Google sanctioned for breach of the Data Protection Act
Last December 7, the CNIL fined Google 100 million euros for violating French legislation on cookies:

On the Google search engine, the CNIL noted 3 violations of article 82 of the Data Protection Act (transposition of the ePrivacy directive):
- A deposit of cookies without prior collection of user consent: several cookies serving an advertising purpose were automatically placed when the user went to google.fr (cookies not essential to the service).
- A lack of information for users of the google.fr search engine: the information banner did not provide any information relating to cookies.
- The partial failure of the “opposition” mechanism: disabling ad personalization had no impact on any advertising cookies.
The search engine, Google's cash cow
While Google offers a multitude of services, its search engine still generates the majority of its revenue.
During the 4th quarter of 2020, Google search generated 56% of its revenue. Partner sites, YouTube, Google Play or Google Cloud represent a significant share of revenue, but they are much less profitable.
Search is strategic for Google: it has allowed it to impose its surveillance capitalism on multiple areas:
- Dominating search allowed it to become dominant in adtech, cf. "The dominance of Google's advertising markets".
- This domination is facilitated by the exploitation of your personal data, without real consent, cf. "Google associates your surfing data with your personal data, and it's hard to escape".
- Google also allows third parties to monitor you even when you take precautions, cf. "Google Tag Manager, the new anti-adblock weapon".
- The revenues generated by its search engine have allowed Google to be dominant in many areas, cf. "Google services that capture your personal data, and alternatives".
Google versus the CNIL
We therefore have:
- On the one hand the law, supposed to protect the private lives of Internet users, materialized here by a sanction from the CNIL.
- On the other hand, the exploitation of your personal data on Google's most strategic service, its search engine.
Who will be the winner?
In its sanction, the CNIL notes 2 points:
- Since an update in September 2020, Google has stopped automatically placing advertising cookies as soon as the user arrives on the google.fr page.
- The new information banner still does not allow users residing in France to understand the purposes for which cookies are used and does not inform them of the fact that they can refuse these cookies.
The CNIL indicates that Google has 3 months to correctly inform users, or face a penalty of 100,000 euros per day of delay. Now let's study what happens on the first visit to google.fr.
Google continues the automatic deposit of advertising cookies
Let's start our investigation on google.fr:
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC) and select the “Network” tab, or launch Charles Proxy.
- Then go to google.fr.
As you can see, the information banner now provides information relating to cookies, but does not allow you to easily refuse the deposit of non-essential cookies.
What does the law say? If we quote the CNIL, consent is only valid if the person exercises a real choice. In particular, "the user must be able to accept or refuse the deposit and/or reading of cookies with the same degree of simplicity". This is clearly not the case here.
Has Google stopped automatically placing advertising cookies as soon as the user arrives on the google.fr page, as the CNIL states? Let's look at the requests via Charles Proxy.
As we see, Google places the NID cookie upon arrival on google.fr. What is this cookie for? In Google's own words:
We use cookies, such as "NID" and "SID", to personalize ads on Google sites, such as Google search. For example, we use them to remember your most recent searches, your previous interactions with an advertiser's search results or ads, and your visits to an advertiser's website. This allows us to show you personalized ads on Google.
Google also indicated to the CNIL that the NID cookie pursued an advertising purpose (cf. the deliberation, paragraph 99):
The restricted panel notes that the company GIL indicated in its letter of April 30, 2020 that four of the seven cookies placed, namely the NID, IDE, ANID and 1P_JAR cookies, pursue an advertising purpose.
And yet, the CNIL emphasizes that Google has stopped this practice (point 102):
It nevertheless emphasizes that during the sanction procedure the companies made modifications to the google.fr page, which notably led, since September 10, 2020, to the cessation of the automatic deposit of these four cookies as soon as the user arrives on the page.
Was the CNIL check carried out correctly? In any case, Google continues to violate the law, cf. the CNIL website:
Consent must be prior to placing and/or reading cookies. As long as the person has not given their consent, cookies cannot be placed or read on their terminal.
Pitfalls in the Google consent journey
The Google information banner tells us:
If you agree, we will personalize the content and ads you see based on your activity on Google services like Search, Maps and YouTube. [...] Click on "More information" to discover the options available to you
If I click on "More information", I am exposed to a new information window:
Here Google details the personal data processed, the purposes, and the privacy settings. Note that the buttons are still "I accept" and "Other options": Google still does not allow you to refuse the storage of non-essential cookies.
At this point, you could get lost in Google's screens and click on "Other options", hoping to "quickly" come across the option to refuse advertising monitoring. You will see a new screen.
There, Google presents several options:
- Adjust privacy settings: This is the right option! You need to click on “Adjust your settings now”.
- Configure cookies in the browser: an option that Google does not recommend: "You can block some or all cookies, but this may prevent certain features from working on the web. For example, many websites require cookies to be enabled when you want to log in to them."
- Install an add-on to opt out of Google Analytics tracking: Google Analytics is unfortunately far from being the only tool that Google uses to monitor you on the web (Google first monitors you through advertising). Needless to say, a person concerned about their privacy will prefer to use an adblocker.
- Log in to your Google account: so you no longer see this reminder! Google actually says: “If you regularly clear cookies from your browser, you will continue to receive this privacy reminder, because we have no way of knowing that you have already seen it". The disadvantage of monitoring you by default: without cookies, Google assumes that it has the right to monitor you!
What happens if you click "Adjust your settings now"? You return to the previous step! But you weren't paying enough attention: the step contains links for changing settings.
The obstacle course is not over.
16 additional clicks to opt out of monitoring
So let's click on "Change search parameters":
So let's uncheck "Saving searches", then click on "Back" and finally on "Change ad settings":
Here you need to uncheck “Google Search Ads Personalization” and “Web Ads Personalization”. With these settings checked by default, Google allows itself to monitor you on "more than two million websites that partner with Google for serving ads."
When you uncheck “Personalization of ads on Google search”, you are entitled to a little extra surprise:
Are you really sure of yourself? Google makes it even more difficult for you: your searches say a lot about you...
And when you click "Disable", Google displays a beautiful message:
"It may take some time for our systems to take this change into account."
Google shouldn't expect you to pass the obstacle course! Same punishment if you click on the “Disable” button for “Personalization of ads on the Web”:
Here too, we see that it is complicated for Google:
If you want to install other "opt-out" cookies, which only disable ad personalization but still let adtech companies monitor you, Google will redirect you to the advertising industry website:
You can also opt out of ad personalization for over 100 other online ad networks.
Return to the information banner again and now click on “Change YouTube settings”:
This time, you are directed to the YouTube site, you still need to uncheck “Videos you watch on YouTube” and click on “Clear watch history”:
Then you need to uncheck “Videos you are looking for on YouTube” and click on “Clear search history”:
And to crown this wonderful journey, when you return to the information banner, you must click on "I accept" (this remains the only way to delete this information banner, even if you have just refused everything):
In total, if you take the quickest route, you need 17 clicks!
During the “non-consent” journey, monitoring continues
What happens during this “non-consent” journey? Looking at the requests via Charles, we see that Google continues to feed its advertising services, including Google Analytics and DoubleClick.
Despite your refusal, you continue to be monitored by Google on the web
Following this obstacle course, let's visit the site Lemonde.fr (stuffed with trackers, cf. "Consent: the worst user experience and surveillance with Lemonde.fr") and filter the requests sent to Google.
As you can see, Lemonde.fr likes Google.
Bad luck, Google did not delete the NID cookie. As a result, many requests are sent from the Lemonde.fr site to Google with your identifier stored in the NID cookie (reminder, this is an advertising cookie). So the following violation is still valid:
When a user deactivated the personalization of ads on Google search by using the mechanism made available to them from the “Consult now” button, one of the advertising cookies remained stored on their computer and continued to read information to the server to which it is attached.
The restricted panel therefore considered that the “opposition” mechanism put in place by the companies was partially defective, in violation of article 82 of the Data Protection Act.
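The two checks made by eye in this article (the cookie deposited on the first visit to google.fr, then the cookie sent back to Google from Lemonde.fr after the refusal) can be run as a script over a HAR export of the capture. This is an added example, not the author's tooling: the `audit_har` function, its `consent_at` parameter and the sample capture are constructed for illustration, and only the four cookie names come from the deliberation quoted above.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Cookies that, per the CNIL deliberation quoted on this page, pursue an advertising purpose.
AD_COOKIES = {"NID", "IDE", "ANID", "1P_JAR"}

def _values(message, header):
    """Values of one header in a HAR request/response; repeats may be newline-joined."""
    return [part for h in message.get("headers", []) if h["name"].lower() == header
            for part in h["value"].split("\n")]

def _when(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def audit_har(har, consent_at=None):
    """Return (deposits, reads) of advertising cookies seen without consent.
    consent_at: ISO 8601 time of the "I accept" click (hypothetical parameter), or
    None if consent was never given (first visit, or everything was refused)."""
    deposits, reads = [], []
    for entry in har["log"]["entries"]:
        if consent_at and _when(entry["startedDateTime"]) >= _when(consent_at):
            continue  # consent had been given; outside the scope of this check
        req, resp = entry["request"], entry["response"]
        host = urlsplit(req["url"]).hostname
        referer = next(iter(_values(req, "referer")), "")
        for line in _values(resp, "set-cookie"):      # cookie placed on the terminal
            name = line.split("=", 1)[0].strip()
            if name in AD_COOKIES:
                deposits.append((host, name))
        for line in _values(req, "cookie"):           # cookie read back by the server
            for pair in line.split(";"):
                name = pair.split("=", 1)[0].strip()
                if name in AD_COOKIES:
                    reads.append((host, name, referer))
    return deposits, reads

# Constructed sample capture (all values made up): first visit, then a third-party request.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2021-01-15T10:00:00.000Z",
     "request": {"url": "https://www.google.fr/", "headers": []},
     "response": {"headers": [{"name": "Set-Cookie",
         "value": "NID=constructed-value; path=/; domain=.google.fr; HttpOnly"}]}},
    {"startedDateTime": "2021-01-15T10:20:00.000Z",
     "request": {"url": "https://www.google.fr/constructed-endpoint", "headers": [
         {"name": "Referer", "value": "https://www.lemonde.fr/"},
         {"name": "Cookie", "value": "EXAMPLE_PREF=1; NID=constructed-value"}]},
     "response": {"headers": []}},
]}}
```

To audit a real session, export the capture as HAR from the Chrome Network tab or from Charles and pass the parsed JSON to `audit_har`.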
Will Google offer a real consent mechanism?
The CNIL sanctioned Google for obligations that pre-existed the GDPR (article 82 of the Data Protection Act, transposition of the “ePrivacy” directive).
However, since October 1, 2020, the CNIL has published its amending guidelines as well as a recommendation relating to the use of cookies and other trackers. The CNIL asked the actors to comply with the rules thus clarified, considering that this adaptation period should not exceed six months.
Refusing trackers should be as easy as accepting them. The CNIL recommends that the consent collection interface not only include an “accept all” button but also a “refuse all” button.
Users must be able to withdraw their consent easily and at any time.
We are therefore impatiently awaiting April 1st and Google's compliance in order to be able to refuse its surveillance in 1 click (and not in 17 clicks)... In reality, even the obligations prior to the GDPR are flouted:
- Google contested its 100 million euro fine before the Council of State.
- As we have seen, Google monitors you via the NID cookie, even before your consent but also after your refusal of consent.
- Trying to refuse Google surveillance is an obstacle course.
- It is reasonable to doubt the dissuasive nature of the CNIL's sanctions, if indeed it manages to get paid. 100 million euros and 100,000 euros per day (or 36 million euros per year), it's not that expensive for Google.
Google is the most striking example of this consent lie, but the French web is infested with sites that violate your privacy, for example:
- "The big sale of your personal data on Le Bon Coin".
- "Collecting consent on the internet: a widespread lie".
It remains to be seen whether the CNIL will impose dissuasive sanctions from April 1.
Your alternatives to avoid Google surveillance
If we restrict ourselves to the Google search engine (the subject of this article), you have other options such as:
- DuckDuckGo: an American search engine that does not monitor you. The interface is clean, the search engine is one of the default choices on Safari, and the bulk of results are based on Bing.
- Qwant: the French version, with a less refined interface; the bulk of the results are also based on Bing.
- Ecosia: the German version. Ecosia donates 80% of its profits to non-profit associations that work on reforestation programs, mainly in southern countries. Ecosia is also primarily based on Bing.
- Startpage: the Dutch version, the interface is refined and the results are those of Google. So, it's my choice (Google results are often much more relevant than Bing). Startpage has become controversial since it was acquired in 2019 by a company with adtech interests (you can form your own opinion while reading this article).
It is interesting to read why Google provides its search results to Startpage:
Why does Google let Startpage access their search results? Startpage.com has a contract with Google that allows us to use their official "Syndicated Web Search" feed, so we have to pay them to get those results.
Unlike Bing, which provides its results to numerous meta-engines (DuckDuckGo, Qwant, Ecosia...), Google is stingy with its search results. Startpage seems to be the only one to have access to them. For how long?