Extreme Dark Patterns: Noyb complains about Google's privacy sandbox
Google markets Privacy Sandbox, its third-party cookie alternative, as a privacy feature. However, Noyb argues that it merely shifts tracking methods.
(Image: testing/Shutterstock.com)
The Austrian civil rights organization Noyb has lodged a complaint with the Austrian Data Protection Authority (DSB) against the Privacy Sandbox technology advertised by Google as a replacement for third-party cookies. The US company is selling the process to users "as a function to guarantee privacy" in targeted advertising, the activists complain. In reality, however, it conceals a new form of tracking. A user's browser history and therefore "every click" and every online movement is still tracked. The only difference is that tracking takes place via Google's Chrome browser, and a list of advertising topics is created based on the websites visited by users.
According to the complaint, there were already almost 500 advertising categories such as "student finance", "underwear" or "parenting" when the sandbox programming interface (API) was launched. Google assigns these preferences to users based on their online activities. An advertiser on a website that activates the Sandbox API then asks Chrome which topics a user belongs to and then potentially displays a corresponding banner. Although the browser blocks some third-party tracking cookies, which has long been standard practice among competitors, it continues to use user data for personalized advertising.
According to the General Data Protection Regulation (GDPR), Google would actually need informed consent from users to activate this mechanism, explains Noyb. However, the search engine giant is misleading them with its promise of data protection. The company had even carried out tests to ensure a high consent rate. It can therefore be assumed that the prompt interface has been "optimized" using manipulative design tricks ("dark patterns") to achieve "extreme consent rates" such as 90 percent or more.
Noyb demands deterrent fine for Google
When opening Chrome, users are asked to activate a "function for data protection in advertising", explains Noyb. In the EU, they would have the choice of either clicking on "Activate" or rejecting the system with "Not interested". In a letter, Google argued that it actually understands the selection of the "Activate" option as consent in accordance with the GDPR. In reality, the company is hiding the fact that it is activating "first-party tracking".
Google is thus also violating the GDPR requirement that personal data be processed lawfully and in a way that is comprehensible to the individual, the complainant argues. EU law classifies misleading advertising as unfair commercial practices. The transparency requirements of the GDPR are also not complied with.
It could be that the privacy sandbox, which has already been moved several times for the majority of users, is less invasive than tracking by third-party cookies, explains Noyb founder Max Schrems. However, this does not mean that Google can simply ignore applicable data protection law: "If you only steal less money from people than another thief, you can't call yourself a 'property protector'." The company is engaging in a kind of unlawful "privacy washing". Noyb and the complainant are therefore calling on the DPA to order Google to bring its data processing into line with the GDPR. They are also calling for the imposition of an "effective, proportionate and dissuasive fine".
(emw)
