Google and Google Ireland were penalized €150 million (U.S. $169 million) total, while Facebook Ireland was fined €60 million (U.S. $68 million). The CNIL justified the sanction amounts by the number of data subjects affected and the profits the companies make from advertising indirectly generated from data collected by cookies.
The CNIL said that while Facebook, Google, and YouTube (owned by Google) allow users to accept cookies immediately with a single click, refusing them requires several clicks, which nudges people to take the simpler option.
The regulator said the process constitutes an infringement of Article 82 of the French Data Protection Act, which transposes the European Union’s ePrivacy Directive.
In addition to the fines, the CNIL ordered the companies to provide internet users located in France with a means of refusing cookies as simply as accepting them. If they fail to do so within three months, each company will have to pay a penalty of €100,000 (U.S. $113,000) per day of delay.
As the penalties were imposed under French national law, the CNIL did not need to refer the complaint to the Irish Data Protection Commission (DPC), the lead supervisory agency for both Big Tech firms, as it would have been required to do under the EU’s General Data Protection Regulation (GDPR).
The move has led some to consider the CNIL’s action a deliberate attempt to circumvent the GDPR and the one-stop shop mechanism. “The reluctance of Big Tech firms to comply with EU cookie laws, combined with the apparently easy-going nature of the Irish DPC, has led CNIL to take action under the ePrivacy Directive,” said Alan Calder, CEO of compliance and risk specialists GRC International Group.
The CNIL has been focusing its oversight on cookie consents for some time. In December 2020, the regulator fined Google and Amazon a combined €135 million (then-U.S. $163 million) for automatically installing advertising cookies on users’ computers without permission.
Since the end of March 2021, the CNIL said it has adopted nearly 100 “corrective measures” against companies (namely, orders and sanctions) related to noncompliance with the legislation on cookies.
Other EU data regulators are also taking greater notice of how companies, particularly Big Tech firms, potentially abuse cookie consent.
The Irish DPC updated its cookie guidance back in April 2020, saying it would give websites and data controllers six months to come into compliance before taking any enforcement action. No such action has yet been taken.
“People trust us to respect their right to privacy and keep them safe,” said Google in an emailed statement. “We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive.”
Facebook, a subsidiary of Meta Platforms, said, “We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”
Experts have described the CNIL’s decisions as “warning shots” that will push companies to reassess how they gain cookie consent from users.
Richard Nicholas, partner at law firm Browne Jacobson, called it a “concerning development” as many consumer-facing online businesses “already take a similar approach.”
“Businesses know full well that most consumers really don’t want to ‘learn more’ and would rather say ‘yes’ simply to get to the page quicker. This, of course, also benefits the business because it makes use of the data captured from the cookie,” said Nicholas.
“This decision suggests regulators will not always allow for this approach—certainly not from the largest and most data-hungry technology companies. The fines will likely serve as a warning to other retailers that follow this model that they may need to revise their cookie banners,” he added.