Desafíos actuales de la Inteligencia Artificial

66 Desafíos actuales de la Inteligencia Artificial banners” appearing on websites and seeking consumer consent to place cookies on their devices were mainly not compliant with the GDPR: just 11.8% of websites using the five top consent management platforms met minimal GDPR requirements for valid consent. 41 The CNIL inter alia referred to this empirical study in its decision to fine Facebook €60 million for the use of dark patterns, namely not enabling users to reject cookies as easily as accepting them. 42 The CNIL also fined Google €150 million for similar practices. 43 Applying the French law transposing the ePrivacy Directive 44 in light of the heightened consent requirements un- der the GDPR, the authority held that the method employed by Google Search and YouTube for users to manifest their choice over the placing of cookies was illegally biased in favour of consent. Again, the authority referred to several studies showing that organisations imple- menting a “refuse all” button on the first-level consent interface had seen a decrease in the consent rate to accept cookies. The CNIL also relied on the same studies to impose heavy fines on Microsoft 45 and TikTok. 46 The CNIL focused not only on deceptive designs that manipulate users into shar- ing more personal information than they intended but also on other types of invalid consent or the lack thereof. For instance, the CNIL imposed a €50 million fine on Google in 2019 for failing to obtain valid consent (i.e., informed, unambiguous, and specific) from its users for purposes of personalised advertising, 47 later upheld by the Conseil d’Etat . 48 Since then, Google adapted its practices across the EU to comply with GDPR requirements. 41 NOUWENS, Midas; LICCARDI, Ilaria; VEALE, Michael; KARGER, David; KAGAL, Lalana, “Dark pat- terns after the GDPR: Scraping consent pop-ups and demonstrating their influence”, Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (2020), pp. 1-13. 42 CNIL, délibération SAN-2021-024 du 31 décembre 2021. The CNIL found that discouraging users to decline cookies while encouraging them to accept being tracked on the first page undermined their freedom of consent, as many users would not accept cookies if offered a genuine choice. 43 CNIL, délibération SAN-2021-023 du 31 décembre 2021. 44 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the pro- cessing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47. 45 CNIL, délibération SAN-2022-023 du 19 décembre 2022. 46 CNIL, délibération SAN-2022-027 du 29 décembre 2022. 47 CNIL, délibération SAN-2019-001 du 21 janvier 2019. The regulator determined that user consent was not sufficiently informed because the information about the company’s processing of personal data for ad personali- sation was not centralised in a single document. As a result, users were unaware that their information would be processed for this purpose across Google’s various services. Nor was consent unambiguous because the option to be shown personalised ads was pre-checked in difficult-to-find settings. Finally, nor was consent specific, because Google sought consent when users were creating an account, by ticking boxes to agree on its terms of service and privacy policy, whereas consent should be obtained distinctively for each purpose. 48 Conseil d’Etat, décision n°430810 du 19 juin 2020, ECLI:FR:CECHR:2020:430810.20200619.