Facebook Told To Stop Tracking Non-Users Or Face Fines In France
Privacy regulator accuses Facebook of undisclosed cookie-based tracking of internet users who do not have Facebook accounts.
France’s data protection authority, Commission nationale de l’informatique et des libertés (CNIL), has been one of the more aggressive in going after Google for alleged EU privacy violations. The regulator has turned its attention to Facebook and ordered it to comply with the French Data Protection Act or face fines.
France and other EU privacy regulators, notably Belgium, have objected to the alleged practice of cookie-based tracking of non-Facebook users on third-party sites through social buttons or plug-ins. According to a public statement issued by CNIL, earlier reported by TechCrunch:
- FACEBOOK collects, without prior information, data concerning the browsing activity of Internet users who do not have a FACEBOOK account. Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a FACEBOOK public page (e.g. page of a public event or of a friend). This cookie transmits to FACEBOOK information relating to third-party websites offering FACEBOOK plug-ins (e.g. Like button) that are visited by Internet users.
- The social network collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders. In addition, Internet users are not informed on the sign up form with regard to their rights and the processing of their personal data.
- The website also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.
The French privacy regulator made the claims public “due to the seriousness of the violations.” Facebook has maintained that it is in full compliance with European privacy rules.
Facebook has faced a number of investigations in multiple countries in Europe surrounding potential violations of privacy laws. Most recently, the Belgian privacy authority filed suit over the same issues complained of by the French.
Facebook, whose European headquarters are in Ireland, has previously argued that only the Irish Data Protection Commissioner has jurisdiction over the company and its policies. However, new EU-wide privacy rules have been approved and are scheduled to be implemented in 2017 across Europe.
The new regulatory framework contains much more substantial fines for privacy violations, up to four percent of a company’s global revenues. In Facebook’s case, this could amount to $720 million, based on 2015 revenue figures.
The rules would apply to any company “doing business” in Europe — very broadly defined.