back to article It takes more clicks to reject their cookies than accept them, so France fines Facebook and Google over €200m

Google and Facebook have come a little unstuck in the cookie department as French watchdog Commission Nationale de l'Informatique et des Libertés (CNIL) slapped the pair with a €150m and €60m fine respectively. The CNIL kicked off its investigations after receiving complaints regarding the way cookies can be refused on …

  1. Korev Silver badge

    But it's in their "legitimate interest"

    1. Rich 2 Silver badge

      Yea - where did that ridiculous “legitimate interest” shite come from? Is it an attempt to make you feel bad for clicking “bugger off”?

      1. Cederic Silver badge

        No, it's because there are multiple valid reasons a company may process your data whether you like it or not.

        For example, they may have a legal obligation to issue you a refund long after you've closed your account. To do that they need to track you down and assure that they've found the right person, something that requires private data about you.

        1. Nifty Silver badge

          "they need to track you down and assure that they've found the right person"

          Erm... they need cookies to determine your identity after you've closed an account? Pull the other one, it's got bells on.

          1. Cederic Silver badge

            I was discussing the legal need for 'legitimate interest', which exists independently of but can also apply to cookies. I used an example that should get through even to people that seem to need communication via idiophonic percussion.

            1. Jamie Jones Silver badge

              Don't be so obtuse - there is a huge difference between registering on a site you are purchasing good from, and being tracked by cookies for no reason when you are browsing a site anonymously.

              No-one has suggested that Amazon should randomly send goods out to unauthenticated visitors.

              1. mevets

                point taken....

                But to be fair, Amazon does have a patent on sending you stuff you didn't order (speculative fulfillment?) which is not that different.

                1. spold

                  Re: point taken....

                  .... I thought that was more about sending you stuff that you might have ordered last night after having a few too many wobbly pops.... of course, we have never done that ???

                2. JimboSmith Silver badge

                  Re: point taken....

                  Patent? They sent me a hen party wedding veil instead of the memory stick I ordered. When I called and pointed this out they said keep the veil and we’ll send out the correct item asap. To be fair they did and I donated the veil to a local charity shop who were bemused that I had it.

        2. Rich 2 Silver badge

          “ For example, they may have a legal obligation..”

          So how does a tracking/advertising cookie fall into the “legal obligation” camp? Or ANY “legitimate interest” camp come to that?

          1. Cederic Silver badge

            Well, at risk of yet further downvoting from people that choose not to understand the law, consider marketing purposes.

            It's reasonable and appropriate for websites to market goods and services to you, and to seek to tailor that marketing to meet their understanding of your needs. They have a legitimate interest in processing your personal data to do this, and using a cookie to support that activity should be legal.

            Don't ask me, ask the ICO:

            But look, I didn't write the law, I don't enforce it, I don't grant permission for any marketing or tracking cookies and I block them using browser plug-ins. If you really don't like a site's claim of Legitimate Interest go write to the ICO about it.

      2. Pseu Donyme

        re legitimate interest

        Come to think about it, 'legitimate interest' has no business being mixed with cookie consent: the EU 'cookie law'* requires consent for storing cookies on user devices, there is no alternative to consent such as legitimate interest or other GDPR Article 6(1) lawful basis.

        * ePrivacy Directive (2002/58/EC) amended by Directive 2009/136 with the CJEU Planet 49 (C-673/17) decision (with the latter bringing in GDPR consent; as such the ePrivacy Directive predates and is distinct from the GDPR)

      3. Anonymous Coward
        Anonymous Coward

        Legitimate interest

        There seems to be some confusion as to what that means.

        To illustrate with an example: you have a raffle and each one of us can only register once, in the interests of fairness to all other concerned. Within that context, a company keeping track of who has registered in order to detect duplicates would most likely be considered a valid legitimate interest, whereas the same company using the data to send advertising to you would not. They could separately ask for consent for that, providing clear information, etc., but it's not legitimate interest.

  2. Captain Scarlet Silver badge

    Reject all

    I personally tend to allow site to store information, select functional and reject anything else (Unless forced to click more than a few, anything with legitimate interest options gets the reject all button clicked then the site closed).

    I am wasting years of my life with this crap

    1. John Robson Silver badge

      Re: Reject all

      Browser makers really need to offer an option "save cookies for this site, but scrap them when the tab is closed" along with a list of the cookies with any potentially useful ones (e.g. login token, basket contents) being filtered to the top of the list to be manually excluded.

      1. Brewster's Angle Grinder Silver badge

        Re: Reject all

        Firefox lets you delete all cookies when the browser closes. That suits me, not least because I tend to leave tabs open.

        1. RegGuy1 Silver badge

          Re: Reject all

          Bob on. EVERY DAY. Delete all your cookies EVERY DAY.

          It's not a magic fix but it makes it harder for them.

          Every day. All of them.

        2. Alumoi Silver badge

          Re: Reject all

          Cookie AutoDelete. Available for FF and Chrom*. Nuff said.

          1. DS999 Silver badge

            Re: Reject all

            Upvote for this. I use this and it lets you autodelete cookies after you close the last tab for a given web site. I have about a dozen sites whitelisted (including the Register) where I allow them to persist until I close the browser, which happens about once every month or two when I reboot for some reason.

            The net result is that I can blithely click "accept all" to get rid of the stupid annoying dialog on a one-off site I'm visiting, and the cookie monsters get nothing since all the cookies go away a few seconds/minutes later when I close that tab!

            1. JetSetJim

              Re: Reject all

              While I generally allow some sites, it is somewhat ironic (not the Alanis Morisette version) that El Reg is running this headline while also being "guilty" of the practice. Accept all El Reg cookies - 1 click. Customise El Reg cookie settings - 2 clicks (assuming "Tailored advertising" and "analytics" are default unticked in this dialog).

              Wish someone would do something sensible about Javascript, too, but it would no doubt be abused by all and sundry so perhaps should keep quiet about this and deal with the pain of working out which domain is needed for a website to actually function (in particular 3rd party payment processors)

        3. Anonymous Coward
          Anonymous Coward

          Re: Reject all

          Honestly, I bet that they feel allowed to reinstate those cookies as soon as you connect again if you've not explicitly rejected them. They're good at browser fingerprinting, and in addition to home IP addresses being very static nowadays, it's easy enough for them.

        4. Graham Cobb Silver badge

          Re: Reject all

          Firefox containers go even further: they let you keep cookies separate for different tabs on the same site, as well as throwing them away when you close the tab. I have a very, very short list (it has no more than 3 or 4 sites on it) where I allow their tabs to share or retain cookies. The list does include ElReg, of course!

          1. mevets

            Miles off topic....

            Do you know of a way to do container routing; so that all pages I open for go to one container, while goes to another?

            1. Graham Cobb Silver badge

              Re: Miles off topic....

              Yes, using Firefox 78.0.14esr on Debian Bookworm - other versions may be different.

              I use two extensions: Firefox Multi-Account Containers and Temporary Containers. I can't remember exactly how they divide up the tasks, but between them they let you specify that tabs should by default open in their own container but you can assign a shared container to all the tabs for a particular site if you wish.

              For example, I have a container for ElReg, one for Amazon and one for Programming (which includes GitHub and few FOSS sites). Everything else opens in per-tab temporary containers. And you can tell a tab to reopen in a different container if you want (which I use occasionally to login to a site using a GitHub account, for example - others might do the same with a Facebook account or something).

        5. LybsterRoy Silver badge

          Re: Reject all

          Same here with Maxthon. I also installed "I don't care about cookies" since I don't really.

      2. iron Silver badge

        Re: Reject all

        Apart from the last part about manual exclusion you just described private browsing mode.

      3. alain williams Silver badge

        Re: Reject all

        You want "save cookies for this site, but scrap them when the tab is closed". Install cookie autodelete which does just that.

        1. John Robson Silver badge

          Re: Reject all

          Does it have configurable exclusions for sites which require login tokens to be retained?

          1. jonathan keith

            Re: Reject all


      4. Jamie Jones Silver badge

        Re: Reject all

        chrome on chromebook has exactly that - at default - no third party extensions required... I assumed all chrome instances do, but I only use chrome on the chromebook, so maybe not.

        theregister is one of only 4 sites I have whitelisted.

        It does however mean you're constantly getting those "please accept our cookies" popups on just about every site

    2. Chris G

      Re: Reject all

      I see quite afew sites that don't have a reject all button, have a few basic on off buttons and then hidden away in the 'our partners' section, dozens of legitimate interest buttons.

      I just reject the entire site as it is obvious they have less interest in doing business with me than taking and selling/sharing my data.

      These sites have a standard format that somebodyhas sold them, so now the moment that box appears, I go elsewhere.

      1. MrReynolds2U

        Re: Reject all

        The Formula One website is horrific for that.

        You think you've blocked it all and then you expand something and scroll down past hundreds of "partners" with a toggle next to each one.

        Anyone got any worse examples?

        1. Inkey

          Re: Reject all

          National geographic....

          Fucking ludacris 46 trackers alone ....

          Heart fm (rubbish radio station).... cant remember why i went there ...gave up ... 52 cookies didnt stick around to check illagitimate "interest"

          We care about your privacy and security

          Then stop fucking tracking, monitoring and slurping

          as much of my usage as possible....

          Now that the mood board, kinwah fart sniffing brigade are all earth friendly, would love to know what all this extra commpute does in terms of energy comsumption ?? Since bitcoin gets a rapp why not cookies and tracking and over use of java script

        2. IGotOut Silver badge

          Re: Reject all

          Anyone got any worse examples?

          Pretty much every "news" site.

      2. yoganmahew

        Re: Reject all

        If you are not in the UK, the BBC site, yes, the BBC, has a monster list of advertising trackers and there is no Reject All button...

        1. Piro Silver badge

          Re: Reject all

          Yup, it's horrendous.

    3. Persona Silver badge

      Re: Reject all

      I am wasting years of my life with this crap

      Countless years of human effort are lost to this crap. I accept all cookies. My only browser extension is "I don't care about cookies" which at least stops some of the crap. As I've said before I wish there was a browser setting I could set to take me back to those happy and productive days when I didn't need to choose cookies to accept or agree to privacy policies before being able to do anything productive.

      1. MiguelC Silver badge

        Re: Reject all

        I also use the "I Don't Care About Cookies" add-on to ignore/auto accept cookie requests, but I use it in conjunction with the "Cookie AutoDelete" one. So, while I may accept all cookies, they are purged after I quit the site. Maybe they still keep some identifying data on their side or some persistent stuff on mine, but, with the help of NoScript and uBlock Origin I feel I have my back pretty well covered. Am I missing something?

        1. KittenHuffer Silver badge

          Re: Reject all

          Missed anything? Yup!

          Canvasblocker - Which help block fingerprinting

          ClearURLs - Removes tracking elements from URLs

          Tracking Token Stripper - Fsck Google



  3. Red Ted

    A Google spokesperson said...

    "People trust us to respect their right to privacy and keep them safe...."

    They what?!

    I rather think that most people either A) don't realise how much G invades their privacy or B) regard them as a necessary evil to get stuff done on the great wide interwibble.

    1. ClockworkOwl

      Re: A Google spokesperson said...

      Or C) Avoid them like a syphalitic sex toy...

    2. iron Silver badge

      Re: A Google spokesperson said...

      D) Regard them as evil.

      Yes I do use Google search. Yes I do have an Android phone. That is as far as I'm willing to go.

      I still don't consider Google a 'necessary' evil, just evil.

      But not as evil as Zuck. I will not use his companies' products ever.

      1. Tilda Rice

        Re: A Google spokesperson said...

        hrhr Iron. Search and Android. That's like 90% of your digital intent, fingerprint and private details.

        1. Graham Cobb Silver badge

          Re: A Google spokesperson said...

          Yes. Don't use them for search: DuckDuckGo is good and there are other options (I use a personal Searx instance - but it isn't to everyone's taste). As for Android, /e/ is a reasonable alternative with much Google stuff removed.

          1. Anonymous Coward
            Anonymous Coward

            Re: A Google spokesperson said...

            Also you their (duck duck go) browser, everything deleted after closing the tab, tracking removed etc.

          2. Ken G Silver badge

            Re: A Google spokesperson said...

            Qwant is French based.

      2. David 132 Silver badge

        Re: A Google spokesperson said...

        > But not as evil as Zuck. I will not use his companies' products ever.

        I’ve never meta person who would.

    3. Anonymous Coward
      Anonymous Coward

      Re: A Google spokesperson said...

      A Google spokesperson lied would be both more accurate and save copious data transfers.

    4. Kevin McMurtrie Silver badge

      Re: A Google spokesperson said...

      Google operates like a cult. They have thousands of employees believing they protect privacy even while they're a cog in the system that uses extremely sensitive data for manipulation.

  4. Jedit Silver badge

    It's not enough

    When countries start issuing the multi-billion fines that Facebook deserve for their advertising practices, then we'll talk. There is no rule that they won't break, no invasion of privacy they won't make, if someone has paid them to force an advert on you. They'll show you adverts for things that are forbidden by their own rules - and in some cases, international law - from companies that you have blocked. They'll even cancel your decision to block a company, literally unflagging a setting and acting like you never set it.

    1. Jellied Eel Silver badge

      Re: It's not enough

      I don't think fines are the right solution. Mainly because they can just become cost of sales and probably expensed.

      A simpler solution should be to just adopt the same tech utilised to monitor other home invaders. So fit all C-level execs involved in privacy invasion with ankle tags. Then for every type of data slurped, publish that under each execs corporate bio page. Add say, 10yrs in jail for any attempt to avoid publication of their 'private' information.

      It may just be a way to administer a clue-bat, although may require building a few more prisons.

      1. Yet Another Anonymous coward Silver badge

        Re: It's not enough

        Then how do you pay for the sites?

        Obviously all TV should have a menu where I have to select seeing adverts, and it's only fair that the default must be no ads, but there must also be no licence fee.

        1. ecofeco Silver badge

          Re: It's not enough

          Pay? For sites? Why should I?

          If half the websites in existence were suddenly gone tomorrow, I would not miss one single one.

          If simple banner ads are not enough to pay for operations, it's not my problem.

        2. Anonymous Coward
          Anonymous Coward

          Re: It's not enough

          It's been shown time and time again that ads should be tailored to the page content, not the visitor.

          It's common sense.

          No tracking needed.

        3. doublelayer Silver badge

          Re: It's not enough

          Some options:

          1. Ask for donations.

          2. Non-creepy ads, following the laws in place.

          3. Demand money and don't let me see the content unless I pay.

          4. Go out of business and let someone else try.

      2. swm Silver badge

        Re: It's not enough

        No - jail terms for executives.

  5. Dave314159ggggdffsdds Silver badge


    Why don't they just ask nicely* instead of imposing ludicrous, unlawful fake penalties that will never be paid and are completely unenforceable?

    [*If the ICO asks nicely, you still have to comply.]

    Oh yes, because it's just political grandstanding.

    I agree that wrist-slaps are deserved by companies who make it too hard to opt out, but this is silly.

    1. nematoad Silver badge

      "...ludicrous, unlawful fake penalties..."

      Unlawful? Who says?

      It's the French imposing this fine for activities conducted on French soil so unless the US and France have a secret treaty which says that US companies only answer to US law when ever they conduct business in France then the fines are lawful.

      As for ludicrous, well if Google wants to play on French turf then they must accept French rules, and if they don't they either pay up or leave.

      I have no idea if you are a US citizen but a world exists outside the US with their own laws and sovereignty.

      1. Ken G Silver badge

        It would be educational if, once the issue is fixed in France, another EU country imposes a similar fine, then another, until it becomes cheaper for MetaGoogle to comply with GDPR throughout the community.

    2. Dinanziame Silver badge

      Oh, you can be sure that Google and Facebook are paying these fines. It's not much for them, and that is fine, considering the issue is not so important. But they are paying.

    3. Anonymous Coward
      Anonymous Coward

      We French have a saying: «nul n'est censé ignorer la loi».

      That particularly applies to company who literally spend millions paying lawyers.

      The CNIL even conveniently published a how-to describing the rules, with pictures, that many websites with much less income than Google managed to understand :

      So arguing that Google is still too new at the World Wide Web thingy, had no idea they could search the internet to find that information and needed somebody to come hold their hand to guide them, that's unlikely to work.

      1. Dinanziame Silver badge

        The saying is very nice and all, but the unfortunate truth is that the law is often unclear, and you sometimes don't know what it means until a judge says so. The French civil law system is slightly more clear on that point than the Anglosphere common law, which is worse because it explicitly puts court rulings above written statutes. When it sometimes takes years for courts to reach a final decision, it's a bit taking the piss to claim that "everybody should know the law".

        1. Anonymous Coward
          Anonymous Coward

          "it's a bit taking the piss to claim that "everybody should know the law"."

          Not really, as ignorance isn't a defense in law.

          1. Anonymous Coward
            Anonymous Coward

            Well, you're certainly no lawyer.

            For the vast majority of laws (at least in common law countries), ignorance of the law (and therefore lack of guilty mind) is most certainly a very valid defense. And that's true to the extent that it's the default, and when a governing body intends otherwise, intends to create what's known as strict liability, that MUST be explicitly written into the law.

            For the vast majority of laws, no criminal intent == no crime.

            1. Anonymous Coward
              Anonymous Coward

              I presume you're talking about mens rea, in which case you've massively missed the mark.

              Criminal intent has nothing whatsoever to do with knowing or understanding the law.

              If you run out of a shop with a bottle of wine without paying you may (should you be believed) have a lack of intent defense if you forgot the bottle was on your person (and you intended to pay for it).

              You absolutely would not have a defense if you weren't aware it was a crime.

  6. 404 Not Found

    Can I piont out that is takes two clicks here to reject, but one to accept as well.

    1. Anonymous Coward
      Anonymous Coward

      The flow here is much, much better though: the reject click locations are not intentionally spaced to make it more difficult. Unlike Google, which somehow is not able to display 3 buttons on a single screen, and forces to scroll down to reach them all.

  7. heyrick Silver badge

    Oh thank god.

    There are quite a number of sites with a boilerplate list of dozens of trackers and scum, with an easy to use button to disallow cookies except the many marked as "Legitimate interest" that need to be selected one by one by one.

    It's horseshit anyway as this boilerplate rubbish always lists the same sites over and over. Forget one, and I'm pretty sure they'll accept that as given consent over and above the many times you've said get lost.

    But, yes. Accept all needs a corresponding Reject all.

    1. fuzzie

      Re: Oh thank god.

      Lots of sites seems to use OneTrust to present their cookie validation dialogue. And the arms-long list of partners and vendors you mention is probably the list from IAB (some advertising conglomerate). That's like three hundred or so "partners" all claiming legitimate interest and you often have to go unselect them individually. Some one should just slap down OneTrust for not following the symmetrical UX rule.

  8. Potemkine! Silver badge

    All websites (including this one) should have a one-click policy to allow or reject cookies. Period.

    Anything else is a weaselish tactic to try to get personal data from users.

    1. Pascal Monett Silver badge

      This site is one of the rare ones that, when you ask to check which cookies are enabled, only list essential cookies as on - the rest are unchecked.

      So El Reg is a step above many others in this regard.

      1. Potemkine! Silver badge

        Editor should be half spanked then ^^

        1. Korev Silver badge

          Bring back the..... Moderatrix!

    2. Stork Silver badge

      My experience is that a large number of German and Scandinavian sites have either a “reject all” or “only necessary “ button. UK and Iberian sites you often have to switch off by category, and with US sites you consider if it really is that interesting.

      Similarly, I often find settings mostly off in the first group and everything on in the latter.

    3. Cederic Silver badge


      I have a 'do not track' toggle set in my browser. Its status is provided in my HTTP headers. If sites read and acted on that, my cookie preferences would be known to them with zero clicks.

      Give 'do not track' legal force, backed by the right to make financial claims for breaching it. Let's see Facebook survive 800 million individual lawsuits.

    4. Anonymous Coward
      Anonymous Coward

      "All websites (including this one) should have a one-click policy to allow or reject cookies. Period."

      Nah. Every website should not use cookies at all. Period.

      There is no valid reason to have these. But plenty of evil ones.

      As well as making the interwebs a much nicer place, getting rid of cookies would seriously piss off advertisers, marketroids, influencers (whatever they are) and the other unpleasant life-forms who are all destined for the B ark. Which is a bonus.

      1. bpfh Silver badge

        Don't touch my session cookies!

        But persistant ones, I'm happy to kill.

        Also, if your site only uses session cookies for the basic actual use of a website after login, and no others, then you don't need a cookie accept banner as there isn't really anything.

        Unfortunately, as it's a fashion to install as many ad brokers and marketers on your website and load JS from 90 external domains and a couple of meg of leery code (yes, Daily Mail, you were the worst offender the last time I looked).

        Also, if you want to do stats, you do have server logs, and you can anoymise those by stripping the 4th byte of the dotted quad... but for a lot of companies who don't have any IT knowledge, it's easier to shove a "service as a service" from some 3rd party on there and manage your site from there rather than rolling your own.

        1. fuzzie

          Re: Don't touch my session cookies!

          You do call out a good point that's often lost in the noise. The regulations does not require the cookie consent banner if you use any cookies, only if you use cookies which could be viewed as tracking and/or storing personally identifiable information. Simply session cookies or retaining your cookie preferances are perfectly fine and doesn't need a pop-up.

          Of course, many companies are acting very passive aggressive about this and making the experience worse for the users, presumably in order to "show them how bad these laws are".

      2. swm Silver badge

        There is a site that factorizes numbers. It uses cookies so you don't have to restart a computation. The site works perfectly well if you disable all cookies.

      3. Anonymous Coward
        Anonymous Coward

        re: Every website should not use cookies at all. There is no valid reason to have these.

        Hey everyone! The poster over here has never done any web development!!!

      4. julian.smith

        influencers (whatever they are)

        Influencers = Brand Whores

  9. RPF

    CookieAutoDelete is my friend.

  10. mark l 2 Silver badge

    I wonder if it would be technically possible for a browser extension similar to Ublock origin to be developed that can automatically reject none essential cookies for you, rather than have to manually wade through loads of options?

    1. bpfh Silver badge

      If ublock blocks the domain that serves the tracking code...

      ...then the tracking code does not get run and it's corresponding pixels don't get set.

  11. Whitter

    Opt in

    Necessary cookies (logged in etc) - you don't need to tell anyone but can if you want.

    All others: opt in.

    Not an opt out, no matter how few clicks implment it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Opt in

      Brilliant idea, mate!

      I can't wait for page after page of opt-in before being allowed to even glance at the site.

  12. glennsills

    I would say that 90% of the cookie opt-in procedures make it much easier to opt-in than opt out. There should be three options on the dialog:

    1. Opt-out - (May provide a warning that things might not work properly)

    2. Opt-in Fully (Should indicate what you are getting yourself into)

    3. Opt-in to cookies used for distinct reasons - this should provide a method of selecting cookies used for website operation, marketing cookies, performance measurement cookies, ...

    Anything other than this is an attempt to get consent for marketing cookies.

  13. Anonymous Coward
    Anonymous Coward

    Funny ...

    that only FB and Google are fined.

    Because, every single french newspaper site is exactly like FB and Google, as far as cookies go. Plus thousands of other french sites, of course.

    But probably it's better seen, politically, to fine FB and Google, rather than Le Parision, Media Part, Le Monde etc ...

    1. Yet Another Anonymous coward Silver badge

      Re: Funny ...

      That's the danger of using fines as an alternative to tax for multi-nationals. It becomes very political which companies get asked for money, and the reprisal sanctions tend to hit a lot of bystanders

    2. DS999 Silver badge

      Re: Funny ...

      I see tons of sites doing this, but the logic of going after Google and Facebook first is that they are big, so the fines will be big.

      That 1) scares the smaller sites into complying and 2) gives them the funding necessary to go after the smaller sites who don't comply.

    3. heyrick Silver badge

      Re: Funny ...


      The paper I read - - pops up the usual cookie nonsense with Accept and Customise options, and below that in smaller text is "Continue without accepting".

      Just looked at and they offer the exact same choices, including the continue without accepting (at the top this time).

      So that's the first two French papers I've looked at (and the only two I can remember the names of) that are not at all like Facebook and Google. Oh, and if you go to customise the cookies (on either site, just tried it) all the additional non-essential crap is off by default.

      1. John Brown (no body) Silver badge

        Re: Funny ...

        "Oh, and if you go to customise the cookies (on either site, just tried it) all the additional non-essential crap is off by default."

        That's also the case with the vast majority of the reputable UK sites I use too.

  14. Dave Pickles

    Saying "no cookies" involves setting a cookie

    A site has to store the fact that you've said 'no' to cookies, which it does by ... storing a cookie.

    Sites should have a standard query string which specifies the user's choice without using cookie storage. This would avoid those of us who delete cookies on browser exit having to go through the preference rigmarole _every single time_.

    1. DS999 Silver badge

      Re: Saying "no cookies" involves setting a cookie

      You think the web sites want to make it easier for people to reject their tracking?

    2. Graham Cobb Silver badge

      Re: Saying "no cookies" involves setting a cookie

      THERE IS A STANDARDISED MECHANISM! But every site ignores it.

      Make honouring "Do Not Track" a legal requirement so that there are fewer clicks to opt out than to opt in!

    3. Pseu Donyme

      Re: Saying "no cookies" involves setting a cookie

      Quite, as long as this is framed as opt-out instead of opt-in; with opt-in the cookie would be needed to store the fact that the user has in fact opted in (including to storing the opt-in cookie itself). Opt-in, of course, is the proper, GDPR way of doing things. Besides, most anything really necessary can be done with session cookies which don't fall under the EU 'cookie law' / ePrivacy Directive as they are by definition not stored on user devices (this, of course, hangs on the exact meaning of 'store' in this context; given that the legislator's intent here is protecting privacy by preventing tracking allowing session cookies without consent seems reasonable as they aren't much good for tracking).

  15. Rich 2 Silver badge

    Good for France

    Bloody good on ‘em for actually doing something about this glaringly abusive behaviour.

    Why it has taken so long (when did the cookie law come in???) is anyone’s guess but still a good move

    1. Pseu Donyme

      Re: Why it has taken so long

      The 'cookie law' is actually EU Directive 2009/136, an amendment to the ePrivacy Directive (2002/58/EC) so it dates back to 2009. However, at the time it was - unfortunately - left open what exactly consent for storing cookies on a user device means and so the likes of Google and Facebook came up with the aggressive interpretation that things like 'consent' banners with only an ok-button would do.

      Eventually (01OCT2019) there was the CJEU Planet 49 (C-673/17) decision though: GDPR consent rules apply to cookie consent. So it seems it took about two years from that to a decision by the CNIL. This doesn't seem too bad given that Google and Facebook have likely worked hard to delay it; now, of course, they will appeal and will no doubt work even harder to drag that on as long as possible.

  16. Paul Hovnanian Silver badge

    No cookies for the French

    Let them eat cake.

  17. Version 1.0 Silver badge

    Let's change it

    I think that the Internet would be a lot nicer if we banned all cookies and payments for advertising - this would have the potential to significantly boost social media but would make visiting a social media site reasonably harmless. "Advertising" for your products would be completely fine on your own website and while social media could talk about things, it need to be illegal to steal and sell their users.

    Imagine a world where people can make a little money by just being "good" people?

  18. Anonymous Coward
    Anonymous Coward

    Looks more like GG and FB do this deliberately, and regard cookies as a straw man, that keeps eyes focused off the ball i.e the actual tracking that doesn't use cookies at all, and hasn't for years.

  19. ZekeStone

    Web browsers are part of the problem

    In the past, you could set your web browser to prompt whether to accept a given cookie. It was a bit of a hassle when you went on a site for the first time. But was interesting as it showed how much tracking crap some sites wanted to put on your computer.

    They have since gotten rid of that functionality and I have to wonder how much marketing and analytics companies paid them to remove that feature.

    I never saw a good reason (at least not good to me or general consumers) for that feature removal.

  20. John Brown (no body) Silver badge

    And why are some cookies so big?

    Just looking at existing cookies from the current session, and I see 4 cookies from taking up 1.5MB of space. There are other offenders too. Most of the cookies are under 700 bytes. Why are so special?

    1. JWLong

      Re: And why are some cookies so big?

      Weatherbug was considered a virus 20 years ago.

      1. John Brown (no body) Silver badge

        Re: And why are some cookies so big?

        Yeah? Not one I've come across before. I've no idea which site dropped that cookie on me. Sometime in the past few day I must have unblocked scripting/cookies for some site or other and got it from there.

  21. Anonymous Coward
    Anonymous Coward

    I have a number of other complaints...

    Where can I alert the French authorities to almost every site on the internet?

  22. Omnipresent

    I use it all...

    mozilla, all script blockers, tracking blockers, I delete cookies AND off line data after *every use, and then I turn off my wifi until I need the interwebz again. Not a lie.

    Then I make sure I have updates and everything it might download paused for thirty days before I turn the interwebz back on. I don't always catch it before I turn my pc back on, so I usually just use a very old mac for anything web related and then clean it all afterwords. This is how we have to use the web now.

    I still know they are collecting me by ip. They are the spyware.

    1. julian.smith

      Re: I use it all...

      You don't "use it all" .... wait until you discover VPNs

      Much of your "protections" can be switched off

  23. Fursty Ferret

    Wonder if they'll go after that awful company (TrustArc) that makes you wait for two minutes while they "update their records" if you click reject?

  24. naive

    Be careful what you wish for....

    To learn more about protecting privacy I have been playing around with VPN's, virtual one time use VM's and strict browser settings to reduce exposure to the evil G.

    The result is that I now get bombarded with cat food, lipstick, perfume and mascara commercials when watching my daily sequence of history, car and gun youtube videos.

    It really amazed me that this happened, since none of the commercials served make any sense based on the selected content.

    Probably it is just G's way to flip the finger.

    My take from this is that it is debatable whether creepy ads are worse than non-sense ads.

    If cookies are the price to get relevant ads, ads which will be served anyway since sites like youtube cost fortunes to run, perhaps it is an acceptable tradeoff.

    1. heyrick Silver badge

      Re: Be careful what you wish for....

      There are ways to watch YouTube streams independently of YouTube's control. Bonus: no invasive tracking¹ and no adverts.

      ¹ - they'll still have your IP address, but this doesn't seem to be used as what you watch outside of the YouTube environment doesn't affect their automatic suggestions.

  25. Reality_Cheque

    Erm... glass houses?

    Here on The Register site. "Accept All Cookies" not "Reject All Cookies" but rather "Customise Settings".

  26. EricB123 Bronze badge

    I Couldn't Have Said it Better

    "It is also unlikely because it requires motivation and 'guts' to do this."

    Exactly why the USA will never do this.

  27. jdiebdhidbsusbvwbsidnsoskebid

    3 months?!?

    Why have they been given 3 months before they get daily fines? Surely if they've been found guilty now, they should be fined every day from now, for continuing to fail to adhere to the law that had been in place for years.

  28. SpamuelBeckett

    Funny, i've never noticed a rejected cookies button on The Register...

  29. Anonymous Coward
    Anonymous Coward

    CNIIL (pronounced Kneel, K as in Knuth)

    > "It seems that France remains on the forefront of data protection enforcement."

    Yep. Say what you want about the French, but the CNIL are not just respected. They are feared.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like