After years of growing criticism over invasive ad tracking, Google announced in September 2023 that it would phase out third-party cookies from its Chrome browser. Since then, users have been gradually tricked into enabling a supposed “ad privacy feature” that actually tracks people. While the so-called “Privacy Sandbox” is advertised as an improvement over extremely invasive third-party tracking, the tracking is now simply done within the browser by Google itself. To do this, the company theoretically needs the same informed consent from users. Instead, Google is tricking people by pretending to “Turn on an ad privacy feature”. noyb has therefore filed a complaint with the Austrian data protection authority.
- Complaint with the Austrian data protection authority (EN)
- Complaint with the Austrian data protection authority (DE)
“Informed”, “transparent” and “fair”? Google’s internal browser tracking was introduced to users via a pop-up that said “turn on ad privacy feature” after opening the Chrome browser. In the European Union, users are given the choice to either “Turn it on” or to say “No thanks”, so to refuse consent. In a letter to noyb, Google argued that choosing to click on “Turn it on” would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR. In reality, the company concealed the fact that selecting this option would turn on first-party tracking.
Dark patterns. It is no secret that Google has experimented with different wording and interface designs to maximise the consent rates among users. This is done using so-called dark patterns, which are manipulative designs used by companies to trick users, often unlawfully, into agreeing to things they would never otherwise accept.
But this is an extreme case: Google didn’t just change the colour or size of a button, but simply lied to its users. The only logical way to interpret the Privacy Sandbox pop-up shown to users is to think that Google Chrome is now starting to (technically) protect them from ad tracking. This message was even reinforced by the repeated use of words like “protect”, “limit” and “privacy features”, accompanied by misleading imagery.
Max Schems, Honorary Chairman of noyb: “Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google’s first-party ad tracking. Consent has to be informed, transparent and fair to be legal. Google has done the exact opposite.”
Being “less terrible” is not a “privacy feature”. Google main argument is that the new Privacy Sandbox is less invasive than third-party tracking systems. While this may be true, it does not mean that Google can do whatever it wants without complying with European data protection law.
Max Schrems: “If you merely steal less money from people than another thief, you can’t call yourself a ‘wealth protection agent’. But that is basically what Google is doing here.”
Browser now calculates user interests. With its Privacy Sandbox, Google wants to take full control over the analysis of the online behaviour of its users: Chrome now tracks every website you visit to generate a list of advertising topics. These include “Student Loans & College Financing”, “Undergarments” or “Parenting”, “Jobs & Education” and “Finance/Credit & Lending/Credit Reporting & Monitoring”. Advertisers then receive this information from the Chrome browser.
Max Schrems: “People are increasingly critical of the fact that big tech companies are making billions from invasive ad tracking technologies. Instead of actually improving the situation, Google is responding with a kind of unlawful ‘privacy washing’ by introducing a new tracking system.”
Complaint filed. Article 4(11) of the GDPR clearly states that consent must, among other things, be a “specific, informed and unambiguous indication of the data subject’s wishes”. Given the highly misleading pop-up banner, the complainant had no way of knowing that he was actually consenting to the processing of his data for targeted advertising. Instead, he was led to believe that Google would protect his personal data. This means that Google clearly didn’t meet the requirements for free consent under the GDPR. noyb is asking the Austrian DPA to order Google to bring its processing operations into compliance with the GDPR, to stop the processing of data collected on the basis of invalid consent, and to inform the data recipients that they must stop processing this data. Last but not least, noyb proposes that the authority impose an effective, proportionate and dissuasive fine.