France's data protection watchdog, CNIL, fined Apple €8 million and Meta (Facebook's parent company) €60 million for violating EU privacy law. The fines stem from how the companies implemented targeted advertising on iOS and Android respectively. CNIL found that users were not given a simple enough mechanism to opt out of personalized ads; while both companies offered some control, users had to navigate multiple settings. Specifically, Apple defaulted to personalized ads, requiring users to actively disable them, while Meta made ad personalization integral to its terms of service, requiring active consent to activate non-personalized ads. The CNIL considered both approaches violations of EU regulations that require clear and straightforward consent for personalized advertising.
In a significant development concerning data privacy regulations within the European Union, two technological behemoths, Apple and Meta Platforms (formerly known as Facebook), have been subjected to substantial financial penalties for contravening the General Data Protection Regulation (GDPR). The French data protection watchdog, the Commission nationale de l'informatique et des libertés (CNIL), levied these fines following thorough investigations into the companies' practices related to personalized advertising on mobile devices.
Specifically, Apple was fined €8 million (approximately $8.5 million USD) for failing to adequately obtain user consent prior to the utilization of identifiers for personalized advertising within the App Store on iOS 14.4. The CNIL contended that while Apple solicited consent for personalized advertising within its own applications, it did not extend this same practice to advertising displayed within the App Store itself, thereby violating the stipulations of the GDPR, which mandates explicit and informed consent for such activities.
Meta, on the other hand, faced a considerably larger penalty of €60 million (approximately $64 million USD) for its practices on Facebook and Instagram. The CNIL determined that Meta made it exceedingly difficult for users to decline personalized advertising, effectively nudging them towards acceptance. The regulator asserted that this design, which presented users with a complex and cumbersome process to opt out of personalized ads while offering a simple one-click acceptance, did not meet the GDPR's requirements for free, specific, informed, and unambiguous consent. The CNIL emphasized the importance of providing users with an equivalent level of ease for both accepting and rejecting personalized advertising, ensuring genuine user autonomy in this matter. This ruling underscores the continuing scrutiny of large technology companies and their advertising practices under the GDPR, signifying a firm stance by European regulators in upholding user privacy rights in the digital sphere. Furthermore, it highlights the complexities of implementing personalized advertising in a manner that fully conforms to the stringent requirements of data protection regulations, posing a significant challenge to companies operating within the EU.
Summary of Comments (174)
https://news.ycombinator.com/item?id=43770337
Hacker News commenters generally agree that the fines levied against Apple and Meta (formerly Facebook) are insignificant relative to their revenue, suggesting the penalties are more symbolic than impactful. Some point out the absurdity of the situation, with Apple being fined for giving users more privacy controls, while Meta is fined for essentially ignoring them. The discussion also questions the effectiveness of GDPR and similar regulations, arguing that they haven't significantly changed data collection practices and mostly serve to generate revenue for governments. Several commenters expressed skepticism about the EU's motives, suggesting the fines are driven by a desire to bolster European tech companies rather than genuinely protecting user privacy. A few commenters note the contrast between the EU's approach and that of the US, where similar regulations are seemingly less enforced.
The Hacker News post "Apple and Meta fined millions for breaching EU law" generated a modest number of comments, primarily focusing on the perceived absurdity of the fines and the EU's regulatory approach.
Several commenters expressed skepticism about the effectiveness and rationale behind the fines. One user questioned the logic of fining companies for allegedly violating user privacy while simultaneously mandating features (like ATT, App Tracking Transparency) that purportedly aim to protect user privacy. They highlighted the apparent contradiction of being penalized for not adhering to a standard while also being forced to implement a mechanism that seemingly leads to that penalty.
Another commenter pointed out the relatively small amount of the fines compared to the companies' vast revenues, suggesting that such penalties are unlikely to deter future behavior. They argued that these fines essentially amount to a "cost of doing business" rather than a genuine deterrent.
The discussion also touched on the complexities of obtaining user consent and the practical challenges of adhering to regulations like GDPR. A commenter sarcastically remarked on the expectation that users should meaningfully engage with complex consent pop-ups, noting the impracticality of expecting users to carefully consider and understand the implications of every consent request.
One comment questioned the actual impact on user privacy, suggesting that the fines might be more about generating revenue for the EU than genuinely protecting users. They also suggested the possibility of regulatory capture, implying that regulators might be influenced by larger tech companies.
Finally, a comment highlighted the seeming disparity in the application of GDPR regulations, observing that smaller companies face stricter enforcement while larger companies often seem to escape significant consequences. They used the analogy of enforcing traffic laws strictly on bicycles while ignoring violations by large trucks.
In essence, the comments reflect a general sentiment of skepticism and cynicism towards the EU's approach to regulating tech giants, questioning the effectiveness and motivations behind the fines, and highlighting the practical difficulties and perceived inconsistencies in their application.