Radar - January 2022 – 5 / 5 Insights
The ePrivacy Directive requires users to consent to non-essential cookies. The level of consent required is to the standard of the (UK) GDPR. This means that consent must be freely given, specific, informed and unambiguous. Crucially, under Article 7 GDPR, it must be "as easy to withdraw as to give consent".
We are all familiar with (and often annoyed by) cookie banners as users. Many businesses, though, have experienced a tension between commercial pressures and legal requirements and have chosen not to implement the strictest interpretation of the rules.
The French data protection regulator, the CNIL, published two decisions on 31 December 2021 sanctioning Google LLC and Google Ireland Limited on the one hand, and Facebook Ireland Limited on the other, for non-compliance with French legislation on cookies. Google was fined EUR 150m and Facebook EUR 60m. In addition to the administrative fines, they are required to remedy their breaches within three months, after which they will incur a daily penalty of EUR 100,000 for ongoing non-compliance.
The CNIL found that Google and Facebook's failures to make non-essential cookies as easy to reject as to accept invalidated the consent on which the businesses relied. Whereas cookies could be accepted by a single 'click', a number of steps were needed to reject them.
This was a breach of the French Data Protection Act, which implements the ePrivacy Directive and requires prior user consent to the deposit of non-essential cookies on a user's terminal.
While this decision is under French law, the same principles apply across the EU and in the UK. It will be interesting to see whether any resulting changes are made to other Google and Facebook domains in addition to their French sites.
Of course, Google and Facebook are not alone in taking this approach to cookies. The CNIL actions will provide pause for thought for businesses which presumed that not interpreting cookie rules strictly was a low-risk position. They may now consider a change in approach to the thorny question of cookie consent, perhaps re-balancing commercial and regulatory drivers.
These decisions derive from the CNIL initiative, launched in 2020, to monitor compliance with legislation on cookies. In March 2021, the CNIL officially reiterated that it would make compliance with obligations related to targeted advertising and profiling of internet users a strategic priority.
In July 2019, and again in September 2020, the CNIL published new recommendations on cookies. The guidance sets out the conditions under which website publishers should proceed in order to obtain valid consent from users to the deposit of cookies. The CNIL stressed that consent must be freely given, which implies that it must be as easy for a user to accept non-essential cookies as to reject them.
This means that if the cookie banner of a website allows the user to consent to the deposit of all cookies (through an 'accept all cookies' button), it must also allow the user to reject all cookies in an equally easy way (for example with an equivalent 'reject all cookies' button).
On google.fr, youtube.com and facebook.fr, the user must, however, go through multiple steps in order to reject cookies but can accept them in one click when arriving on the homepage of the websites. The CNIL found this to be in breach of requirements. In fact, since 1 April 2021, when the time limit to comply with the CNIL's guidelines on cookies expired, the CNIL has conducted multiple investigations and issued formal notices to over 60 companies for violations similar to those addressed in the Google and Facebook decisions.
How were the decisions on the level of the fines reached?
With these two decisions, the CNIL has struck hard. The fine imposed on Google is the highest fine from the CNIL to date. To determine the amounts of the fines, the CNIL took into account:
While the level of the fines clearly reflects the status of Google and Facebook, it is also an indication that the CNIL means business when it comes to cookie compliance.