The Never-Ending Story of the “Cookie” Set-up

Your contacts

The French Data Protection Authority (CNIL) has fined Facebook (now Meta Platforms, Inc.) EUR 60 million and Google EUR 150 million based on the reasoning that it is not as easy to refuse cookies on their websites as it is to accept them. Below you can find out more about the background to these decisions. Also, if you jump to the end of our blog article, you will find out what these decisions mean for your business and the set-up of your cookie selection process.

Fine against Google

After having received several complaints about the way cookies can be refused on the websites “” and “”, the CNIL started an investigation. The CNIL found that while the websites offer the possibility of immediately clicking on a button that allows all cookies, the websites do not provide the same option to opt out of all cookies. Instead, to opt out of all cookies, the user must click several times. The CNIL found that by implementing a more complex solution to refuse all cookies, the website operator discourages users from effectively opting out of the cookies and favours the “accept all” button offered by the websites. The CNIL found this to be a violation of a provision in the French Data Protection Act that requires consent for any activity through which an electronic communication service accesses or enters information in a user’s device.

Under the French Data Protection Act and the EU General Data Protection Regulation (GDPR), in order to freely consent to any processing activity users must be clearly and fully informed of the purpose of a data processing activity and the means to oppose it. The GDPR clarifies this in its recitals by stating that consent cannot be freely given if the user is not in a position to refuse or withdraw consent without suffering any prejudice. The CNIL considered in its decision that the process of rejecting cookies by selecting a button to manage the cookie settings, which takes users to another window where the user can personalise the cookie settings or again choose a button to accept all cookies, discouraged users too much to be considered free consent. The more complex the process to refuse all cookies, the more likely it is in the CNIL’s opinion that consent cannot be given freely. In this regard, the CNIL recommended in its 2020 guidelines on cookies and other tracking devices and the accompanying recommendations that website operators provide for acceptance and rejection of cookies with the same level of simplicity.

Based on the above-described assessment, principally because users of and could not refuse cookies as easily as they could accept them, the CNIL fined Google LLC EUR 90 million and Google Ireland Ltd EUR 60 million on 31 December 2021 (cf. press release from 6 January 2022).

Fine against Facebook

In the same manner, as in the decision against Google, the CNIL began actively investigating Facebook’s cookie set-up in April 2021 following several complaints about the way cookies could be refused on the website “”.

The background of the case for Facebook was similar to the one relating to Google. Facebook provided a pop-up window on its website with one button to “accept all cookies” and one button to “manage data parameters” but no button to reject all cookies. This meant that to reject cookies, the user had to access a second window where the user again had the option to accept all cookies and where the user would have to personalise the cookie settings with slides. Although the two sliders for personalised advertisements were disabled by default, the CNIL found the process to refuse cookies was not simple enough. As the process to refuse cookies required accessing two different windows, the CNIL found that it may be too confusing for users to freely consent to the use of cookies, thereby violating the above-mentioned provision in the French Data Protection Act and the requirements for consent under GDPR.

Therefore, on 31 December 2021, the CNIL fined Facebook Ireland Ltd EUR 60 million due to the violation of the same provisions as in the Google case (cf. press release from 6 January 2022).

How will the decision impact your business?

In short, businesses must implement a cookie selection process that allows users to select from “accept all cookies”, “reject all cookies” and, if applicable “customise cookies” on the first pop-up window or the cookie banner. Any process that is more burdensome for users to reject cookies than to accept cookies will, in the opinion of the French Data Protection Authority, hinder the possibility to consent freely. Moreover, these decisions also highlight that the CNIL is willing to pursue the enforcement of its recommendations by starting investigations and, in case of non-compliance, ordering very substantial sanctions.

If you are unsure how to navigate the new realities of cookie settings or stay up to date with the various guidance of different national data protection authorities, reach out to our ICT & Digital Team. We are happy to assist you and your business find the right solution.


More information:

Share post

most read


MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.

MLL Meyerlustenberger Lachenal Froriep


Much is still unclear in relation to liability questions around AI tools.

Read our latest post about “Liability during the Lifecycle of an AI Tool” and download our white paper.

Show article.

Our Story

MLL Legal is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of strategic mergers, the latest of which took place on 1st July 2021 between Meyerlustenberger Lachenal and FRORIEP.

The merger establishes MLL Legal, a combined new entity as one of the largest commercial law firms in Switzerland with 150 lawyers in four offices in Switzerland and two offices abroad, in London and Madrid serving clients seeking Swiss law advice.

Our firm has a strong international profile and brings together recognised leadership and expertise in all areas of law affecting commerce today, with a focus on high-tech, innovative and regulated sectors. 

About us


Click here for our latest publications


Read all our legal updates on the impact of COVID-19 for businesses.

COVID-19 Information

Job openings

Looking for a new challenge?

Our talented and ambitious teams are motivated by a common vision to succeed. We value open and straightforward communication accross all levels of the organisation in a supportive working environment.

Job openings

Firm News

Click here for our latest firm news.

Our Team

The regulatory and technological landscape continually require businesses to adapt and evolve.
Our 150+ lawyers are continuously innovating and striving for improvement in everything they do. We embrace new ideas and technologies, combining our wealth of expertise with creative thinking and diligence. With our hands-on approach, we implement viable solutions for the most complex legal challenges.

Our Team.

LexCast – the podcast series by MLL NexGen

Smart legal education on the go. The LexCast hosted by MLL NexGen provides legal insights in a short format that allows listeners to educate themselves on and about legal issues wherever they are and whenever they find the time.

Listen to our podcast series – stay tuned.

MLL Legal on Social Media

Follow us on LinkedIn, Twitter und Instagram.