complained to the Federal Trade Commission (FTC) about dark patterns. The agency has become more sympathetic to these complaints under the Biden administration. It said last October that it would step up enforcement against dark patterns that "trick or trap consumers into subscription services."