The Commission nationale de l'informatique et des libertés (CNIL), France’s data protection watchdog, announced that it is imposing a 150,000 euro fine on Facebook. The fine concerns Facebook’s use of the “datr” cookie, which let the company collect information on French and other European internet users without their knowledge.
Facebook has been using the “datr” cookie since at least 2010 to track users across the web, even when they are logged out of Facebook, and even when they have no Facebook account at all. The mechanism is the “Like” button embedded on millions of websites: loading any page that carries the button makes the visitor’s browser fetch it from Facebook’s servers, Facebook sets the datr cookie on that first fetch, and the browser then sends the cookie back on every later fetch, whichever site embeds the button. The cookie therefore links visits to unrelated sites into one browsing history, with no click and no account required.
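The following simulation is an added example, not Facebook’s code: a toy browser, three unrelated first-party sites, and one third-party widget host. It shows the two properties the tracking described above relies on: the widget host mints an opaque identifier cookie on first contact and reads it back on every later fetch, and each fetch carries a Referer naming the embedding page. It also shows what happens when the browser refuses third-party cookies. The hostnames, paths and the cookie name `uid` are assumptions standing in for the real ones (the article’s cookie is `datr`).

```python
"""Added example (not Facebook's code): cross-site tracking through a cookie
attached to an embedded third-party widget, simulated offline.

Modelled behaviour:
  * the widget host sets an opaque identifier cookie the first time any page
    embedding its button is loaded, and the browser sends that cookie back on
    every later widget fetch, whichever site embeds it;
  * the widget fetch carries a Referer header naming the embedding page, so
    the widget host learns which pages the browser visited.

Hostnames, paths and the cookie name 'uid' are assumptions standing in for
the real ones (the article's cookie is 'datr').
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

WIDGET_ORIGIN = "https://widgets.example"  # assumption: the button's third-party host
COOKIE_NAME = "uid"                        # assumption: stands in for 'datr'

# Constructed sample: three unrelated sites a visitor reads, each embedding the
# widget. The visitor has no account, never logs in and never clicks the button.
PAGES = [
    "https://news.example/politics/election",
    "https://shop.example/cart",
    "https://health.example/symptoms/migraine",
]


@dataclass
class WidgetServer:
    """Third-party host that serves the button and logs every fetch by cookie."""

    # identifier cookie value -> list of Referer URLs seen with it
    visits: dict[str, list[str]] = field(default_factory=dict)

    def handle(self, cookies: dict[str, str], referer: str) -> dict[str, str]:
        uid = cookies.get(COOKIE_NAME)
        response = {"body": "<button>Like</button>"}
        if uid is None:
            # First contact from this browser: mint a fresh identifier.
            uid = secrets.token_hex(8)
            response["set_cookie"] = uid
        self.visits.setdefault(uid, []).append(referer)
        return response


@dataclass
class Browser:
    """Minimal browser: a cookie jar keyed by host plus a third-party policy."""

    block_third_party: bool
    jar: dict[str, dict[str, str]] = field(default_factory=dict)

    def visit(self, page_url: str, server: WidgetServer) -> None:
        # Loading the page triggers a subresource fetch of the embedded button.
        top_host = urlsplit(page_url).hostname
        widget_host = urlsplit(WIDGET_ORIGIN).hostname
        is_third_party = top_host != widget_host
        blocked = is_third_party and self.block_third_party
        cookies = {} if blocked else dict(self.jar.get(widget_host, {}))
        response = server.handle(cookies, referer=page_url)
        if "set_cookie" in response and not blocked:
            self.jar.setdefault(widget_host, {})[COOKIE_NAME] = response["set_cookie"]


def simulate(block_third_party: bool) -> list[list[str]]:
    """Visit every sample page and return the widget host's per-identifier logs."""
    server = WidgetServer()
    browser = Browser(block_third_party=block_third_party)
    for url in PAGES:
        browser.visit(url, server)
    return list(server.visits.values())


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, the widget host ends up with a single identifier carrying all three page URLs; with them blocked, every fetch gets a fresh identifier and the host sees three unlinked single-page records. In a real browser the cross-site cookie must be marked `SameSite=None; Secure` to be sent at all, per-site cookie partitioning has the same effect as the blocking branch, and the current default `Referrer-Policy` (`strict-origin-when-cross-origin`) sends only the embedding site’s origin rather than the full page path.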
It wasn’t Facebook that first told its users and the public about this, but a Dutch researcher who discovered in late 2010 that Facebook’s Like button transmitted user data even when the user never clicked on it. Facebook called the issue a bug and said it would issue a fix.
However, in September 2011, an Australian researcher found that the Like button was also tracking users online when they weren’t logged in to Facebook. The company again called this a bug and said it would be fixed.
Later the same year, Facebook said that it wouldn’t use that data for advertising purposes anyway. Fast forward three more years, to 2014, when Facebook announced that it would start using the data gathered by the Like button and other widgets to better target ads to its users.
When the Belgian data protection authority sued Facebook in 2015, the company claimed that the datr cookie is a security feature used to stop spam, fake accounts, botnets, and so on. Facebook argued that the cookie was necessary for its users’ protection and that the Belgian agency shouldn’t ban its use.
CNIL Fines Facebook
CNIL has joined the data protection authorities of four other countries (Belgium, the Netherlands, Spain, and Germany) in a European investigation of Facebook’s data practices. CNIL’s own investigation has uncovered several compliance failures on Facebook’s part.
The first failure is Facebook’s collection of internet users’ data across the web, without their consent, through the datr cookie. Under EU data protection rules, placing a tracking cookie on a user’s device and collecting personal data through it requires the user’s prior, informed consent.
Facebook’s second failure, according to CNIL, is that the company has compiled this massive collection of data for advertising purposes without a proper legal basis. CNIL’s argument is that non-users, whose data has also been collected, cannot control how that data is used for advertising the way Facebook users can, because they have no Facebook account and no settings to adjust.
The French agency also accused Facebook of not telling users on its registration forms how their data will be used, of not giving users a way to refuse the datr cookie (as required by the older “EU cookie law”), and of not demonstrating a real need to keep users’ IP addresses for the entire life of the account.
As a result of all of these violations, the agency decided to sanction Facebook with a 150,000 euro fine, which was the maximum for such violations when the investigation started. Since then, the European Union has adopted the General Data Protection Regulation, which allows national data protection authorities to issue significantly higher sanctions for privacy violations, up to 4% of a company’s worldwide annual turnover.
Facebook and WhatsApp are also under a separate EU investigation over WhatsApp’s sudden change of policy to start sharing user data with Facebook, despite initially promising not to do so.