noyb has lodged a complaint with the Austrian data protection authority against Google for deceptive practices related to its Privacy Sandbox API, introduced on 7 September 2023. Google’s new system replaces third-party cookies with first-party tracking within Chrome, marketed misleadingly as a privacy feature.
Use of Dark Patterns
The complaint details how Google used dark patterns—manipulative UI/UX design techniques—to trick users into consenting to tracking. The pop-ups presented users with an option to “Turn on an ad privacy feature,” implying increased privacy protection. However, this actually enabled extensive tracking of users’ browsing histories.
Consent Violations
According to noyb, Google’s practices violate GDPR’s requirements for specific, informed, and unambiguous consent. The complaint highlights that the pop-up’s wording and design misled users about the nature of the data processing, failing to inform them that enabling the feature would allow tracking for targeted advertising.
Allegations and Deceptive Practices
- Tracking Scope: The Privacy Sandbox API tracks users’ web activities, generating nearly 500 advertising topics based on their browsing history. Advertisers can access these topics to display targeted ads.
- Transparency Issues: Google’s pop-ups falsely claimed to enhance privacy while actually facilitating tracking, contrary to users’ expectations of a privacy feature.
- Consent Mechanism: The ambiguous consent process, involving misleading phrases like “Turn it on,” does not meet GDPR standards. Google did not clearly inform users that their data would be used for targeted advertising.
- Deceptive Pop-up Design: The pop-ups presented a choice to either “Turn it on” or “No thanks,” misleading users into thinking they were opting for increased privacy.
- Internal Browser Tracking: Despite advertising the feature as a means to protect privacy, the tracking is conducted internally by Google, bypassing third-party cookies.
- Misleading Imagery and Language: The use of terms like “protect,” “limit,” and “privacy features,” alongside misleading imagery, reinforced the false message that the feature enhanced user privacy.
- Comparison to Competitors: Unlike browsers such as Safari and Firefox, which block third-party cookies by default, Chrome’s Privacy Sandbox simply repackages tracking data for targeted ads.
- User Confusion: Even GDPR-trained lawyers at noyb found the pop-ups confusing and had to seek clarification from Google.
Compliance and Fines
noyb requests that the Austrian data protection authority investigates the complaint and compels Google to comply with GDPR. The complaint demands that Google stop processing data collected under invalid consent, inform data recipients of the unlawful processing, and proposes an effective, proportionate, and dissuasive fine, given the extensive impact on Chrome’s user base.
👉 Read the complaint here.
♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.
