What's the issue?

The ePrivacy Directive requires users to consent to non-essential cookies.  The level of consent required is to the standard of the (UK) GDPR.  This means that consent must be freely given, specific, informed and unambiguous.  Crucially, under Article 7 GDPR, it must be "as easy to withdraw as to give consent".

We are all familiar with (and often annoyed by) cookie banners as users.  Many businesses though have experienced a tension between commercial pressures and legal requirements and have chosen not to implement the strictest interpretation of the rules.  

What's the development?

The French data protection regulator, the CNIL, published two decisions on 31 December 2021 sanctioning Google LLC and Google Ireland Limited on the one hand, and Facebook Ireland Limited on the other, for non-compliance with French legislation on cookies.  Google was fined EUR 150m and Facebook EUR 60m.  In addition to the administrative fines, they are required to remedy their breaches within three months after which they will incur a daily penalty of EUR 100,000 for ongoing non-compliance.

The CNIL found that Google and Facebook's failures to make non-essential cookies as easy to reject as to accept invalidated the consent on which the businesses relied.  Whereas cookies could be accepted by a single 'click', a number of steps were needed to reject them. 

This was a breach of the French Data Protection Act, which implements the ePrivacy Directive, and requires prior user consent to non-essential cookies the deposit of cookies on a user's terminal.

What does this mean for you?

While this decision is under French law, the same principles apply across the EU and in the UK.  It will be interesting to see whether any resulting changes are made to other Google and Facebook domains in addition to their French sites.

Of course, Google and Facebook are not alone in taking this approach to cookies. The CNIL actions will provide pause for thought for businesses which presumed that not interpreting cookie rules strictly was a low-risk position.  They may now consider a change in approach to the thorny question of cookie consent, perhaps re-balancing commercial and regulatory drivers.

Read more

These decisions derive from the CNIL initiative launched in 2020, to monitor compliance with legislation on cookies. In March 2021, the CNIL officially reiterated that it would make compliance with obligations related to targeted advertising and profiling of internet users, a strategic priority.

In July 2019, and again in September 2020, the CNIL published new recommendations on cookies. The guidance sets out the conditions under which website publishers should proceed in order to obtain valid consent from users to the deposit of cookies. The CNIL stressed that consent must be freely given which implies that it must be as easy for a user to accept non-essential cookies as to reject them.

This means that if the cookie banner of a website allows the user to consent to the deposit of all cookies (through an 'accept all cookies' button), it must also allow the user to reject all cookies in an equally easy way (for example with an equivalent 'reject all cookies' button).

On google.fr, youtube.com and facebook.fr, the user must, however, go through multiple steps in order to reject cookies but can accept them in one click when arriving on the homepage of the websites.  The CNIL found this to be in breach of requirements.  In fact, since 1 April 2021, when the time limit to comply with the CNIL's guidelines on cookies expired, the CNIL has conducted multiple investigations and issued formal notices to over 60 companies for violations similar to those addressed in the Google and Facebook decisions.

How were the decisions on the level of the fines reached?

With these two decisions, the CNIL has struck hard. The fine imposed on Google is the highest fine from the CNIL to date.  To determine the amounts of the fines, the CNIL took into account:

• the number of data subjects affected by the violation (resulting, in particular, from the dominant position of Facebook and Google in their respective markets)
• the financial benefits obtained from the breach: making it more difficult to decline cookies increases the number of users receiving advertising cookies and consequently the amount of advertising revenue generated by the profiling which relies on the data collected by these cookies
• the massive communication by the CNIL around its new recommendations on cookies of which Google and Facebook could not have been unaware. Regarding Google more specifically, the CNIL considered that there was a "deliberate" violation of the law: when following up on the order which was issued by the CNIL against Google in a previous decision, the CNIL had already warned Google about the actions it expected regarding the modalities to reject cookies on its websites.

While the level of fines clearly reflects the status of Google and Facebook, they are also an indication that the CNIL means business when it comes to cookie compliance.