Why do non-EU-based companies/websites bother to comply with this directive? For that matter, why do even big firms with an EU presence comply? I can see why a firm with an EU office or employees might worry about some legal risk, but (a) is it really true that the EU would devote significant enforcement resources to prosecuting/fining “victimless” violations of this directive? (b) for sufficiently popular websites (Amazon, FB, …) surely the companies have more leverage than the EU, since I’d think that one of these firms even threatening to stop serving European customers (or employing EU programmers for that matter) would cause vastly more political backlash compared to the amount of genuine political support for the (policy motivation behind the) annoying cookie banners.
If Amazon or Facebook were breaking the rules, the EU would probably love to go after them and hit them with giant fines. They are multinational corporations, they are big tech, they are even American! Fining them for continuing to operate in the EU would be very popular across a lot of the political spectrum.
OK, maybe I’m wrong about the politics as regards large multinationals. (Although I’m not sure I’m wrong.)
But that argument says nothing about why a website like JSTOR (non-profit, US-based) complies. I’m skeptical that anyone would try to enforce against them, and also that any such enforcement would have actual legal consequences. EU tries to fine JSTOR, JSTOR says “we are in the US” and doesn’t pay, then...? Does anyone actually think the EU is going to force all European ISPs to block JSTOR? I suppose if JSTOR uses EU-based datacenters to serve some content to European users, those could be shut down. I do not think that would be a popular move with European academics.
If a firm has a policy of “we will follow the law except when we can get away with breaking it”, they may miscalculate what they can get away with and be hit with fines. Having an ethical injunction to try to follow the law in all cases, even when you think you might get away with not following it, is the safest policy.
Of course, in practice big companies do skirt the law and try to get away with it, but for that to be rational there needs to be a sufficient payoff for it. In practical terms, it doesn’t cost FB/Amazon anything to comply with cookie banner laws, nor would they get any real benefit from breaking them. So even if the risk was small, why take it?
Decisions on whether or not to enforce laws are not made in the EU by directly elected politicians driven by the desire to be popular with the population.
Practically we do see Facebook and Amazon getting fined: https://www.wsj.com/articles/facebooks-whatsapp-fined-around-270-million-for-eu-privacy-violations-11630576800
AFAICT those fines have not been for missing cookie banners. And if I were Mark Zuckerberg, I might think to myself, “the EU is going to shake us down for ‘privacy violations’ no matter what we do, so why should I bother making our user experience worse with annoying cookie banners?”
(Also, to some extent, FAANG-scale companies may get fined but serve as a shield for all smaller companies. If you were a Brussels bureaucrat with a focus on fining websites for privacy issues, and you could get hundreds of millions for targeting a FAANG [not that you get to keep any of that money or plausibly tell yourself that your work improved the world in any meaningful way, but hey whatever floats your boat], would you bother fining Joe Startup $100k for imperfect privacy practices in the app they’re running from their garage in San Bruno?)
The size of the fine depends on the number of privacy violations.
Brussels bureaucrats are not the only people who can bring lawsuits for GDPR violations. A startup that makes money through an app likely has European customers and thus there are assets that could be targeted.
In practice, both the Google Play Store and the Apple store have rules that enforce privacy. Apple especially is quite willing to tell Joe Startup that his app needs to follow the rules if it wants to be in their store.
Small players could be fined to set precedents that can be used against larger players.