Flash Data

Briefing

Cookies: Google and Facebook sanctioned by the CNIL

The CNIL has recently published two decisions dated December 31, 2021 in which it sanctions Google LLC and Google Ireland Limited on the one hand, and Facebook Ireland Limited on the other hand, for non-compliance with the French legislation on cookies.

The fines imposed by the CNIL amount respectively to 150 million euros for Google and 60 million euros for Facebook. Besides the administrative fines, they are required to correct the breach within 3 months, under a daily penalty of 100,000 euros, should they fail to comply within such timeframe.

These decisions derive from the CNIL initiative since 2020, to closely monitor compliance with the legislation on cookies. In March 2021, the CNIL officially reiterated that it would make compliance with obligations related to targeted advertising and profiling of Internet users, a priority in its control strategy.
Since April 1, 2021, when the timelimit to comply with the CNIL new guidelines on cookies expired, the CNIL has conducted multiple controls and issued formal notices to over sixty companies for violations similar to those addressed in the Google and Facebook decisions.

Why were Google and Facebook sanctioned?

In accordance with Article 82 of the French Data Protection Act, implementing E-privacy Directive, the deposit of cookies on a user's terminal requires his prior consent (except for certain "essential" cookies).

In July 2019, and again in September 2020, the CNIL published new recommendations on cookies. The CNIL describes in particular the conditions under which website publishers should proceed in order to obtain valid consent from users to the deposit of cookies. The CNIL stressed that consent must be free, which implies that it must be as easy for a user to accept the deposit of cookies as to refuse it.

Therefore, if the cookie banner of a website allows the user to consent to the deposit of all cookies (through an "accept all cookies" button), it must also allow the user to refuse the deposit of all cookies in an equally easy way (with an equivalent "refuse all cookies” button). However, on google.fr, youtube.com and facebook.fr, the user must go through multiple steps in order to refuse the deposit of cookies while he can accept them in one click when arriving on the homepage of the websites.

What about the sanctions?

With these two decisions, the CNIL strikes hard, the fine imposed on Google being to date the highest fine which was ever imposed by the CNIL. To determine the amounts of the fines, the CNIL took into account:

the number of data subjects affected by the violation (resulting in particular from the dominant position of Facebook and Google on their respective markets).
the financial benefits obtained from the breach: making it more difficult to decline cookies shall increase the portion of users receiving advertising cookies and thereby increase the amount of advertising revenues generated by the profiling in which these cookies are involved.
the massive communication around its new recommendations on cookies that Google and Facebook could not ignore. Regarding Google more specifically, the CNIL considered that there was a "deliberate" violation of the law: when following-up on the order which was issued by the CNIL against Google in a previous decision, the CNIL had already warned Google on the actions which were expected regarding the modalities to refuse cookies on its websites.