14 January 2022
The CNIL has recently published two decisions dated December 31, 2021 in which it sanctions Google LLC and Google Ireland Limited on the one hand, and Facebook Ireland Limited on the other hand, for non-compliance with the French legislation on cookies.
The fines imposed by the CNIL amount respectively to 150 million euros for Google and 60 million euros for Facebook. Besides the administrative fines, they are required to correct the breach within 3 months, under a daily penalty of 100,000 euros, should they fail to comply within such timeframe.
These decisions derive from the CNIL initiative since 2020, to closely monitor compliance with the legislation on cookies. In March 2021, the CNIL officially reiterated that it would make compliance with obligations related to targeted advertising and profiling of Internet users, a priority in its control strategy.
Since April 1, 2021, when the timelimit to comply with the CNIL new guidelines on cookies expired, the CNIL has conducted multiple controls and issued formal notices to over sixty companies for violations similar to those addressed in the Google and Facebook decisions.
In accordance with Article 82 of the French Data Protection Act, implementing E-privacy Directive, the deposit of cookies on a user's terminal requires his prior consent (except for certain "essential" cookies).
In July 2019, and again in September 2020, the CNIL published new recommendations on cookies. The CNIL describes in particular the conditions under which website publishers should proceed in order to obtain valid consent from users to the deposit of cookies. The CNIL stressed that consent must be free, which implies that it must be as easy for a user to accept the deposit of cookies as to refuse it.
Therefore, if the cookie banner of a website allows the user to consent to the deposit of all cookies (through an "accept all cookies" button), it must also allow the user to refuse the deposit of all cookies in an equally easy way (with an equivalent "refuse all cookies” button). However, on google.fr, youtube.com and facebook.fr, the user must go through multiple steps in order to refuse the deposit of cookies while he can accept them in one click when arriving on the homepage of the websites.
With these two decisions, the CNIL strikes hard, the fine imposed on Google being to date the highest fine which was ever imposed by the CNIL. To determine the amounts of the fines, the CNIL took into account:
by multiple authors