The French Data Protection Authority (CNIL) has fined Facebook (now Meta Platforms, Inc.) EUR 60 million and Google EUR 150 million based on the reasoning that it is not as easy to refuse cookies on their websites as it is to accept them. Below you can find out more about the background to these decisions. Also, if you jump to the end of our blog article, you will find out what these decisions mean for your business and the set-up of your cookie selection process.
Fine against Google
After having received several complaints about the way cookies can be refused on the websites “google.fr” and “youtube.com”, the CNIL started an investigation. The CNIL found that while the websites offer the possibility of immediately clicking on a button that allows all cookies, the websites do not provide the same option to opt out of all cookies. Instead, to opt out of all cookies, the user must click several times. The CNIL found that by implementing a more complex solution to refuse all cookies, the website operator discourages users from effectively opting out of the cookies and favours the “accept all” button offered by the websites. The CNIL found this to be a violation of a provision in the French Data Protection Act that requires consent for any activity through which an electronic communication service accesses or enters information in a user’s device.
Under the French Data Protection Act and the EU General Data Protection Regulation (GDPR), in order to freely consent to any processing activity, users must be clearly and fully informed of the purpose of a data processing activity and the means to oppose it. The GDPR clarifies this in its recitals by stating that consent cannot be freely given if the user is not in a position to refuse or withdraw consent without suffering any prejudice. The CNIL considered in its decision that the process of rejecting cookies by selecting a button to manage the cookie settings, which takes users to another window where the user can personalise the cookie settings or again choose a button to accept all cookies, discouraged users to such an extent that their consent could not be considered freely given. The more complex the process to refuse all cookies, the more likely it is in the CNIL’s opinion that consent cannot be given freely. In this regard, the CNIL recommended in its 2020 guidelines on cookies and other tracking devices and the accompanying recommendations that website operators provide for acceptance and rejection of cookies with the same level of simplicity.
Based on the above-described assessment, principally because users of google.fr and youtube.com could not refuse cookies as easily as they could accept them, the CNIL fined Google LLC EUR 90 million and Google Ireland Ltd EUR 60 million on 31 December 2021 (cf. press release from 6 January 2022).
Fine against Facebook
As in the Google case, the CNIL began actively investigating Facebook’s cookie set-up in April 2021 following several complaints about the way cookies could be refused on the website “facebook.com”.
The background of the case for Facebook was similar to the one relating to Google. Facebook provided a pop-up window on its website with one button to “accept all cookies” and one button to “manage data parameters” but no button to reject all cookies. This meant that to reject cookies, the user had to access a second window where the user again had the option to accept all cookies and where the user would have to personalise the cookie settings with sliders. Although the two sliders for personalised advertisements were disabled by default, the CNIL found the process to refuse cookies was not simple enough. As the process to refuse cookies required accessing two different windows, the CNIL found that it may be too confusing for users to freely consent to the use of cookies, thereby violating the above-mentioned provision in the French Data Protection Act and the requirements for consent under GDPR.
Therefore, on 31 December 2021, the CNIL fined Facebook Ireland Ltd EUR 60 million due to the violation of the same provisions as in the Google case (cf. press release from 6 January 2022).
How will the decision impact your business?
In short, businesses must implement a cookie selection process that allows users to select from “accept all cookies”, “reject all cookies” and, if applicable, “customise cookies” on the first pop-up window or the cookie banner. Any process that makes it more burdensome for users to reject cookies than to accept them will, in the opinion of the French Data Protection Authority, hinder the possibility to consent freely. Moreover, these decisions also highlight that the CNIL is willing to pursue the enforcement of its recommendations by starting investigations and, in case of non-compliance, ordering very substantial sanctions.
If you are unsure how to navigate the new realities of cookie settings or stay up to date with the various guidance of different national data protection authorities, reach out to our ICT & Digital Team. We are happy to help you and your business find the right solution.