Fine against Google
After having received several complaints about the way cookies can be refused on the websites “google.fr” and “youtube.com”, the CNIL started an investigation. The CNIL found that while the websites offer the possibility of immediately clicking on a button that allows all cookies, the websites do not provide the same option to opt out of all cookies. Instead, to opt out of all cookies, the user must click several times. The CNIL found that by implementing a more complex solution to refuse all cookies, the website operator discourages users from effectively opting out of the cookies and favours the “accept all” button offered by the websites. The CNIL found this to be a violation of a provision in the French Data Protection Act that requires consent for any activity through which an electronic communication service accesses or enters information in a user’s device.
Under the French Data Protection Act and the EU General Data Protection Regulation (GDPR), in order to freely consent to any processing activity users must be clearly and fully informed of the purpose of a data processing activity and the means to oppose it. The GDPR clarifies this in its recitals by stating that consent cannot be freely given if the user is not in a position to refuse or withdraw consent without suffering any prejudice. The CNIL considered in its decision that the process of rejecting cookies by selecting a button to manage the cookie settings, which takes users to another window where the user can personalise the cookie settings or again choose a button to accept all cookies, discouraged users too much to be considered free consent. The more complex the process to refuse all cookies, the more likely it is in the CNIL’s opinion that consent cannot be given freely. In this regard, the CNIL recommended in its 2020 guidelines on cookies and other tracking devices and the accompanying recommendations that website operators provide for acceptance and rejection of cookies with the same level of simplicity.
Fine against Facebook
In the same manner, as in the decision against Google, the CNIL began actively investigating Facebook’s cookie set-up in April 2021 following several complaints about the way cookies could be refused on the website “facebook.com”.
Therefore, on 31 December 2021, the CNIL fined Facebook Ireland Ltd EUR 60 million due to the violation of the same provisions as in the Google case (cf. press release from 6 January 2022).
How will the decision impact your business?
In short, businesses must implement a cookie selection process that allows users to select from “accept all cookies”, “reject all cookies” and, if applicable “customise cookies” on the first pop-up window or the cookie banner. Any process that is more burdensome for users to reject cookies than to accept cookies will, in the opinion of the French Data Protection Authority, hinder the possibility to consent freely. Moreover, these decisions also highlight that the CNIL is willing to pursue the enforcement of its recommendations by starting investigations and, in case of non-compliance, ordering very substantial sanctions.
If you are unsure how to navigate the new realities of cookie settings or stay up to date with the various guidance of different national data protection authorities, reach out to our ICT & Digital Team. We are happy to assist you and your business find the right solution.